Further discussion on union select IN MSSQL

Union query can be said to give SQL injection a new sky, mysql and acc can play a great role, so what will happen in mssql? In fact, I started to test the union in mssql very early, but I made a big mistake and thought that the union in mssql would be affected by the "data type conversion error, however, I am not sure that the replacement can be completed. Thanks to the reminder from xiaolu, THX.

Yizhi

The data table master. dbo. spt_values has the following columns:

Name (nvarchar (35). null)

Number (int, not null)

Type (nchar (3), not Null)

Low (int, Null)

High (int, Null)

Status (int, Null)

Query statement:

Select type from dbo. spt_values where name = rpc;

Return Value:

Type

A

Query:

Select type from dbo. spt_values where name = rpc union select 111;

Return Value:

Server: Message 245, level 16, status 1, Row 1

A syntax error occurs when converting nvarchar value A to an int column.

Did you see it? This is "data type conversion error". I just saw this before making a mistake: (let's take a look at the select type from dbo in front of the union statement. spt_values where name = rpc because name = rpc exists, the returned type is nchar, and select 111 After union returns the data type as int, therefore, the preceding error occurs during union query.

What if the selet query record before union does not exist.

Query statement:

Select type from dbo. spt_values where name = rpcssdfsdfsdfds union select 111;

Alternatively, select type from dbo. spt_values where name = rpc and 1 = 2 union select 111;

In the above statement, name = rpcssdfsdfsdfds does not exist at all. Now there is no error and the result is displayed:

Type

111

The following is a test statement: select type, name from dbo. spt_values where name = rpc union select 111; (the query output fields before union are type and name)

Error:

Server: Message 205, level 16, status 1, Row 1

All queries in SQL statements containing the union operator must have the same number of expressions in the target list.

Haha ~~ You are familiar with this error. The fields before and after the union query are incorrect. We changed the statement:

Select type, name from dbo. spt_values where name = rpc union select 111,111; (make the first two query fields the same)

Result:

Type name

111 111

Same statement

Select * from dbo. spt_values where name = rpc union select 1, 1, 1, 1;

Because the spt_values table contains six fields, the query after union must have six fields.

In fact, this problem was mentioned when I wrote the union query in the mysql injection article. Here I just want to explain it again.

Summary:

For the statement select A union select B (A and B are queried from different data tables)

1. For union queries, fields in B must be the same as those in.

2. for union queries in mssq, if A is queried before, if data exists, the data of A is not output as in mysql, A syntax error occurs when "converting nvarchar value A to A column whose data type is int.

In fact, in the injection process, our goal is to obtain the returned result of statement B. to replace the output with the union query, we must ensure that the result obtained by Statement A is null. Whether it is mysql, both access and mssql are the same.

SELECT username FROM [User] where username = shelfl union select 1 from user

SELECT username FROM [User] where username = shell union select 1 from user

SELECT username FROM [User] where username = shell and 1 = 2 union select 1 from user

SELECT username FROM [User] where username = shell and 1 = 1 union select 1 from user