Reposted from http://blog.sina.com.cn/s/blog_6b347b2a0101379o.html
The principle of cookie injection is the same as that of ordinary injection; the difference is only in how the parameters are submitted. In ordinary injection we submit them with GET or POST: with GET the statement to inject is appended directly to the URL, with POST it is submitted through a form, and the visible difference between the two is that parameters submitted with GET can be seen in the IE address bar while POST parameters cannot. In cookie injection the parameters are submitted in the cookie instead.
Compared with GET and POST injection, cookie injection is somewhat more cumbersome: before anything else we have to modify the cookie, and for that we use JavaScript. In addition, two conditions are necessary for cookie injection to be possible:
Condition 1: The program filters the data submitted by the GET and POST methods, but does not filter the data submitted in the cookie.
Condition 2: On top of condition 1, the program must obtain submitted data with the bare Request("XXX") form, without specifying which collection of the Request object to read from. In ASP, Request("XXX") searches the QueryString, Form and Cookies collections in turn, so a value that is absent from the URL and the form is taken from the cookie.
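The two conditions are easiest to see side by side in code. The following is an added example, not code from the original post or from the site it mentions: it models ASP's bare Request("name") lookup order in Python, applies a filter that inspects only GET and POST data (condition 1), and contrasts that with a lookup that names its source explicitly, validates the type at the point of use and passes the value to a parameterised query. The table, parameter names and request values are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, unquote

# Collections that ASP's bare Request("name") searches, in order (QueryString,
# Form, Cookies, ...); only the first three are modelled here.
LOOKUP_ORDER = ("query", "form", "cookies")

# Constructed stand-in for condition 1: a filter applied to GET/POST values only.
BAD_TOKENS = ("'", "--", ";", "and ", "or ")


def parse_request(raw_query, raw_form, cookie_header):
    """Split a constructed request into its three parameter collections."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote(value)   # undo JavaScript escape()
    return {
        "query": {k: v[0] for k, v in parse_qs(raw_query).items()},
        "form": {k: v[0] for k, v in parse_qs(raw_form).items()},
        "cookies": cookies,
    }


def filter_get_post(req):
    """Condition 1: reject suspicious GET/POST values, but never look at cookies."""
    for source in ("query", "form"):
        for value in req[source].values():
            if any(tok in value.lower() for tok in BAD_TOKENS):
                raise ValueError("blocked by GET/POST filter")


def bare_request(req, name):
    """Condition 2: Request('name') with no collection given falls through to cookies."""
    for source in LOOKUP_ORDER:
        if name in req[source]:
            return req[source][name]
    return ""


def vulnerable_lookup(req):
    """Filter runs, then the value is read with the bare form: a cookie value arrives unfiltered."""
    filter_get_post(req)
    return bare_request(req, "id")


def hardened_lookup(req):
    """Name the source explicitly and validate the type where the value is used."""
    raw = req["query"].get("id", "")
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    return int(raw)


def fetch_expert(conn, expert_id):
    """Parameterised query: the value is bound, never spliced into the SQL text."""
    row = conn.execute("SELECT name FROM experts WHERE id = ?", (expert_id,)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the page's experts data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE experts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO experts VALUES (?, ?)",
                     [(128, "expert-128"), (129, "expert-129")])
    return conn


if __name__ == "__main__":
    # Same value, different source: the bare lookup cannot tell them apart.
    via_url = parse_request("id=128", "", "")
    via_cookie = parse_request("", "", "id=128")
    print(vulnerable_lookup(via_url), vulnerable_lookup(via_cookie))
    print(fetch_expert(demo_db(), hardened_lookup(via_url)))
```

The hardened lookup closes both conditions at once: reading from Request.QueryString (or the form) removes the fall-through to cookies, and the integer check plus bound parameter means the filter on GET/POST is no longer the only line of defence.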
1. First open http://www.st3yy.com/experts_info.asp?id=128. After the page has completely loaded, clear the IE address bar.
2. In the blank address bar, enter the following:
javascript:alert(document.cookie="id="+escape("128"));
(Here "id=" is the "id=" in http://www.st3yy.com/experts_info.asp?id=128, and the "128" in escape("128") is the "128" from the same URL; both must be chosen according to the actual data obtained.)
3. After the second step, open another window and try to visit http://www.st3yy.com/experts_info.asp? (with "id=128" removed), and see whether it loads normally.
4. As you can see, the page obtained this way is the same as the one obtained by visiting http://www.st3yy.com/experts_info.asp?id=128.
This shows that the program does not specify which method of the Request object to use to obtain the data, but uses Request("XX") directly.
One essential factor for cookie injection is thus confirmed.
5. The third step is to pass special characters to test whether the program filters the data. Go back to the page where we just changed the cookie and enter the following in the IE address bar:
javascript:alert(document.cookie="id="+escape("and 1=1"));
6. Check whether the page displays normally; if it does, submit again:
javascript:alert(document.cookie="id="+escape("and 1=2"));
7. The remaining work is the same as for GET/POST injection.
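From the monitoring side, the steps above leave a recognisable trace: a request whose URL lacks a parameter the page normally takes, while a cookie of that name carries a value, and in step 5 onwards a cookie value that is not the integer the parameter expects. The following is an added example, not part of the original post: it scans a few constructed log lines (client, request target, Cookie header) and flags both patterns for the experts_info.asp page. The list of integer parameters per path is an assumed inventory for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed inventory of integer parameters per page (hypothetical; not from the post).
INT_PARAMS = {"/experts_info.asp": {"id"}}

# Constructed sample log: client, request target, Cookie header ('-' when absent).
SAMPLE_LOG = """\
203.0.113.5\tGET /experts_info.asp?id=128\t-
203.0.113.5\tGET /experts_info.asp\tid=128
203.0.113.7\tGET /experts_info.asp\tid=and%201%3D1
203.0.113.9\tGET /index.asp\tsession=abc123
"""


def parse_cookies(header):
    """Turn a Cookie header into a dict, undoing JavaScript escape() encoding."""
    if header == "-":
        return {}
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: unquote(value) for name, value in pairs}


def scan(log_text):
    """Return (line number, severity, reason) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        _client, target, cookie_hdr = line.split("\t")
        _method, url = target.split(" ", 1)
        parts = urlsplit(url)
        expected = INT_PARAMS.get(parts.path)
        if not expected:
            continue                      # page not in the inventory
        query = parse_qs(parts.query)
        cookies = parse_cookies(cookie_hdr)
        for name in expected:
            if name not in cookies:
                continue                  # cookie does not shadow this parameter
            if name not in query:
                # The page's step 3: parameter removed from the URL, supplied by cookie only.
                findings.append((lineno, "medium", f"{name} supplied only via cookie"))
            if not cookies[name].isdigit():
                # The page's step 5: a non-integer where the page expects a number.
                findings.append((lineno, "high", f"non-numeric {name} in cookie"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The "medium" rule alone produces noise on applications that legitimately persist parameters in cookies, so it is best paired with the type check; a cookie named like a query parameter whose value cannot be the expected type is the stronger signal.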
Cookie SQL injection