1. Open the address; a normal page is returned.
2. Append -1 to the id value, so the address becomes http://site/news.asp?id=123-1. If the returned page differs from the previous one but is still a normal page, this indicates an injection vulnerability of the numeric type.
3. If appending -0 (http://site/news.asp?id=123-0) returns the same page as before, and appending -1 then returns an error page, this likewise indicates an injection vulnerability of the numeric type.
4. If appending '%2b' (so the address becomes http://site/news.asp?id=123'%2b') returns the same page as before, and appending '%2b'SB (http://site/news.asp?id=123'%2b'SB) returns a different normal page, a "record not found" page, or an error, this indicates an injection vulnerability of the character (string) type.
Cause Analysis:
If the SQL statement is executed like this (numeric): SELECT * FROM news WHERE id=2881064151
When -1 is appended, the statement becomes: SELECT * FROM news WHERE id=123-1
SQL Server first evaluates the expression 123-1, which is 122, and then executes: SELECT * FROM news WHERE id=122
So the record for a different page is selected. If that record exists, a different page is returned; otherwise a "record not found" page or an error is returned. Either way the program did not filter the input, so a numeric injection vulnerability exists.
If the SQL statement is executed like this (character): SELECT * FROM news WHERE id='123'
After appending '%2b', the statement becomes: SELECT * FROM news WHERE id='123'+'' (%2b is the URL encoding of +)
SQL Server first evaluates '123'+'' and actually executes: SELECT * FROM news WHERE id='123', which returns the same page.
After appending '%2b'SB, the statement becomes: SELECT * FROM news WHERE id='123'+'SB' (for the same reason, SQL evaluates '123'+'SB' first)
SQL Server actually executes: SELECT * FROM news WHERE id='123SB'. The returned page is "record not found" or an error, which indicates a character-type injection vulnerability.
When the SQL Server executes this statement, it first performs an operation and then executes the