Author: magic spring
Blog: http://hi.baidu.com/woshihuanquan/
In database injection people often say that an injection point is of numeric type or of character type. What is a numeric type and what is a character type? All of these types derive from the data types of the columns in the database table. When we create a table we always find a data type restriction after each column, and different databases have different data types; MSSQL, for example, has many of its own. But however many data types a database offers, in a query they are always handled either as numbers or as character strings, and that is what produces the different types of injection point.
In an SQL query statement there are three kinds of syntax depending on the data type: numeric, character, and search. The syntax is:
Numeric type: SELECT Column FROM Table WHERE NumericColumn = Value
Character type: SELECT Column FROM Table WHERE CharacterColumn = 'Value'
Search type: SELECT * FROM Table WHERE SearchedColumn LIKE '%Value%'
From the syntax we can see that the differences between the types are small, but those slight differences change the query statement, and so they change how the injection has to be written.
Open the vulnerable file SQL.asp. A query statement such as SQL = "select * from admin where id=" & id is typical numeric-type injection. We can then append and 1=1 and and 1=2 to the id parameter to determine whether the vulnerability exists.
Modify SQL.asp so the code is as follows:
<!-- #include file="conn.asp" -->
<%
' User input is concatenated straight into the query, so this page is injectable.
id = Request("id")
Set rs = Server.CreateObject("ADODB.Recordset")
' Character type: the value is wrapped in single quotes.
SQL = "select * from admin where id='" & id & "'"
Response.Write "The SQL statement is: " & SQL
rs.Open SQL, conn, 1, 3
If rs.EOF Or rs.BOF Then
    Response.Write "<br>No record"
Else
    Response.Write "<br>The returned information is: " & rs("username")
End If
rs.Close
Set rs = Nothing
Set conn = Nothing
%>
After this modification the query in SQL.asp is of character type. If we try and 1=1 and and 1=2 again, an error message is returned.
The reason is that the value we entered is enclosed in single quotes in the query statement, so the whole of it becomes one string: the query now looks for an id equal to the string '1 and 1=1' or '1 and 1=2'. Such an id does not exist, and since the id column is numeric the string cannot even be converted for comparison, which produces the error. For character-type injection we therefore have to close the single quote ourselves, so that the judgment statements become ' and '1'='1 and ' and '1'='2 (the leading quote closes the one the query opened, and the trailing value is closed by the quote the query appends). Entering these gives the same responses as in numeric injection.
Search-type injection usually appears in search functions. Continue modifying SQL.asp; the code is as follows:
<!-- #include file="conn.asp" -->
<%
id = Request("id")
Set rs = Server.CreateObject("ADODB.Recordset")
' Search type: the value is wrapped in LIKE wildcards and single quotes.
SQL = "select * from admin where id like '%" & id & "%'"
Response.Write "The SQL statement is: " & SQL
rs.Open SQL, conn, 1, 3
If rs.EOF Or rs.BOF Then
    Response.Write "<br>No record"
Else
    Response.Write "<br>The returned information is: " & rs("username")
End If
rs.Close
Set rs = Nothing
Set conn = Nothing
%>
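The following is an added example, not code from the original post: it reproduces the three query shapes of SQL.asp (numeric, character, search) in Python against an in-memory SQLite table so the and 1=1 / and 1=2 probes and the quote-closing rule explained above can be run offline. It goes slightly beyond the text by also showing the quote-closing probe for the search type and the parameterized form of each query. The admin table, its two rows and the SQLite backend are constructed assumptions; one difference from the MSSQL/Access setup of the post is that SQLite does not raise a conversion error when a numeric column is compared to the string '1 and 1=1', it simply returns no rows.

```python
import sqlite3

# Constructed sample data standing in for the post's "admin" table (assumption, not from the page).
ROWS = [(1, "admin"), (2, "guest")]


def _conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", ROWS)
    return conn


def build_query(kind, value):
    """Build the three vulnerable query shapes exactly as SQL.asp does: by string concatenation."""
    if kind == "numeric":
        return "select * from admin where id=" + value
    if kind == "character":
        return "select * from admin where id='" + value + "'"
    if kind == "search":
        return "select * from admin where username like '%" + value + "%'"
    raise ValueError(kind)


def run_vulnerable(kind, value):
    """Run the concatenated query; return matched usernames, or 'error' if the DB rejects the SQL."""
    conn = _conn()
    try:
        return [row[1] for row in conn.execute(build_query(kind, value))]
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()


def run_safe(kind, value):
    """The same three queries with the value passed as a bound parameter (the fix)."""
    if kind == "numeric":
        try:
            params = (int(value),)  # '1 and 1=1' is not an integer: rejected before the DB sees it
        except ValueError:
            return "rejected"
        sql = "select * from admin where id=?"
    elif kind == "character":
        sql, params = "select * from admin where id=?", (value,)
    elif kind == "search":
        # % and _ inside value still act as LIKE wildcards; add an ESCAPE clause if that matters.
        sql, params = "select * from admin where username like ?", ("%" + value + "%",)
    else:
        raise ValueError(kind)
    conn = _conn()
    try:
        return [row[1] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    # Numeric type: no quotes to close, the bare condition is appended.
    print(run_vulnerable("numeric", "1 and 1=1"))          # ['admin']
    print(run_vulnerable("numeric", "1 and 1=2"))          # []
    # Character type: the same probe becomes one quoted string and matches nothing.
    print(run_vulnerable("character", "1 and 1=1"))        # []
    # Closing the quote restores the true/false behaviour.
    print(run_vulnerable("character", "1' and '1'='1"))    # ['admin']
    print(run_vulnerable("character", "1' and '1'='2"))    # []
    # Search type: close the '%...%' literal the same way.
    print(run_vulnerable("search", "' and '%'='"))         # ['admin', 'guest']
    print(run_vulnerable("search", "' and '%'='x"))        # []
    # Parameterized queries: the probes are plain data.
    print(run_safe("numeric", "1 and 1=1"))                # rejected
    print(run_safe("character", "1' and '1'='1"))          # []
```

Each probe pair should flip between "record returned" and "no record" only when the payload is written for the right query shape; with bound parameters the payloads never change the query's logic, which is the check to apply when reviewing an ASP page like SQL.asp.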