Currently, the most common databases used by dynamic web pages on the Internet are Microsoft Access and Microsoft SQL Server. After determining the script used by a dynamic web page, you need to determine the database type. This is the most basic and important step in the script injection process.
There are two methods for beginners:
1. Database judgment using the system variables of the database server
http://www.bkjia.com/index.asp?ID=1 and user>0
If the script system's filtering judges this statement to be a normal statement, it is executed and the result is fed back to the user. In that case the script system uses the Microsoft SQL Server database; you can also use "user" to check whether the user name of the current database connection exists.
2. Database judgment using system tables
http://www.bkjia.com/index.asp?ID=1 and (select count(*) from sysobjects)>0
http://www.bkjia.com/index.asp?ID=1 and (select count(*) from msysobjects)>0
Generally, the system table of Microsoft Access is msysobjects, and by default the user has no access permission to it, while the system table of Microsoft SQL Server is sysobjects, and by default the user has access permission to it.
If the database is Microsoft SQL Server and no parameter filtering is performed, the page displayed after the first statement is run is normal and the result of the second statement is abnormal; if the database is Microsoft Access, the pages returned by both links are abnormal.
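The three test requests above leave a recognisable trace in web server logs. The following is an added example, not part of the original article, that scans constructed log lines for them after undoing URL encoding; the seven-field log layout, the probe names and the sample addresses are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the three test requests shown on this page.
PROBES = {
    "user-variable": re.compile(r"\band user ?> ?0\b"),
    "mssql-sysobjects": re.compile(r"\bfrom sysobjects\b"),
    "access-msysobjects": re.compile(r"\bfrom msysobjects\b"),
}

def normalise(query, max_rounds=3):
    """Decode up to max_rounds (double encoding), lowercase, flatten /**/ and whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query.lower())
    return re.sub(r"\s+", " ", query)

def scan(log_lines):
    """Return {client_ip: set of probe names} for lines that match."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip W3C header lines and malformed records
        _date, _time, client, _method, _stem, query, _status = fields
        text = normalise(query)
        for name, pattern in PROBES.items():
            if pattern.search(text):
                hits.setdefault(client, set()).add(name)
    return hits

def fingerprinting_clients(hits):
    """Clients that queried both system tables are comparing the two responses."""
    both = {"mssql-sysobjects", "access-msysobjects"}
    return sorted(c for c, names in hits.items() if both <= names)

# Constructed sample log (assumed layout: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status); addresses are documentation ranges.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-01 10:00:00 192.0.2.10 GET /index.asp ID=1 200",
    "2024-01-01 10:00:05 198.51.100.7 GET /index.asp ID=1+and+user>0 500",
    "2024-01-01 10:00:09 198.51.100.7 GET /index.asp ID=1%20and%20(select%20count(*)%20from%20sysobjects)>0 200",
    "2024-01-01 10:00:12 198.51.100.7 GET /index.asp ID=1%2520AND%2520(SELECT%2520COUNT(*)%2520FROM/**/MSysObjects)>0 500",
    "2024-01-01 10:01:00 203.0.113.4 GET /index.asp ID=1+and+username>0 200",
]
```

Calling `fingerprinting_clients(scan(SAMPLE_LOG))` returns the one constructed client that requested both system tables; the `username>0` line is a deliberate near-miss that must not match.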