December 1, Network Security Experiment 1: "SQL Injection"

xiaoxiao2021-03-06  64

Experiment content:

Obtain the back-end administration password of a web application through SQL injection

Purpose:

Become familiar with the principle of SQL injection, master the relevant tools, and understand the impact of an injection attack

Experiment steps:

1. Understand how the web application environment is built; the target program is "Dusty Yajitang Graphic System Boiling 3AS Modified V0.40"

2. Master the injection technique for an ordinary ASP forum or guestbook, and learn how to identify the target's injection point

3. Using only the browser, guess the target's password through the GET method

Process:

Find the injection point and determine which kind of injection it is

Enumerate the table name and field names [skipped here, since the program was downloaded from the internet]

Obtain the number of records and the minimum ID on the target

Obtain the username length for the minimum ID

Obtain the characters that make up that username

In the same way, obtain the length and contents of the password

Find the administration back-end login page and log in with the guessed account

4. Use tools such as WIS and NBSI for detection, and compare them with the manual procedure, which is more varied

WIS: by Xiaorong, command-line mode

WED: by Xiaorong, command-line mode

NBSI: by Xiaozhu, latest version 2.0, GUI interface

5. Review the IIS logs, and summarize the lessons learned and prevention methods
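An added example, not part of the original lab write-up: a small Python script that parses an IIS W3C log excerpt and flags the GET-based probing requests that step 5 asks you to look for. The log lines, IP addresses and signature patterns are constructed for illustration; field names follow the IIS #Fields header convention.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the original post): normal requests
# interleaved with the probing and guessing requests the lab procedure describes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2004-12-01 10:00:01 10.0.0.5 GET /show.asp id=12 10.0.0.9 200
2004-12-01 10:00:07 10.0.0.5 GET /show.asp id=12+and+1%3D1 10.0.0.9 200
2004-12-01 10:00:09 10.0.0.5 GET /show.asp id=12+and+1%3D2 10.0.0.9 500
2004-12-01 10:00:15 10.0.0.5 GET /show.asp id=12+and+(select+count(*)+from+admin)%3E0 10.0.0.9 200
2004-12-01 10:00:21 10.0.0.5 GET /show.asp id=12+and+(select+top+1+len(username)+from+admin)%3E5 10.0.0.9 500
2004-12-01 10:00:30 10.0.0.5 GET /show.asp id=13 10.0.0.22 200
"""

# Patterns typical of GET-based guessing: boolean tautologies, embedded
# subqueries, and the length/character probing functions used step by step.
SIGNATURES = [
    re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),       # and 1=1 / and 1=2
    re.compile(r"\bselect\b.+\bfrom\b", re.I),        # embedded subquery
    re.compile(r"\b(len|asc|mid|count)\s*\(", re.I),  # length/char probing
]

def parse_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_injection_attempts(text):
    """Return (client ip, decoded query, matched pattern) for suspicious requests."""
    hits = []
    for rec in parse_log(text):
        query = unquote_plus(rec.get("cs-uri-query", "-"))  # decode %3D, + etc.
        for sig in SIGNATURES:
            if sig.search(query):
                hits.append((rec["c-ip"], query, sig.pattern))
                break
    return hits

def attempts_per_client(text):
    """Count flagged requests per client address; a guessing burst stands out."""
    counts = {}
    for ip, _, _ in flag_injection_attempts(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Alternating 200/500 responses from one address on the same page, as in the sample, are the fingerprint of boolean-based guessing and are worth alerting on even before the query text is inspected.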

Please cite the original address when reposting: https://www.9cbs.com/read-85815.html
