front MySQL I talked a lot , But I forgot to say Mysql database Some characteristics of , So I'm talking about MSSQL Inject front , I put Mysql database Let's talk about some details in .

Mysql

With phpstudy Integrated MySQL Come on , Its database exists phpstudy/PHPTutorial/MySQL/data in

You can directly see that we have four databases ：mysql、performance_schema、security、test. So we're in MySQL Command line terminal show databases have a look .

You can see one more Library information_schema, That is, this library allows attackers to have a more convenient and unified way to check the database and table after finding the closure payload,information_schema Inventory lies in MySQL5.1+, And in version 5 This library didn't exist before .

The original intention of designing this library is for administrators to query and modify the library more conveniently . But there's no way , Once convenient for administrators , If the administrator falls , It is convenient for attackers .

If you need to get the information in the database , There are several key tables in this library that need to be learned together ,

SCHEMATA surface ： Provides the current mysql Information of all databases in the instance . yes show databases Is the result of this table .

TABLES surface ： Provides information about tables in the database （ Include views ）. It describes in detail which table belongs to schema, Table type , Watch engine , Creation time and other information . yes show tables from schemaname Is the result of this table .

COLUMNS surface ： Provides column information in the table . Specifies all the columns of a table and the information for each column . yes show columns from schemaname.tablename Is the result of this table .

besides , We also need to know some column names in the table

There is a table_schema, This thing is the database name , So we can do some research on this library where The limit is reached. You want to query the tables in the Library .

This watch is a little ugly , Just read what I wrote .

We can see it up here columns There is a column name in the table  table_name, This thing means the name of the data table , That is, we can finally query the data in the table by limiting the table name .

It's almost MySQL Inject the most conventional knowledge points , Here's a simple one Check the library 、 Look up the table 、 List 、 Check field Of payload.

 Check the library ：-1' union select 1,2,group_concat(schema_name) from information_schema.schemata--+

 Look up the table ：-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security'--+

 List ：-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name = 'users'--+

 Check field ：-1' union select 1,group_concat(id),group_concat(concat_ws('~',username,password)) from users--+

over, Next, let's talk about today's focus ,MSSQL Inject .

MSSQL

Usually SQL Inject Our study is mainly aimed at MySQL database , Here's a wake-up call , If MySQL database If you are not familiar with the injection of, it is recommended to brush more sqli-labs To consolidate MySQL, Otherwise, if you learn everything, it's easy to be unfamiliar, messy and easy to forget .

MSSQL Also known as SQL server database , And MySQL The similarity is still very high , Because of and MySQL Very similar , There are some MySQL I won't elaborate on what I have said .

Pre knowledge

And MySQL identical ,MSSQL Similar to MySQL in information_schema The default existence of the library can be easily queried , Although it is not a library .

MSSQL There are three default tables in each database sysdatabases、sysobjects、syscolumns

sysdatabases ： The table is saved in master In the database , All the database names are saved in this table , And Library ID, And some related information .

sysobjects：    SQL-SERVER This system table exists in every database of , It stores all the objects created in the database , Such as restraint 、 The default value is 、 journal 、 The rules 、 Stored procedure, etc , Each object occupies a row in the table .

syscolumns： The table is located in each database , It contains all the column names in this library .

Knowing the meaning of three tables, we can use this to query any data we want , But in addition to the database table, the other two of the three tables store some constraint 、 The default value is 、 journal wait , These storage will affect our query of sensitive data , At this time, we need to find a column to classify which are some restricted storage , What are some data stores .

  You can see sysdatabases The only content in the database table is the database

sysobjects A pile of watches , There is everything , So I found a classification standard , That's one of them xtype

You can see ,U type It's the user table , So we use this restriction to query

success , You can see all four data sheets . Finally, there is only one question left , That is how to find the key list we want to find . because syscolumns Not only the columns in the data table are stored in , And views , Many of these also greatly affect our query of data , So we still need to use a column to distinguish them .

After my inquiry and study, I learned ,sysobjects Medium id Column and syscolumns Medium id Column Foreign key link , What do you mean ？ in other words syscolumns There is one in the column of id Means corresponding to sysobjects Medium id, And our watch is from sysobjects Zhongdelai , What's interesting is that we can pass on sysobjects Medium id get syscolumns Column data for , Finally, it's easy to check the fields .

select * from syscolumns where id=(select id from sysobjects where name='users')

Or you can check directly id Plug in

select * from syscolumns where id=885578193

Only this and nothing more ,MSSQL Exists by default in library 、 surface 、 Column That's all , Next, I want to put us in SQL Inject Some common functions that need to be used in .

MSSQL.

MMSQL The features of are almost the same , Let's talk about a few more topics later

Reference resources ：SQL Injected Mssql Inject _ Yuanyuan's blog -CSDN Blog _mssql Inject

know SQLSERVER Medium syscolumns surface - Programming house

SQL Server The system tables sysobjects Detailed introduction and use _ Feitian Haiyu's blog -CSDN Blog _sysobjects

SQL Database system tables sysobjects What's in it ??_ Baidu knows

Study mssql from 0 To 1 - You know