Easily review login forms

Source: Internet
Author: User

In the course of web application intrusion testing, I believe every friend has run into form logins, especially the administrator back-end login page. So today I am writing up my past experience and methods in this area and sharing them with you.
TIPS: A form is a page element used to exchange information between a web browser and a server. It consists of form controls and ordinary content. It generally has two parts: one is the HTML source code that describes the form (the fields, labels and buttons the user sees on the page), the other is the script or application that processes the submitted information (such as a CGI script). Without a processing script, form data cannot be collected. A form is made up of text fields, check boxes, radio buttons, menus, file upload fields, buttons and other form objects, all contained within a form structure marked by the form tag. Typical forms include registration forms, message boards, site navigation bars and search engines.
In general, if the login page does not require a verification code (CAPTCHA), intrusion falls into two categories. The first is brute-force cracking of the account, the most primitive method, and its chances of success are not high. Write a program that submits the form parameters by POST and compares the returned page to see whether the login succeeded. The account and password are cracked by mounting a dictionary (the basic principle of Xiao Rong's Xiao Xue, for example). If the administrator's account and password are not in the dictionary, it will never be cracked, so there is generally no way to know in advance; whether it succeeds depends on luck. Intrusion is really the best embodiment of both skill and luck. How do we show our intrusion ability? Let's look at the second method.
The second is intrusion through script vulnerabilities, which is where things get interesting. Let's analyze it first.
If the script has a vulnerability, getting into the server becomes much easier. A login form is always closely tied to the database: you log in with an account and password held in the database, and you can obtain that account and password through injection. That is one method, but if we want something more flexible we don't need to go to so much trouble. Let's look at the oldest method.
Start with single quotes. If single quotes are not filtered, enter ' or ''=' (without the surrounding quotation marks, and the same below) in both the account and password input boxes; in most cases you can get into the back end (whoever discovered this trick, it is a real classic and still very useful)! Why is it only "most" cases when single quotes are not filtered? Are there a few other cases where you cannot get in? Yes, and that is the focus of today's analysis. Let's look at my analysis. GO......
Use ' or ''=' to get into the back end. The script is written like this. Look at the code:
......
Dim username, password, SQL
username = Request.Form("username")
password = Request.Form("password")
' Form input is concatenated straight into the query: no filtering, no parameters
SQL = "select * from admin where username = '" & username & "' and password = '" & password & "'"
......
The form parameters are put straight into the database query. If the recordset is not at EOF or BOF (that is, at least one record came back), the login succeeds, otherwise it fails. So when we enter ' or ''=' in both the account and the password and it is put into the query, the result is always NOT (EOF OR BOF): there will always be records (unless the table has no records at all, which is a rare case), and of course we walk straight into the back-end management. However, if the script is not written this way, it will not work. I believe you have run into the situation where single quotes are clearly not filtered, yet you cannot get into the back end with ' or ''='. That is a different programming approach on the script writer's part. Look at my analysis and the code first:
......
Dim username, password, SQL, rs
username = Request.Form("username")
password = Request.Form("password")
' Only the username goes into the query (still unfiltered); the password is compared in code
SQL = "select password from admin where username = '" & username & "'"
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open SQL, conn, 1, 1
If Not (rs.EOF Or rs.BOF) Then
    If rs("password") = password Then
        ...... ' login successful
    End If
End If
......
Having read the code, do you understand the idea? The script first looks up the username submitted in the form in the database, takes the password from that record, and compares it with the password submitted in the form; if the two match, the login succeeds.
We have a solution for this case too. If the account parameter of the form does not filter single quotes, entering ' or ''=' finds a record; the script retrieves that record's password and compares it with what we entered. The key is now that we don't know what the password is! ' or ''=' always hits the first record in the table, but we can change the condition to obtain the record we want. See the following table:
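As an added example (not the article's own code), both login patterns above are rewritten in Python over an in-memory SQLite table, with a parameterized version beside them. SQLite stands in for the Access/MSSQL database behind the ASP scripts, and the rows are constructed to mirror the page's sample administrator table.

```python
import sqlite3

# Constructed sample admin table mirroring the page's example records.
ROWS = [("test1", "123456"), ("admin", "admin123"), ("ms", "mszr")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, password text)")
    conn.executemany("insert into admin values (?, ?)", ROWS)
    return conn


def login_v1_concat(conn, username, password):
    # First script on the page: both fields are glued into the SQL string,
    # and any returned row counts as a successful login.
    sql = ("select * from admin where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_v2_concat(conn, username, password):
    # Second script on the page: only the username is glued into the SQL,
    # and the stored password of the FIRST matching record is compared in code.
    sql = "select password from admin where username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row is not None and row[0] == password


def first_record_v2(conn, username):
    # Which record the second script ends up comparing against for a given
    # username input (shows why the row order matters to the page's analysis).
    sql = "select username from admin where username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    # Hardened form: placeholders keep the input out of the SQL grammar, so a
    # quote in the username is just a character in a string, not a delimiter.
    sql = "select 1 from admin where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```

Against the concatenated queries the input ' or ''=' returns the whole table, so the first pattern logs in outright and the second compares against the first row's password; with placeholders the same input matches nothing.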
Username    Password
----------  ----------
test1       123456
admin       admin123
ms          mszr
......      ......
The above are the records in the administrator table. ' or ''=' gets the first record. If instead we enter ' or password = 'admin123' and ''=' in the account, and that password is correct, the matching record is the second one, and entering admin123 in the password box takes us to the back end. The premise, however, is knowing the password, which is the hard part for us; still, it is a way of thinking. For example, if the other side uses an MSSQL database, we have a chance to get the password. Enter ' and password>1 and ''=' in the account, and the password value is returned in IE by the field-disclosure method. With the password in hand you can use the method above to get in. Now let's turn it around: we obtained the password above, so let's get the account with the same field-disclosure method. Enter ' or password = 'admin123' and username>1 and ''=' in the account and the account is shown in IE. With both account and password, we can walk into the back end under our proper names!
We analyzed the theory above. Now it is time to digest it; learning without digesting is no good. I found a login page on the Internet and entered a single quote in both the user name and the password.
When you see the prompt above, you know it is the error message returned when single quotes are not filtered; the next step is to look at which parameter is not filtered. Now I enter a single quote only in the account and leave the password empty, and the same result is returned, which proves that at least the account parameter of the form is not filtered. Let's see whether the password parameter is filtered. I now enter 1234 in the account and a single quote in the password, and an error message saying the user name does not exist is returned.
This proves that the password field is filtered, or else it is not placed in the database query at all.
TIPS: Generally, when the account is not filtered but the password is, in many cases the password of the corresponding account is retrieved from the database and then compared.

Let's use the second method. First let's get the password. What is the password field called? You can guess it 80% of the time. First look at the source code of the web form, then try "password": enter password in the password box and ' and password>1 and ''=' in the account. The prompt says "password" is not a valid field name, so that is not it. Try "userpassword": enter ' and userpassword>1 and ''=' and the password comes out: fuckusa (haha, very patriotic! I won't expose it. After testing I will send an e-mail to the administrator reminding them to pay attention to security.) Now let's get an account: in the account box enter ' or userpassword = 'fuckusa' and username>1 and ''=' and the account is displayed, which proves the field name is right. The account is "admin". Now let's log in with the account and password! OK, the management page is displayed.
