Take the username field as an example. First, take the first record and test its length:
http://www.19cn.com/showdetail.asp?id=49 and (SELECT TOP 1 LEN(UserName) FROM admin)>0
If the length of the first UserName is greater than 0, the condition holds. Then test >1, >2, >3 and so on until the condition no longer holds; for example, if >7 holds and >8 does not, then LEN(username)=8.
Of course, nobody would be so foolish as to test 0, 1, 2, 3 one at a time; how to do it faster is left to each reader. Once the length of the username is known, the nth character is extracted with MID(username, n, 1), and ASC(MID(username, n, 1)) returns its ASCII code, for example:
id=49 and (SELECT TOP 1 ASC(MID(username, 1, 1)) FROM admin)>0
The ASCII code of the first character is likewise found by narrowing the range step by step. Note that the ASCII codes of letters and digits lie between 1 and 128, which can be used to speed up the guessing; if the testing is written as a program, the efficiency improves enormously.
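From the defender's side, the probes described above leave a distinctive trace: a record id that is not purely numeric, followed by a "select top 1 ... from" subquery calling LEN/ASC/MID (or UNICODE/SUBSTRING on SQL Server), repeated many times from one client while the response alternates between success and error. The following Python scanner is an added example, not part of the original tutorial; it parses Apache combined-format access log lines, classifies the id parameter, and counts probes per client address. The log lines, client addresses and the 200/500 status pattern are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Signature of the probes described above: a boolean condition appended to a
# numeric id, with a "select top 1 ... from" subquery calling LEN/ASC/MID
# (Access) or UNICODE/SUBSTRING (SQL Server) on the guessed column.
PROBE = re.compile(
    r"\b(and|or)\s*\(\s*select\s+top\s+1\s+"
    r"(len|asc|unicode|mid|substring|abs)\s*\(",
    re.IGNORECASE,
)
# Apache combined-format line: client IP, method and URL, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log (path as in the tutorial's example URL, addresses made up).
# Client 10.0.0.9 walks the username length, then its first character; the
# 200/500 difference is the true/false oracle such probes read.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /showdetail.asp?id=49 HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /showdetail.asp?id=49%20and%20(select%20top%201%20len(username)%20from%20admin)%3E7 HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /showdetail.asp?id=49%20and%20(select%20top%201%20len(username)%20from%20admin)%3E8 HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /showdetail.asp?id=49%20and%20(select%20top%201%20asc(mid(username,1,1))%20from%20admin)%3E64 HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /showdetail.asp?id=50 HTTP/1.1" 200 1100
"""

def classify_request(url):
    """Return (decoded id value, kind); kind is 'clean', 'non-numeric' or 'blind-probe'."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("id")
    if not values:
        return None, "clean"
    value = values[0]  # parse_qs has already percent-decoded it
    if value.strip().isdigit():
        return value, "clean"  # the only shape a record id should ever have
    return value, "blind-probe" if PROBE.search(value) else "non-numeric"

def scan_access_log(text):
    """Classify every request's id parameter and count probes per client IP."""
    findings, probes_per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.group(1), m.group(2), int(m.group(3))
        value, kind = classify_request(url)
        if kind == "clean":
            continue
        findings.append((ip, kind, status, value))
        if kind == "blind-probe":
            probes_per_ip[ip] += 1
    return findings, probes_per_ip
```

The same numeric check that flags these requests in the log is the fix in the application: an id that is not purely numeric should be rejected before it reaches the query, and the query itself should take the id as a parameter rather than by string concatenation.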
Section II: Common functions used in SQL injection
People with a solid grounding in SQL have a much higher success rate at SQL injection than those unfamiliar with it. We must improve our SQL skills, especially our knowledge of some common functions and commands.
Access: ASC(character)    SQL Server: UNICODE(character)
Role: Returns the ASCII code of a character
Access: CHR(number)    SQL Server: NCHAR(number)
Role: The inverse of ASC: returns the character for a given ASCII code
Access: MID(string, N, L)    SQL Server: SUBSTRING(string, N, L)
Role: Returns the substring of length L starting at the Nth character of the string, i.e. the characters from N to N+L
Access: ABS(number)    SQL Server: ABS(number)
Role: Returns the absolute value of a number (used when guessing Chinese characters)
Access: A BETWEEN B AND C    SQL Server: A BETWEEN B AND C
Role: Tests whether A lies between B and C
Section III: Handling Chinese characters
Chinese characters are commonly met during injection, and some people balk as soon as they run into them. In fact, as long as you understand how Chinese characters are encoded, this "Chinese phobia" is quickly overcome.
First, a little common sense:
In Access, the ASCII code of a Chinese character may be negative. Take the absolute value with ABS() after removing the negative sign and the Chinese character is unchanged.
In SQL Server, the ASCII code of a Chinese character is positive, but since it is a two-byte Unicode encoding, the code cannot be obtained with the ascii() function; the unicode() function must be used, and the nchar function returns the corresponding Chinese character.
Once these two points are understood, isn't guessing Chinese characters almost the same as guessing English? Apart from the functions used, the only thing to watch is the range; the method itself is no different.
(Source: 9cbs)