Beginner Level
If you have never tried SQL injection, the first step is to turn off "Show friendly HTTP error messages" in IE (menu Tools => Internet Options => Advanced). Otherwise, whatever the server returns, IE only displays "HTTP 500 server error" and you cannot see the more detailed error message.
Section 1: The principle of SQL injection
Here we start from a website, www.19cn.com (note: the site administrator's consent was obtained before this article was published, and most of the data in it is real).
On the site's home page there is a link "IE can't open a new window", whose address is http://www.19cn.com/showdetail.asp?id=49. If we append a single quote ' to this address, the server returns the following error message:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID=49''.
/showdetail.asp, line 8
From this error message we can learn the following:
1. The site uses an Access database and connects to it through the JET engine, not through ODBC.
2. The program does not check whether the data submitted by the client meets the program's requirements.
3. The SQL statement queries on a field named ID.
From the above example we can see that the principle of SQL injection is to submit specially crafted code from the client, collect information about the program and the server from how it reacts, and so obtain the data you want.
Section 2: Determining whether SQL injection is possible
After reading Section 1, some people will think: I often test for injection this way too, isn't it simple? In fact this is not the best method. Why?
First, not every server's IIS returns ASP error messages to the client. If the program wraps the parameter in a type conversion such as CInt() before using it, SQL injection will not succeed, but the server will still report an error, with the message: "Error processing URL on the server. Please contact the system administrator."
Second, some programmers with a little knowledge of SQL injection believe that filtering out single quotes makes the program safe, and this is not rare. If you test with a single quote, you will not find the injection point.
So what test method is more accurate? The answer is as follows:

1 http://www.19cn.com/showdetail.asp?id=49
2 http://www.19cn.com/showdetail.asp?id=49 and 1=1
3 http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test. How to judge? Look at the results returned by the three URLs.

If injection is possible:
1 displays normally (this is inevitable; otherwise the program itself has an error)
2 displays normally, with essentially the same content as 1
3 shows a BOF or EOF error (the program does no checking at all), or a "record not found" message (the program checks rs.eof), or a blank page (the program added On Error Resume Next)

If injection is not possible, it is easier to judge: 1 also displays normally, while 2 and 3 generally show an error message defined by the program, or a type conversion error.

Of course, this is only the way to judge when the parameter passed in is numeric. In practice there are also character-type and search-type parameters; I will analyze those in "General steps of SQL injection" in the Intermediate Level.

Section 3: Determining the database type and the injection method
Different databases have different functions and different injection methods, so we must determine the database type before injecting. The databases most commonly paired with ASP are Access and SQL Server; more than 99% of websites online use one of the two.

How do you get the program to tell you which database it uses? Look at this: SQL Server has some system variables. If the server's IIS error messages have not been turned off and SQL Server returns its error messages, you can read the answer straight from the error information. The method is as follows:

http://www.19cn.com/showdetail.asp?id=49 and user>0

This statement is very simple, but it contains the essence of SQL Server's own injection method. I discovered this highly efficient way of guessing during an unintended test.
Let's look at what it means. The statement in front is normal; the key part is "and user>0". We know that user is a built-in variable of SQL Server whose value is the user name of the current connection, and its type is nvarchar. When an nvarchar value is compared with the integer 0, the system tries to convert the nvarchar value to type int. Of course this conversion fails, and SQL Server reports: "Syntax error converting the nvarchar value 'abc' to a column of data type int." Here abc is the value of the variable user, so the database user name is revealed without any effort. In later sections you will see many statements that use this method. By the way, it is well known that SQL Server's user sa has permissions equivalent to the Administrators role; once you have sa permissions, you can almost certainly get Administrator on the host. The method above also conveniently tests whether the site logs in as sa: if it is an sa login, the error says that converting "dbo" to a column of type int failed, not "sa".
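The single-quote test from Section 1 and the 1=1 / 1=2 test from Section 2, as an added example that is not part of the original article: a Python stand-in for showdetail.asp using an in-memory SQLite table. The table name article, its columns and its rows are constructed assumptions (the real schema is never shown). Three handler variants are compared: the concatenating one the page describes, one that only strips single quotes (Section 2's second objection), and one that converts the parameter to an integer and binds it (the CInt() case).

```python
import sqlite3

# Constructed sample rows standing in for the Access table behind showdetail.asp.
# Table and column names are assumptions; the page never shows the real schema.
SAMPLE_ROWS = [
    (49, "IE can't open a new window"),
    (50, "Another article"),
]


def make_db():
    """In-memory SQLite stand-in for the site's Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def showdetail_vulnerable(conn, raw_id):
    """Concatenates the id parameter straight into the query, the way the
    page's showdetail.asp evidently does."""
    sql = "SELECT title FROM article WHERE id=" + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # What the Jet engine error looks like with friendly messages turned off.
        return "Database error: %s" % exc
    return row[0] if row else "BOF or EOF"      # rs.eof: no record found


def showdetail_quote_filtered(conn, raw_id):
    """Strips single quotes and then still concatenates: the 'safe' pattern
    from Section 2 that the single-quote probe cannot detect."""
    return showdetail_vulnerable(conn, raw_id.replace("'", ""))


def showdetail_cint(conn, raw_id):
    """Converts the parameter to an integer first (like CInt) and binds it."""
    try:
        num = int(raw_id)
    except ValueError:
        # The generic IIS error the page quotes; no database detail leaks.
        return ("Error processing URL on the server. "
                "Please contact the system administrator.")
    row = conn.execute("SELECT title FROM article WHERE id=?", (num,)).fetchone()
    return row[0] if row else "BOF or EOF"


def single_quote_test(handler, conn, id_value):
    """Section 1's test: does appending ' produce a database error?"""
    return handler(conn, id_value + "'").startswith("Database error")


def classic_test(handler, conn, id_value):
    """Section 2's 1=1 / 1=2 test. Returns the three responses plus the verdict:
    injectable when the base page and the 'and 1=1' page match, the 'and 1=2'
    page differs, and neither is the generic server error."""
    base = handler(conn, id_value)
    true_page = handler(conn, id_value + " and 1=1")
    false_page = handler(conn, id_value + " and 1=2")
    generic = "Error processing URL"
    injectable = (base == true_page and base != false_page
                  and generic not in base and generic not in true_page)
    return {"base": base, "1=1": true_page, "1=2": false_page,
            "injectable": injectable}


if __name__ == "__main__":
    conn = make_db()
    for name, handler in [("vulnerable", showdetail_vulnerable),
                          ("quote-filtered", showdetail_quote_filtered),
                          ("cint", showdetail_cint)]:
        print("%-15s quote test: %-5s  1=1/1=2 test: %s" % (
            name, single_quote_test(handler, conn, "49"),
            classic_test(handler, conn, "49")["injectable"]))
```

Running it, the quote-filtering handler passes the single-quote probe but is caught by the 1=1 / 1=2 probe, which is exactly why the page prefers the latter; the CInt handler is reported as not injectable because every modified parameter yields the same generic server error. The Section 3 "and user>0" trick is not reproduced here: SQLite has no user function and compares text with integers without raising a conversion error, so that part genuinely requires SQL Server.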