As we all know, injection methods are mainly divided into numeric and character types, but newcomers often overlook the search type, because with a search-type injection you have to type the test content into the search text box to decide whether a vulnerability exists, and judging from the returned page content is tedious. nbsi2 does support this injection method, but when you open a page its parameters generally do not include the search parameter. What to do? My approach is to modify the request by hand and then hand it to nbsi2.
First, some prerequisites. If you only want to retrieve NAME records whose value begins with the letter W, you use the following WHERE clause:
Select name from Admin where name like 'W%'
If you want to retrieve names that contain the letter W anywhere, you use the following WHERE clause:
Select name from Admin where name like '%W%'
If you want to retrieve three-character names whose first letter is W and whose third letter is F, you use the following WHERE clause:
Select name from Admin where name like 'W_F' (WTF is among them, hey)
TIPS: The percent sign (%) is like the DOS wildcard "*" and stands for any number of characters; the underscore (_) is like the DOS wildcard "?" and stands for exactly one arbitrary character.
When searching you will often see a choice between a full (exact) match and a partial match. For a full match the statement is:
Select name from Admin where name like '$keyword'
Here the variable keyword holds whatever was typed into the query box. For a partial match:
Select name from Admin where name like '%$keyword%'
If the keyword variable is not filtered, the following statements can be constructed:
1. Exact match: entering WTF' and '1'='1 turns the statement into:
Select name from Admin where name like 'WTF' and '1'='1'
Entering WTF' and '1'='2 turns it into:
Select name from Admin where name like 'WTF' and '1'='2'
2. Partial match: entering WTF%' and 1=1 and '%'=' turns the statement into:
Select name from Admin where name like '%WTF%' and 1=1 and '%'='%'
Entering WTF%' and 1=2 and '%'=' turns it into:
Select name from Admin where name like '%WTF%' and 1=2 and '%'='%'
Whether an injection vulnerability exists can be determined by whether the two returned pages are identical or differ.
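As an added example that is not part of the original article, the Python/SQLite code below places the concatenated "partial match" search described above beside a parameterized version that also escapes the LIKE wildcards, and applies the page's 1=1 / 1=2 comparison to both. The Admin table, its rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data standing in for the article's Admin table.
SAMPLE_NAMES = ["WTF", "Walter", "Wolf", "Bob", "100%_sure"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (name TEXT)")
    conn.executemany("INSERT INTO Admin VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def search_unsafe(conn, keyword):
    # Vulnerable: the keyword is spliced straight into the LIKE pattern,
    # exactly the '%$keyword%' shape shown on the page.
    sql = f"SELECT name FROM Admin WHERE name LIKE '%{keyword}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(keyword, esc="\\"):
    # Neutralise the LIKE metacharacters so typed % and _ match literally.
    return (keyword.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))


def search_safe(conn, keyword):
    # Hardened: the pattern is passed as a bound parameter (no string
    # splicing), and ESCAPE makes the escaped wildcards literal.
    pattern = "%" + escape_like(keyword) + "%"
    sql = r"SELECT name FROM Admin WHERE name LIKE ? ESCAPE '\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def differs_on_probe(search):
    # The detection rule from the article: the 1=1 and 1=2 inputs produce
    # different results on a vulnerable search box and identical ones on a
    # safe box, where both are simply searched for as literal text.
    true_probe = "WTF%' and 1=1 and '%'='"
    false_probe = "WTF%' and 1=2 and '%'='"
    return search(make_db(), true_probe) != search(make_db(), false_probe)


if __name__ == "__main__":
    print("unsafe search box detectable:", differs_on_probe(search_unsafe))
    print("safe search box detectable:  ", differs_on_probe(search_safe))
```

Searching for "%_" shows the second benefit of escaping: the unsafe version matches every row, while the safe version returns only the name that literally contains "%_".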
Well, that covers the basics. Let's look at how to use them! The target in this article is a well-known Korean multinational electronics company; its application is written in ASP.NET, but it does not filter the variable from the query box. You can see the difference between Figure 1 and Figure 2.
Figure 1
Figure 2
If nothing is entered in the query text box, the query parameter SC is empty, so nbsi2 has nothing to test. Figure 1 and Figure 2 show that the injection vulnerability is present, so the injection address can be constructed as:
http://notebook.***.com.cn/news/news.aspx?Page=1&type=***&St=title&SC=Technology
The signature (characteristic string) entered is 2004, as shown in Figure 1, and Figure 3 shows nbsi2's injection analysis result.
Figure 3
I quickly guessed out the back-end username and password. The password is stored in plain text and contains special characters, and the back end has an image upload function ...... I stopped playing there; there is nothing more worth saying about what comes after.