DB
(MSSQL) INJECTION SEARCH QUERY
kjun.kr
2017. 4. 13. 21:59
728x90
declare @T varchar(255), @C varchar(255);
declare Table_Cursor CURSOR FOR
SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 or
b.xtype = 35 or
b.xtype = 231 or
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T,@C;
WHILE (@@FETCH_STATUS = 0)BEGIN
exec('select['+@C+'] from ['+@t+'] where ['+@C+'] like ''%<script%''');
-- print 'select['+@C+'] from ['+@t+'] where ['+@C+'] like ''%<script%</script>'''
FETCH NEXT FROM Table_Cursor INTO @T, @c;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
declare Table_Cursor CURSOR FOR
SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 or
b.xtype = 35 or
b.xtype = 231 or
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T,@C;
WHILE (@@FETCH_STATUS = 0)BEGIN
exec('select['+@C+'] from ['+@t+'] where ['+@C+'] like ''%<script%''');
-- print 'select['+@C+'] from ['+@t+'] where ['+@C+'] like ''%<script%</script>'''
FETCH NEXT FROM Table_Cursor INTO @T, @c;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
728x90