1, Append a single quotation mark ' and submit. Result: if an error message appears, the site may have an injection vulnerability.

2, Numeric type: determine whether there is injection. Statements: and 1=1; and 1=2 (classic); ' and '1'='1 (character type). Result: different pages are returned, indicating an injection vulnerability. Analysis: and means "and". If our input is not filtered, and 1=1 is appended to the SQL query statement; if the conditions before and after and are both true there is no error, but if either of them is false the program throws an error. This also indicates that the program has an injection vulnerability.

If and is blocked by an anti-injection filter, alternatives:
1> Use or 2>1; or 1>2 to judge. Result: different pages are returned, indicating an injection vulnerability. Analysis: or only requires one of the two conditions to be true; when both conditions are true, the result behaves as false. Remember: when or is injected, a correct statement after or returns the error page, and an incorrect one returns the correct page, indicating an injection point.
2> Use xor 1=1; xor 1=2. Result: different pages are returned, indicating an injection vulnerability. Analysis: xor stands for exclusive or; the combined expression is true only when exactly one side is true. Remember: when xor is injected, a correct statement after xor returns the error page and an incorrect one returns the correct page, indicating an injection point.
3> Submit and 1=1 in URL-encoded form. and 1=1 URL-encoded: %41%4e%44%20%31%3d%31
4> Use -1; -0. Analysis: append -0 to the URL address, so that it reads news.asp?id=123-0; the returned page is the same as the previous one. Append -1 instead and the error page is returned (a different news item is shown). This indicates an injection vulnerability of the numeric type.

3, Character type: determine whether there is injection. Statements: ' and '1'='1; ' and '1'='2 (classic). Result: different pages are returned, indicating an injection vulnerability. Analysis: appending ' and '1'='1 returns the correct page, appending ' and '1'='2 returns the error page, indicating an injection flaw.
If and is blocked by an anti-injection filter (character type): append '%2b'. Analysis: the URL address becomes news.asp?id=123'%2b' and the returned page is the same as in 1; append '%2basdf instead, so that the URL address becomes news.asp?id=123'%2basdf, and the returned page differs from 1, reports that the record was not found, or errors. This indicates an injection point of the character type.

Search type: determine whether there is injection. The simplest test for a search-injection vulnerability is to search for ' first; if there is an error, there is a 90% chance the vulnerability exists. Then search for %; if the page returns normally, there is a 95% chance it has a hole. Note: adding special characters such as "&", "[", "]", "%", "$", "@" and so on works the same way; if there is an error, there is a problem. Operation: search for a keyword such as 2006; normally all information related to 2006 is returned. Then search for 2006%' and 1=1 and '%'=' and for 2006%' and 1=2 and '%'='; if the two results differ, the hole is 100% present. In the query, the search condition becomes like '%keyword%' and 1=1 and '%'='%' (and like '%keyword%' and 1=2 and '%'='%'), which turns and 1=1 into an injected condition whose outcome can be judged.
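The probes listed above (lone quote, and/or/xor tautologies, the URL-encoded and 1=1, id-0 / id-1 arithmetic, '%2b concatenation, the %' like-breakout for search fields) all leave a recognisable shape in the web server's access log, and the defender's counterpart to this tutorial is to look for them there. The following detector is an added example, not code from the original article or its source site: it percent-decodes each query parameter before matching (so the %41%4e%44 form of AND is caught as well), checks the raw path for the %5c trick, and reports probe-carrying requests per client. The Apache-style log lines, client addresses, search.asp/login.asp paths and rule names are constructed for illustration; news.asp and showdetail.asp are the paths the article uses.

```python
"""Flag the manual injection probes described above in web-server access logs.

Added example, not part of the original article. Log lines, hosts, paths and
parameter names are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Patterns are applied to each percent-decoded, lower-cased parameter value.
PROBE_RULES = [
    ("trailing-quote", re.compile(r"^[^']*'$")),                  # id=123'
    ("tautology-and", re.compile(r"\band\s+\d+\s*=\s*\d+")),      # and 1=1 / and 1=2 (also its %41%4e%44 form)
    ("tautology-or", re.compile(r"\bor\s+('[^']*'\s*=\s*'[^']*'?|\d+\s*[=<>]+\s*\d+)")),  # or 1>2, ' or ''='
    ("tautology-xor", re.compile(r"\bxor\s+\d+\s*=\s*\d+")),      # xor 1=1 / xor 1=2
    ("quoted-tautology", re.compile(r"'\s*and\s*'\d+'?\s*=\s*'?\d+")),  # ' and '1'='1, ' and '1=2
    ("numeric-arith", re.compile(r"^\d+-[01]$")),                 # id=123-0 / id=123-1
    ("concat-probe", re.compile(r"'\+")),                         # id=123'%2b' decodes to 123'+'
    ("like-breakout", re.compile(r"%'\s*and\s")),                 # 2006%' and 1=1 and '%'='
    ("db-fingerprint", re.compile(r"\band\s+user\s*>\s*0")),      # and user>0
    ("schema-probe", re.compile(r"\b(?:exists\s*\(\s*select|select\s+count\s*\(|select\s+top\s+1|union\s+select)")),
]
# The %5c trick lives in the path, so it is checked on the raw (still encoded) path.
PATH_RULES = [("path-%5c", re.compile(r"%5c", re.IGNORECASE))]

# Client address and request URL out of an Apache/IIS-style access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log: one client walking through the tutorial's probes, one
# trying the universal password on a login form, and two ordinary requests.
LOG_LINES = [
    '203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /news.asp?id=123 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:00:02 +0000] "GET /news.asp?id=123%27 HTTP/1.1" 500 812',
    '203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "GET /news.asp?id=123%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:00:04 +0000] "GET /news.asp?id=123%20and%201=2 HTTP/1.1" 200 2210',
    '203.0.113.5 - - [12/Mar/2024:10:00:05 +0000] "GET /news.asp?id=123%20or%201%3E2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:00:06 +0000] "GET /news.asp?id=123%20xor%201=1 HTTP/1.1" 200 2210',
    '203.0.113.5 - - [12/Mar/2024:10:00:07 +0000] "GET /news.asp?id=123%20%41%4e%44%20%31%3d%31 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:00:08 +0000] "GET /news.asp?id=123-0 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:00:09 +0000] "GET /news.asp?id=123%27%2basdf HTTP/1.1" 500 812',
    '203.0.113.5 - - [12/Mar/2024:10:00:10 +0000] "GET /search.asp?q=2006%25%27%20and%201=1%20and%20%27%25%27=%27 HTTP/1.1" 200 9000',
    '203.0.113.5 - - [12/Mar/2024:10:00:11 +0000] "GET /showdetail.asp?id=49%20and%20user%3E0 HTTP/1.1" 500 780',
    '203.0.113.5 - - [12/Mar/2024:10:00:12 +0000] "GET /news.asp?id=123%20and%201=2%20union%20select%201,2,3%20from%20admin HTTP/1.1" 500 790',
    '203.0.113.5 - - [12/Mar/2024:10:00:13 +0000] "GET /otherweb/dz%5cs.asp?bigclasstype=1 HTTP/1.1" 500 640',
    '198.51.100.7 - - [12/Mar/2024:10:00:14 +0000] "GET /login.asp?user=%27%20or%20%27%27=%27&pass=x HTTP/1.1" 200 300',
    '198.51.100.9 - - [12/Mar/2024:10:00:15 +0000] "GET /news.asp?id=124 HTTP/1.1" 200 4800',
]


def analyze_request(url: str) -> list[str]:
    """Return the names of every probe rule matched by one request URL, in rule order."""
    parts = urlsplit(url)
    hits = [name for name, rule in PATH_RULES if rule.search(parts.path)]
    # parse_qsl splits on the first '=' only and percent-decodes the value for us.
    values = [v.lower() for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits += [name for name, rule in PROBE_RULES if any(rule.search(v) for v in values)]
    return hits


def scan_log(lines):
    """Return (client_ip, url, probes) for every log line carrying at least one probe."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line; skip
        ip, url = m.groups()
        probes = analyze_request(url)
        if probes:
            findings.append((ip, url, probes))
    return findings


def probes_per_client(lines):
    """Count probe-carrying requests per client: a burst from one source is the signal to act on."""
    counts = {}
    for ip, _, _ in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, url, probes in scan_log(LOG_LINES):
        print(f"{ip} {url} -> {', '.join(probes)}")
    print(probes_per_client(LOG_LINES))
```

A single match is weak evidence (a quote in a name field is legitimate input), which is why the per-client count matters more than any one rule: the walkthrough above produces a dozen flagged requests from one address within seconds, while the two ordinary requests produce none.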
Database type: and user>0. For example: showdetail.asp?id=49 and user>0. If it is an Access database, the returned error typically contains the keyword "Microsoft JET Database"; if it is an MSSQL database, the returned error message usually contains the keyword "SQL Server".

Guess the table name: and exists (select * from tablename). Note: the meaning is the same as above; only the wording of the statement differs.

Guess the column name: and (select count(columnname) from tablename)>0. Note: if the column name we enter is guessed correctly, the normal page is returned.

Guess the length: and (select top 1 len(username) from admin)>0. Note: if the last value we enter returns an error and the value one below it returned correctly, the length we guessed is correct.

Guess the content: and (select top 1 asc(mid(username,1,1)) from admin)>50, with ASCII codes 1-128. Note: if the last value we enter returns an error and the value one below it returned correctly, the number we guessed is correct. (The binary method can be used to guess the content.) Binary method: split the difference between the minimum and the maximum in half; for example, if entering 50 is correct and entering 100 returns an error, enter 75 next.

Two common ways the database gets exposed:
1, %5c
2, conn.asp
%5c exposure: change the / between the last two directory levels to %5c. Example: otherweb...s.asp?bigclassname=Scope of Responsibility&bigclasstype=1. If you see: 'E:\ahttc040901\otherweb\dz\database\ixuer_studio.asa' is not a valid path. Determine if the path name is spelled correctly and is connected to the server where the file resides. - then that is the database. It is downloaded with FlashGet as an .mdb file.
conn.asp exposure: this is also an older loophole and is less often usable. Common universal password login: ' or '=' or '. This is a statement that can be joined into the SQL and goes straight into the backend. I collected a few:
Similar ones: ' or ''=' or 'a'='a' or '('a'='a') or ("a"="a" or "a"="a" or 1=1--' or 'a'='a. These are very old methods, mainly used against some older sites.

Union query injection procedure:
1> Append and 1=2 union select * from tablename to the normal statement, where * stands for the number of fields: starting from 1, keep adding one more number (and 1=2 union select 1,2,3,4 from tablename); if the number of fields is wrong there is an error, so stop when it is correct.
2> Substitute the actual field names, such as username, password, at the positions that are displayed on the page.
3> The actual database field values then appear in place of the page's field values.
Find the back-office address and log in to the background with the administrator's account and password.
I suggest starting with manual detection to master the basic injection method and build up basic knowledge of injection.
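The universal password and the character-type probes above both rely on the same defect: the login page concatenates the submitted username and password into the SQL text, so ' or ''=' turns the WHERE clause into a tautology and ' and '1'='1 versus ' and '1'='2 produce different pages. The example below, added here and not from the original article, shows that defect beside its fix using Python's standard sqlite3 module as a stand-in for the ASP/Access back office the article describes. The admin table, account name and password are constructed for the demonstration; with bound parameters the same inputs are just literal strings, the tautology no longer logs anyone in, the true/false probes give identical answers, and a lone quote no longer produces the engine error that the and user>0 fingerprinting depends on.

```python
"""Why ' or ''=' logs in, and why a parameterized query stops it.

Added example, not from the original article. In-memory SQLite stands in for
the ASP/Access back-office login; the table and credentials are made up.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a single admin account (plain-text password only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (username, password) VALUES ('admin', 's3cret-demo')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the tutorial's universal password: input is pasted into the SQL text.

    Returns the matched username, None for no match, or the raw engine error as a string,
    which is exactly what lets the and user>0 probe read the database type off the page.
    """
    sql = ("SELECT username FROM admin WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fixed version: the SQL text is constant and the values travel as bound parameters."""
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def responds_to_probe(login_fn, conn) -> bool:
    """The tutorial's character-type test: do the true and false probes give different answers?"""
    true_probe = login_fn(conn, "admin' and '1'='1", "s3cret-demo")
    false_probe = login_fn(conn, "admin' and '1'='2", "s3cret-demo")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    universal = "' or ''='"
    print("vulnerable, universal password:", login_vulnerable(db, universal, universal))
    print("parameterized, universal password:", login_parameterized(db, universal, universal))
    print("vulnerable, lone quote:", login_vulnerable(db, "admin'", "x"))
    print("parameterized, lone quote:", login_parameterized(db, "admin'", "x"))
    print("vulnerable differs on true/false probe:", responds_to_probe(login_vulnerable, db))
    print("parameterized differs on true/false probe:", responds_to_probe(login_parameterized, db))
```

The same fix applies to the numeric case (news.asp?id=123): binding id as a parameter means 123 and 1=1 is no longer a condition but an invalid value, so none of the and/or/xor, -0/-1 or union steps have anything to act on. Suppressing raw engine messages in favour of a generic error page removes the Access-versus-MSSQL fingerprint as well.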
Beginner: manual injection test method (subsection). Source: 51Testing software test network (jie)