These days idle boring, want to surf the internet down a few movies to see, looking for is to be money, bad, spend time to go to the remittance is better to find a loophole black. So, the plan begins:
(in order to avoid unnecessary misunderstanding, URL, user name, password made some changes, but the method is 100% authentic)
1. Find the Entrance
Prepare: If you have not tried SQL injection attacks before, then you should close the HTTP friendly prompts so that you can see the message returned by the server side clearly.
Try a few pages that have incoming parameters. Test whether there is a SQL injection vulnerability, the identification method is: The URL bar id=***x add a ' number, or in the form input ' number, if the prompt expression error, indicating a vulnerability can be injected, in addition, in this way can get the application of the database type.
After testing, found that a few pages have injected holes, decided to start from http://www.movie.com/movie.asp?ID=1000, input http://www.movie.com/movie.asp?ID= 1000 ', Get information: Database with access, hint articleid=1000 ' near the expression error, hey, originally is a use of article system to change out of the film station.
2. Observe the website environment
The functions of the website include: Film Classification, film introduction, film search, the ID of the film is about 1000-1500.
3. Guess the name of the table
After you find out about the enemy, start acting, and the first step is to start with guessing the table name, http://www.movie.com/movie.asp?ID=1000, and Change 1000 to (select COUNT (1) from user), His original SQL statement would become:
Select [Field List] from [movie table] where movie id= (select COUNT (1) from user)
If you guessed the table name, the following three scenarios might occur:
A. Displaying information on a film (coincidental)
B. show that the movie cannot be found (if there is a decision whether it is EOF)
C. Hint error message (EOF OR BOF)
If you are wrong, you will be prompted to find the table name directly.
Put User,users,member,members,userlist,memberlist,userinfo,admin,manager, the user, Yonghu these commonly used table name one by one put in the test, the general success rate is not less than 80%
As a result, the user name table named users of the site was successfully guessed
4. Guess the name of the column
As for guessing column names, no, I'm not going to introduce you. You should make it clear what to do, change (select COUNT (1) from users) to (select COUNT (ID) from users), and if you are not prompted to "field not found" means that the field name is correct, and the field is generally not laborious, You can probably guess some of the names of the forms when you login.
Sure enough, this site is no exception, the user table in the field ID (number), UserID (text), Password (text), integration fields guess more laborious, for money
5. Lock target
Let the users table return only one record with the most money in order to guess and avoid guessing some money-less user names:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.