Asp aspx injection exercise code

Source: Internet
Author: User
Tags change settings

ASP:

 
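<%
' Database connection setup for the classic-ASP half of the exercise.
' Fixes over the transcribed original: the comment lines had lost their
' leading apostrophes, and the Jet provider name / ADODB ProgID / .mdb name
' contained stray spaces that stop the provider and the file from resolving.
Dim Db, MyDbPath
Dim conn

' ================================ Settings you can modify ================================
' Database type: 1 = SQL Server, 0 = Access.
Const IsSqlDataBase = 0
' Relative directory of the Access file; empty means the same directory as this page.
MyDbPath = ""
' =========================================================================================

If IsSqlDataBase = 1 Then
    ' ================================ SQL Server settings =================================
    ' Connection parameters: database name (SqlDatabaseName), password (SqlPassword),
    ' user name (SqlUsername) and server name (SqlLocalName, the local address when
    ' the site runs on the same machine as the database).
    ' NOTE(review): the sample logs in as "sa" with an empty password. Even for a lab
    ' database, use a dedicated least-privilege login so an injected statement is
    ' confined to this database and cannot reach server-level commands.
    Const SqlDatabaseName = "dvbbs"
    Const SqlPassword = ""
    Const SqlUsername = "sa"
    Const SqlLocalName = "localhost"
    ' =====================================================================================
Else
    ' ================================ Access settings =====================================
    ' Point Db at the copied forum database. The original advice to rename the file
    ' (e.g. dvbbs6.mdb -> dvbbs6.asp) is the sample's way of stopping the database
    ' from being downloaded from the web directory it lives in.
    Db = "z.mdb"
    ' =====================================================================================
End If

Dim ConnStr
If IsSqlDataBase = 1 Then
    ConnStr = "Provider=Sqloledb;User ID=" & SqlUsername & ";Password=" & SqlPassword & ";Initial Catalog=" & SqlDatabaseName & ";Data Source=" & SqlLocalName & ";"
Else
    ' The provider name must be written without spaces; "Microsoft. Jet. OLEDB.4.0"
    ' (as transcribed) is not a registered provider.
    ConnStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(MyDbPath & Db)
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open ConnStr

' NOTE(review): conn (and the rs opened below) is never closed on this page; a
' rs.Close / conn.Close after the content table is rendered would release them.
' -----------------------------------------------------------------------------------------
%>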
 
 
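<%
' Selects the dv_help row to display. The transcribed original read the request
' key "id " (trailing space) on the first line but tested "id" on the next, so the
' default-to-1 path and the lookup path disagreed; both now use "id", which is the
' parameter the page text documents (a.asp?id=1). The two identical Execute calls
' are folded into one.
lg_id = Request("id")
If lg_id = "" Then
    lg_id = 1
End If

' Intentionally injectable: the raw request value is concatenated into the SQL
' text. This is the statement the exercise is about. The defensive form is to
' reject anything that is not an integer (IsNumeric / CLng) before it reaches the
' query, or to use an ADODB.Command with a parameter instead of concatenation.
' The h_content column is later written to the page unencoded; Server.HTMLEncode
' at the display table would be the defensive choice there.
Set rs = conn.Execute("Select * From dv_help Where h_id =" & lg_id)
%>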
<div align="center">
<p></p>
<p>SQL Injection</p>
<p>Replace the table name with the database name.</p>
<p>The submission parameter is a.asp?id=1</p>
<p>The default id is 1</p>
</div>
<div align="center">
<table width="754" height="259" border="1">
<tr>
<td width="744" bgcolor="#CCCCCC"><%= rs("h_content") %></td>
</tr>
</table>
</div>
========================================================== ==========================================================
ASPX:
 
<%@ Page Language="C#" ValidateRequest="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<script language="C#" runat="server">
 
 
// Page-level state shared by the handlers below. The page is written as an inline
// <script runat="server"> block, so these become fields of the generated page class.
private System.Data.IDbConnection m_Connection = null; // created by GetConn(); opened/closed by OpenConn()/CloseConn()
private System.Data.IDbCommand m_Command = null;       // runs strSql in SqlinCode()
private string h_id = null;                            // raw "id" request value (or the default); never validated
private string strSql = null;                          // query text assembled in Page_Load by concatenation
 
private void Page_Load(object sender, System.EventArgs e)
{
    // Page entry point: writes the instructions, reads "id" and builds the query text.
    this.Lb_title.Text = "SQL Injection exercise ";
    this.Lb_title.Text += "Please rename the access database file of the dynamic network forum to 'z. mdb 'and place it in the same directory of this file ";
    this.Lb_title.Text += "and then set the directory to the web shared directory. ";

    // "id" is taken from the request (query string or form) without validation;
    // when it is absent or empty, record 3 is shown.
    string requestedId = Request.Params["id"];
    bool idMissing = requestedId == null || requestedId.Equals("");
    this.h_id = idMissing ? "3 " : requestedId;

    // Intentionally injectable: the raw value is concatenated into the SQL text.
    // The defensive form would parse it as an integer (int.TryParse) or bind it as an
    // OleDbParameter behind a "?" placeholder instead of concatenating.
    this.strSql = "Select * From dv_help Where h_id =" + this.h_id;
    this.SqlinCode();
}
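private System.Data.OleDb.OleDbConnection GetConn()
{
    // Returns the page's existing connection when one has already been created, otherwise a
    // new, still-closed Jet connection to z.mdb in this page's directory. OpenConn() opens it.
    if (this.m_Connection != null)
    {
        return (System.Data.OleDb.OleDbConnection)this.m_Connection;
    }

    // Fix: the transcribed connection string had spaces inside the provider name and the
    // file name ("Microsoft. Jet. OLEDB.4.0", "z. mdb"), so neither would resolve.
    // NOTE(review): the .mdb lives inside the web-served directory and is therefore
    // downloadable unless the server is configured to deny it; keep lab databases out of
    // the web root where possible.
    return new System.Data.OleDb.OleDbConnection(
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("z.mdb"));
}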
private bool OpenConn()
{
    // Opens the current connection; returns false when GetConn() has not been called yet.
    bool hasConnection = this.m_Connection != null;
    if (hasConnection)
    {
        this.m_Connection.Open();
    }
    return hasConnection;
}
private bool CloseConn()
{
    // Closes the current connection; returns false when there is nothing to close.
    bool hasConnection = this.m_Connection != null;
    if (hasConnection)
    {
        this.m_Connection.Close();
    }
    return hasConnection;
}
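private void SqlinCode()
{
    // Runs this.strSql against the Access database and shows one column of the first row.
    // strSql is assembled in Page_Load from the raw "id" request value, so this is the
    // intentionally injectable statement the exercise demonstrates. The defensive fix is
    // to bind the id as an OleDbParameter behind a "?" placeholder and to validate it as
    // an integer before it reaches the query text.
    //
    // Fix over the original: the reader and the connection were only closed on the happy
    // path, so a failing query or a NULL content cell left both open for the page's lifetime.
    this.m_Connection = GetConn();
    this.m_Command = new System.Data.OleDb.OleDbCommand();
    this.m_Command.Connection = this.m_Connection;
    this.m_Command.CommandText = this.strSql;
    this.OpenConn();
    try
    {
        // using closes the reader even if Read() or GetValue() throws.
        using (System.Data.OleDb.OleDbDataReader dataReader = (System.Data.OleDb.OleDbDataReader)this.m_Command.ExecuteReader())
        {
            if (dataReader.Read())
            {
                // Column index 3 is presumably h_content, the column the classic-ASP
                // version of this page reads by name — confirm against dv_help's schema.
                this.Lb_show.Text = dataReader.GetValue(3).ToString();
            }
        }
    }
    finally
    {
        // Release the connection whether or not the query succeeded.
        this.CloseConn();
    }
}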
 
# Code generated by region Web Form Designer
protected override void OnInit(EventArgs e)
{
    // CODEGEN: the designer requires this call; it wires the Load handler before the
    // base class raises Init.
    InitializeComponent();
    base.OnInit(e);
}
 
/// <summary>
/// Designer-generated wiring: subscribes Page_Load to the page's Load event.
/// Do not modify the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
    this.Load += new System.EventHandler(this.Page_Load);
}
# Endregion
</script>
<title>sqlin</title>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout">
<form id="Form1" method="post" runat="server">
<font face="">
<asp:Label id="Lb_show" style="Z-INDEX: 101; LEFT: 64px; POSITION: absolute; TOP: 120px" runat="server"
Width="536px" Height="344px"></asp:Label>
<asp:Label id="Lb_title" style="Z-INDEX: 102; LEFT: 64px; POSITION: absolute; TOP: 16px" runat="server"
Width="248px" Height="72px">The following shows the database content:</asp:Label></font>
</form>
</body>
</html>
 
