Title: One-time universal password login test -- 2012-12-10 16:44
Where a universal password login works, there is generally a SQL injection: characters such as "'" are not filtered, so the submitted input becomes part of the SQL statement that is run as the query.
A few days ago I happened to test an Internet management system: JSP + Oracle + *nux.
Submitting "'" produced an error that revealed the SQL statement, which is probably as follows:
Select *,* from admin where name= ' and pwd= '
Working on the user name box first: enter "admin' Or 1=1--" as the user name and anything in the password box. Login successful.
I informed the developer; the developer made changes based on the feedback, and I tested again.
The user name box was found to be processed, but the password box was not processed.
With the same user name "admin" and "' or 1=1--" in the password box, the login was unsuccessful. Testing showed that "=" does not seem to work, so with the user name "admin" and the password "' or 2>1--" the test got in successfully. Everyone knows that the point of the "or" condition is an expression that is always true, so try variants such as "or 2>1--", "or 1<2--" and so on. The idea is not limited to or 1=1; of course, you can also choose to use the injection to get information.
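The partial fix described above, next to the bind-variable query that closes the hole, as an added example that is not code from the tested system. Python's sqlite3 stands in for the JSP + Oracle stack; the table contents, the function names and the "refuse any password containing =" filter are assumptions about what the developer's change looked like.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory table named like the
    # page's. The plaintext password only mirrors the query shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (name TEXT, pwd TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'constructed-password')")
    return db

def login_concat(db, name, pwd):
    # 'Before' form: user input is pasted into the statement text.
    sql = "SELECT * FROM admin WHERE name='%s' AND pwd='%s'" % (name, pwd)
    return db.execute(sql).fetchone() is not None

def login_blacklist(db, name, pwd):
    # Assumed shape of the first fix: quotes in the user name are escaped,
    # while the password is only refused when it contains "=".
    if "=" in pwd:
        return False
    return login_concat(db, name.replace("'", "''"), pwd)

def login_param(db, name, pwd):
    # Bind variables: input is passed as data and is never parsed as SQL.
    cur = db.execute("SELECT 1 FROM admin WHERE name=? AND pwd=?", (name, pwd))
    return cur.fetchone() is not None

def run_cases():
    # Inputs are the ones quoted in the post, plus the legitimate login.
    db = make_db()
    cases = [("admin' Or 1=1--", "x"), ("admin", "' or 1=1--"),
             ("admin", "' or 2>1--"), ("admin", "constructed-password")]
    return [(n, p, login_concat(db, n, p), login_blacklist(db, n, p),
             login_param(db, n, p)) for n, p in cases]

if __name__ == "__main__":
    for name, pwd, concat, blacklist, param in run_cases():
        print(f"{name!r:20} {pwd!r:24} concat={concat} "
              f"blacklist={blacklist} param={param}")
```

Only the bind-variable version rejects every injected input while still accepting the real password; on a JSP + Oracle stack the same approach is a java.sql.PreparedStatement with "?" placeholders.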