Bypassing space restrictions - Vulnerability Warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62200715609
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-05-27T00:00:00


There are many known substitutes for the space character, such as TAB and the SQL comment sequence /**/, but I found another one. It was published in the 2006.7 issue of Hacker's Manual; here I pick out its essence.

SQL statements normally rely on spaces: select id from [name] without them becomes selectidfrom[name], which is just a mess. Besides the substitutes mentioned above, I found that parentheses () can also act as separators in SQL. The statement above can be written as select(id)from[name]; the parentheses separate the words and it executes correctly. Take an injection point as an example: jmdcw.asp?name=aa'and 1=1 and"='. Replacing the 1=1 with a statement that queries the administrator's password gives (select asc(mid(pass,1,1)) from [name] where id=1)>49. What about the spaces? It can be written like this: jmdcw.asp?name=aa'and((select(asc(mid(pass,1,1)))from[name]where(id=1))>49)and"='. If the < and > symbols are filtered, use between...and... instead: jmdcw.asp?name=aa'and((select(asc(mid(pass,1,1)))from[name]where(id=1))between(40)and(50))and"='

Anywhere a space would be needed, () can take its place, although for very complex SQL statements this is awkward. The above covers character-type parameters; for numeric ones, the 1 in id=1 can be wrapped in parentheses, though I have not tested this, e.g. jmdcw.asp?id=(1)and(select.....). It should work, right?
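From a defender's side, the point of the technique above is that a filter or detection rule which only recognises SQL keywords when they are separated by whitespace will not see `select` and `from` as separate words in `select(id)from[name]`. The following example, added here and not part of the original article, shows a tokenizer that treats parentheses, brackets, quotes and `/**/` comments as separators (so the parenthesised, `between`, and comment variants all surface the same keyword sequence a whitespace-based regex misses), and beside it the actual fix: binding the value as a parameter so the database never parses it as SQL. The payload strings are constructed from the page's own examples; the `users` table, its columns and the sample rows are assumptions for the demonstration.

```python
"""Detection and mitigation helpers for the parenthesis-as-separator SQL
injection trick.  Added example code, not from the original article.
The table name, column names and sample rows below are constructed."""
import re
import sqlite3

# Separators: whitespace, inline comments, and the punctuation a SQL parser
# also accepts between keywords (parentheses, brackets, quotes, commas,
# comparison and arithmetic operators).  Treating "(" and ")" as separators
# is the key point: a whitespace-only detector never splits
# select(id)from[name] into separate words.
_SEPARATORS = re.compile(r"(?:\s|/\*.*?\*/|[()\[\]'\",;=<>!+\-*/])+", re.S)

# Naive signature of the kind that the trick on this page evades: it requires
# real whitespace around the keywords.
_NAIVE = re.compile(r"\bselect\s+\S+\s+from\s+", re.I)

# Constructed samples based on the article's payloads.
PROBE = "aa'and 1=1 and\"='"
PAREN_PAYLOAD = "aa'and((select(asc(mid(pass,1,1)))from[name]where(id=1))>49)and\"='"
BETWEEN_PAYLOAD = (
    "aa'and((select(asc(mid(pass,1,1)))from[name]where(id=1))"
    "between(40)and(50))and\"='"
)
COMMENT_PAYLOAD = "aa'/**/and/**/(select/**/asc(mid(pass,1,1))/**/from/**/[name])"


def tokenize(value: str) -> list:
    """Split a raw parameter value into lower-cased word tokens."""
    return [t for t in _SEPARATORS.split(value.lower()) if t]


def naive_detect(value: str) -> bool:
    """Whitespace-based rule; misses every no-space variant on this page."""
    return bool(_NAIVE.search(value))


def detect_select_from(value: str) -> bool:
    """Flag a value whose token stream contains 'select' followed later by
    'from', regardless of what separated the words in the raw input."""
    tokens = tokenize(value)
    try:
        first_select = tokens.index("select")
    except ValueError:
        return False
    return "from" in tokens[first_select + 1:]


def demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the article's [name] table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pass) VALUES (?, ?)",
        [("aa", "s3cret"), ("bb", "hunter2")],
    )
    return conn


def lookup_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound as data and never parsed as SQL,
    so parentheses, comments or quotes inside it cannot alter the statement.
    Contrast with the page's vulnerable form: "... where name='" + value + "'".
    """
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    for label, sample in [("probe", PROBE), ("paren", PAREN_PAYLOAD),
                          ("between", BETWEEN_PAYLOAD), ("comment", COMMENT_PAYLOAD)]:
        print(f"{label:8} naive={naive_detect(sample)!s:5} "
              f"tokenized={detect_select_from(sample)!s:5} tokens={tokenize(sample)}")
    conn = demo_db()
    print("bound lookup 'aa'      ->", lookup_by_name(conn, "aa"))
    print("bound lookup payload   ->", lookup_by_name(conn, PAREN_PAYLOAD))
```

The tokenizer is a detection aid, not a sanitiser: it normalises what a reviewer or WAF rule looks at, while `lookup_by_name` is what actually removes the injection, since a bound parameter is compared as a literal string whatever characters it contains.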

Well, that is the summary; sharing it with friends at LOVESHELL.