MSSQL injection: using GROUP BY & HAVING to guess the table name and field names

Source: Internet
Author: User

Soul BLOG !!

lcx, Jianxin and others were already using this syntax long before; I, a latecomer, only came across it recently ......

I have no injection point to test against at the moment, so I first experimented with MSSQL on my own machine.
In the statements below I write out the complete SQL statement directly; during an actual injection they need only slight adjustment.

Suppose there is an injection point. The structure of the queried table is as follows:

But assume that we do not know the column names ....

Suppose the original SQL statement behind this injection point is: "select * from FK_admin where x_name =" & username & ""
Enter zerosoul having 1 = 1 --
The entire SQL statement becomes: select * from FK_admin where x_name = zerosoul having 1 = 1 --
If the returned result looks like the following, the error message discloses the table name FK_admin and the first column name, id:


Then submit zerosoul group by id having 1 = 1 --
The second column name, x_name, is disclosed in the same way, for example:



Then submit zerosoul group by id, x_name having 1 = 1 -- and the third column name, x_pass, is disclosed, for example:


Then submit zerosoul group by id, x_name, x_pass having 1 = 1 -- and the last column name, x_level, is displayed.


The rest is relatively simple.
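As an added defender-side example (not code from the original post), here are the three pieces a practitioner wants next to this technique, in Python, using constructed sample request values and a constructed error-log line written in the wording of SQL Server error 8120: it flags probe-shaped parameter values, extracts the table.column name that such an error message discloses when it is echoed to the client, and shows the parameterised query that replaces the string concatenation on the page.

```python
import re

# Constructed sample request values (the page's own probe sequence), not from a live system.
REQUEST_VALUES = [
    "zerosoul",
    "zerosoul having 1 = 1 --",
    "zerosoul group by id having 1 = 1 --",
    "zerosoul group by id, x_name having 1 = 1 --",
]

# Constructed application error-log line in the wording of SQL Server error 8120.
# Returning this text to the client is what lets each probe disclose one more column.
ERROR_LOG_LINE = ("Column 'FK_admin.x_name' is invalid in the select list because it "
                  "is not contained in either an aggregate function or the GROUP BY clause.")

# Probe shape: optional GROUP BY list, then HAVING with the 1=1 tautology.
PROBE_RE = re.compile(
    r"(?:\bgroup\s+by\s+[\w\s,.\[\]]+)?\bhaving\s+1\s*=\s*1\b", re.IGNORECASE)

# Disclosure shape: errors 8120/8121 name the offending column as table.column.
LEAK_RE = re.compile(
    r"Column '(?P<table>\w+)\.(?P<column>\w+)' is invalid in the "
    r"(?:select list|HAVING clause) because it is not contained in either "
    r"an aggregate function or the GROUP BY clause")

def is_group_by_having_probe(value: str) -> bool:
    """True when a request parameter value carries a GROUP BY/HAVING probe."""
    return PROBE_RE.search(value) is not None

def leaked_column(error_text: str):
    """Return (table, column) disclosed by an 8120/8121 message, or None."""
    m = LEAK_RE.search(error_text)
    return (m.group("table"), m.group("column")) if m else None

def build_query_param(username: str):
    """Parameterised form of the concatenated statement on the page. The value is
    bound as data, so GROUP BY / HAVING text inside it never reaches the SQL parser.
    Returns (sql, params) in DB-API '?' placeholder style (e.g. pyodbc)."""
    return "SELECT * FROM FK_admin WHERE x_name = ?", (username,)

def scan(values=REQUEST_VALUES, error_lines=(ERROR_LOG_LINE,)):
    """Flag probe-shaped parameter values and column-disclosing error lines."""
    probes = [v for v in values if is_group_by_having_probe(v)]
    leaks = [c for c in (leaked_column(line) for line in error_lines) if c]
    return {"probes": probes, "leaks": leaks}

if __name__ == "__main__":
    print(scan())
```

In practice the error text should be logged server-side and never echoed to the client; the disclosure parser is meant for scanning those logs and response captures, not for building probes.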

Of course, if the connection runs as sa, you can also use (select count(*) from master.dbo.sysdatabases where dbid = 5) = 1 to guess MSSQL's system databases directly and obtain some sensitive information. The method above was also tested successfully under dbo permissions.

I think I have learned too little about SQL statements; I only learned the basic syntax (which seems to be the case for most people). lcx and Jianxin have probably gone deeper. If I have time, I must go further.
If you study this technology deeply, you can probably come up with some amazing tricks. Especially in Oracle, there is a large body of SQL syntax still waiting to be explored.

Yesterday, all night until now .... I had shut down my computer and was getting ready for bed when I suddenly remembered this on a trip to the toilet .... I was afraid I would forget it if I left it for later, so I turned my computer back on and practised it. Along the way I made this note.
