Extracted from bloodsword
During injection against Access and MySQL back ends we usually retrieve data through UNION, but against MSSQL the UNION approach often fails. When the page returns no error messages and openrowset is unavailable, the only remaining option is usually brute-force guessing. How can we avoid having to resort to such a crude method? After some research, UNION SELECT in MSSQL turns out to be subject mainly to the following restrictions.
The first is that a UNION between varchar/nvarchar and int columns raises an implicit conversion error. The workaround, described in an article superhei wrote long ago, is to prepend and 1=2 so that the result set before the UNION is empty.
The second is that when the columns selected by the current statement are of type text, ntext or image, DISTINCT cannot be applied to them, while a plain UNION implicitly selects with DISTINCT. This is also why many search-type injection points can be enumerated through UNION: search statements rarely select columns of those three types, and image holds binary data that does not appear in SQL statements whose output is echoed to the page. Some time ago Niuke posted a solution: append ALL to the UNION, i.e. UNION ALL. Impressive; an expert is an expert.
The last restriction is that text/ntext and int columns are not UNION-compatible: an "operand type clash" error is raised even when and 1=2 has already emptied the result set of the preceding statement. A few days ago it occurred to me that the usual union select 1, 2, 3 ... makes every column after the UNION an int, so an error is inevitable when the preceding statement has text or ntext columns. What if quotation marks are added, i.e. '1', '2', '3' ...? Then the columns after the UNION are of type char or varchar, and there should be no error. And what if the injection point filters quotation marks? Because MSSQL handles hexadecimal literals poorly (in many places a hex value has to go through declare/set), use char() instead: and 1=2 union all select char(49), char(50) ....
The local test succeeded.
This gives us another option when MSSQL returns no error messages. Of course, the test above is only a theoretical result; real-world injection may run into all sorts of problems, since an injection point that can be reached with UNION certainly does not report errors, and I had to guess where the problem was. ^_^
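From the defender's side, the char() form above matters because filtering quotation marks alone does not stop it. As an added example (not from the original post), this small Python log check flags UNION [ALL] SELECT in URL-encoded request paths and decodes each char(NN) argument back to the literal it produces; the sample request paths are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request paths (not taken from the original post).
SAMPLE_REQUESTS = [
    "/search.asp?q=shoes",
    "/news.asp?id=5+and+1%3D2+union+all+select+char(49)%2Cchar(50)%2Cchar(51)",
    "/news.asp?id=5+and+1=2+union+select+1,2,3",
    "/search.asp?q=union+station+hotel",
]

# UNION or UNION ALL followed by SELECT; word boundaries keep "union station" out.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
# A T-SQL char(NN) call, the quote-free way of writing a one-character literal.
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)


def decode_char_calls(fragment):
    """Rewrite each char(NN) as the quoted literal it evaluates to, so the
    column list reads as it will be executed, e.g. char(49) -> '1'."""
    return CHAR_CALL.sub(lambda m: repr(chr(int(m.group(1)))), fragment)


def analyze(request_path):
    """Return findings for a request carrying UNION [ALL] SELECT, else None."""
    decoded = unquote_plus(request_path)      # undo %XX and '+' encoding first
    match = UNION_SELECT.search(decoded)
    if match is None:
        return None
    columns = decoded[match.end():]           # the injected column list
    return {
        "union_all": "all" in match.group(0).lower(),
        "char_calls": len(CHAR_CALL.findall(columns)),
        "decoded_columns": decode_char_calls(columns).strip(),
    }


def scan(requests):
    """Return (index, findings) for every flagged request in a batch."""
    flagged = []
    for index, path in enumerate(requests):
        findings = analyze(path)
        if findings is not None:
            flagged.append((index, findings))
    return flagged


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(index, findings)
```

Decoding the request before matching is what makes the char(49) variant visible as '1'; a check that only looks for quotation marks in the raw request sees nothing, and the lasting fix remains parameterized queries rather than character filtering.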