The other day when browsing a site when, for a moment, hands itching, in the URL behind a“ and 1=2”is intended to take a look at this system there is no SQL injection vulnerability, which know that the browser POPs up two dialog boxes and then unlimited pop-up window. Had to finish off the process, depressed, I use the TT browser, the other window also to the end, 5 5 5 5 to to to Really outrageous, injection you also don't like this whole me, I'd like to see you this program has what the ability is. In the end did not dare to go try that system, it is from the other place to start to get a webshell, after Inquire, originally it was called“Conan picture management system”stuff. Know a sign that's good do., online Down a look at the source code first. It is the view. asp has this:
Now look at the check. htm content:
Look at its evil intentions right, pop up two dialog boxes will open 1 0 0 million every window, Oh, cool not? Of course can't get to him in vain to bully Ah, I have to break it of SQL injection Defense, Oh, careful analysis of the original his defense is just useless, we need only transform the look of the character will be done. See his judgment statement, is to use the instr function to determine, if found and, or, select等关键字就转到check.htm the. Well, look at the instr function usage: InStr([start, ]string1, string2[, compare]) There are 2 optional parameters start and compare, the problem is precisely out in the compare here. The Compare to 0 perform a binary comparison 1 perform the text comparison. The default is 0. In short, compare is 0 when the comparison is case-sensitive. IE instr(“ and 1=2”,”And”)is equal to 0. That now better organized, just put it the filter a keyword of one letter changed to uppercase, and then he was so long the filter statement is equal to only filter“’”, it does not matter Ah, anyway, the injection with less than“’”to.
His table name is admin, the user field is admin, the Password field of the password, slowly hand guess, Oh, it seems no tools can be used, now know that the programming still useful. Of course, you can also use Union queries to directly obtain the administrator password, this than guess the solution much faster, or write a program?, faster 1 to.
Copy URL to access it, eh, no, first you have to put the key word switch, in particular, to note that the password contains“or”admin included“in”Table say I didn't warn you.
Oh, again: Enjoy Hacking it! Oh, and finally said If you want to defense then simply put the parameter compare is set to 1 is ok.