SQL injection case study: the Hacker Defense website

xiaoxiao, 2021-03-06

Today I went to the Hacker Defense site to read some articles, and perhaps out of professional habit, whenever I see something like ClassID=1 I cannot help appending a few parameters of my own.

On the page http://www.hacker.com.cn/Article/index.asp?classid=3&nclassid=13 I appended (1) `and 1=1` and (2) `and 1=2`. Both returned the prompt "Processing the URL error. Please contact the system administrator", so it looked as if illegal submissions were already filtered, and IIS error messages had been turned off as well. Appending (3) a single quote `'` produced the same error prompt, yet the two error pages are clearly different: the first two render the Hacker Defense logo before the error appears, while the third is a blank error page.

This was a situation I had never run into before. Could it still be injected?

Look at it from another angle: how might the programmer have written this page? First, if CInt() were applied to the parameter, the error prompts for all three tests would be exactly the same; if there were no filtering at all, the results of tests 1 and 2 should differ. Having seen several cases like this, the most likely explanation is that some filtering statement exists but is placed after the SQL statement: the SQL statement runs first and succeeds, and only then does the later statement (probably the CInt) fail.

Although I still could not be sure exactly how the program was written, one thing could be determined: this is indeed an injection point!

Following "SQL Injection Vulnerability Full Contact", the next step is to determine the database type. Because error messages are blocked, the only way is to test against the system tables. Enter:

http://www.hacker.com.cn/Article/index.asp?classid=1 and (select count(1) from sysobjects)>=0

The result was an error prompt with no logo, which means the statement itself failed: most likely sysobjects does not exist, i.e. the database is Access. So take an Access system table instead. MSysObjects will not work here, because the web account has no permission to read it and the SQL statement cannot succeed; one has to switch to a table the account is permitted to read, such as MSysAccessObjects. Sure enough, the Hacker Defense logo appeared, confirming that the database is indeed Access.

The next step is relatively simple: `(select count(1) from admin)>=0` tests whether the admin table exists, and it does, with username and password fields in it. I assumed the most common ASCII-comparison method would guess the records, a trivial matter, but I did not expect this to be the hardest bone to chew: with the traditional ASCII comparison, the SQL statement executes correctly whether or not the condition holds. What this page reports is the error in the later statement, not an error in the SQL statement itself. Here, regardless of whether the condition is true, the logo is displayed and then the error is reported, so nothing can be judged from it.

After half an hour of thought I finally came up with a way: make the SQL statement itself error out conditionally. First look at the statement:

http://www.hacker.com.cn/Article/index.asp?classid=1 and (SELECT TOP 1 IIF(ASC(MID(UserName,1,1))>96,1,UserName) FROM admin)>0

When I wrote this statement I even admired myself, haha; don't be sick. Explanation: ASC(MID(UserName,1,1)) is easy to understand, it takes the ASCII code of the first character of UserName. If that code is greater than 96, the SELECT returns the number 1; if it is less than or equal to 96, the SELECT returns the string UserName. The value of the SELECT is then compared with 0. Since 1 and 0 are both numeric, the SQL statement does not fail when the ASCII code is greater than 96; UserName is a string, so when the ASCII code is less than or equal to 96 the comparison of a string with a number makes the SQL statement fail. The error prompts in the two cases are therefore different, so we can tell from the error prompt whether the condition holds, and by narrowing the range of each character step by step we obtain the value of UserName.

Thus, by the method described above, the value of UserName is CHR(98) CHR(114) CHR(105) CHR(103) CHR(104) CHR(116) = Bright, and the value of Password is CHR(109) CHR(105) CHR(110) CHR(103) CHR(116) CHR(105) CHR(97) CHR(110) = Mingtian. Decoding is complete.
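As an added example that is not part of the original article, the Python below scans constructed IIS-style log lines for the probes this article walks through (the `and 1=1` tautology, the single quote, the sysobjects/MSysAccessObjects lookups, and the IIF type-error trick) and also flags any non-numeric value in an id parameter, which is the check a CInt() placed before the query would have enforced. The log lines, client addresses and the set of numeric parameter names are all assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS-style log lines (not real traffic), one request per line:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-03-06 10:01:02 203.0.113.5 GET /Article/index.asp classid=3&nclassid=13 200
2004-03-06 10:01:09 203.0.113.5 GET /Article/index.asp classid=3%20and%201=1 200
2004-03-06 10:01:20 203.0.113.5 GET /Article/index.asp classid=3%27 200
2004-03-06 10:01:45 203.0.113.5 GET /Article/index.asp classid=1%20and%20(select%20count(1)%20from%20sysobjects)>=0 200
2004-03-06 10:02:40 203.0.113.5 GET /Article/index.asp classid=1%20and%20(select%20top%201%20iif(asc(mid(username,1,1))>96,1,username)%20from%20admin)>0 200
2004-03-06 10:03:01 198.51.100.7 GET /Article/index.asp classid=12&nclassid=4 200
"""

# Query parameters that must be whole numbers (assumption: the article id parameters)
NUMERIC_PARAMS = {"classid", "nclassid"}

# Indicators drawn from the probes the article describes
PROBES = [
    ("boolean-tautology", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("single-quote", re.compile(r"'")),
    ("schema-probe", re.compile(r"\b(sysobjects|msysobjects|msysaccessobjects)\b", re.I)),
    ("subselect", re.compile(r"\(\s*select\b", re.I)),
    ("iif-type-error", re.compile(r"\biif\s*\(\s*asc\s*\(\s*mid\s*\(", re.I)),
]

def classify_query(raw_query: str) -> list[str]:
    """Return the sorted indicator names triggered by one URL-encoded query string."""
    findings = set()
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        # The numeric check the article concludes was applied only after the query had run
        if name.lower() in NUMERIC_PARAMS and not value.strip().isdigit():
            findings.add("non-numeric-id")
        for label, pattern in PROBES:
            if pattern.search(value):
                findings.add(label)
    return sorted(findings)

def scan_log(text: str) -> list[dict]:
    """One record per suspicious request; status codes are ignored since every probe got the same custom error page."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        indicators = classify_query(fields[5])
        if indicators:
            hits.append({"ip": fields[2], "query": fields[5], "indicators": indicators})
    return hits
```

Because the site answered every probe with the same custom error page, the status column is useless for spotting this; the query string has to be decoded and inspected.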

Please credit the original when reposting: https://www.9cbs.com/read-102194.html
