Home | hacker invade | crack analyzes | hacker course | Exploit | encryption decipher | network management | System crack | the virus to be related | invades the examination | firewall
You are here: hacking technology > hacker course > Content
Hot Articles
SmoothWall Introduces Lo
Travel of the JSP+Oracle
Hacker skill: Gains Webs
Breaks through the Inter
MYSQL database injection
The Tomcat backstage tak
Breaks through the Inter
The hacker teaches you a
WinHex pursues the code
How does the hacker dest
How teaches you to take
The SQL injection revise
mssql SA jurisdiction ne
Microsoft SQL Server SA
The bored Css cross stat
Recommend Articles
The SQL injection revise
How does the hacker dest
The new military recruit
Union inquires the small
MYSQL database injection
Invades under new skill
How does the website scr
Smells searches works as
How in does the net seep
Microsoft SQL Server SA
A simple invasion, does
The mainstream raises th
The bored Css cross stat
The random combined comm
The hacker teaches you a
New Articles
Check Point offers compa
The malware spreads Cali
Full Disk Encryption pro
Cardholders should take
U.S. still more spam tha
Strong encryption L?solu
ConvexSoft DJ Audio Mixe
Few companies k?can be i
IT professionals can kee
k the media?can not by s
k the media?can not by s
Google Custom Search Eng
Users of the iPhone and
Gateshead College offers
Manchester obtained pass
The hacker teaches you anything is the SQL injection method attack
  Add date: 07/16/2008   Publishing date: 07/16/2008   Hits: 13
Total 10 pages, Current page:1, Jump to page:
 
This article is to on-line massive similar article analysis and the summary, and unifies itself to implement in the process the experience synthesis to become, including many directly quotes, has not paid attention to the source, please original author excuse me)

Along with the B/S pattern application development's development, uses the programmer who this kind of pattern compiles the application procedure to be also getting more and more. But because programmer's level and the experience are also irregular, quite big part of programmers in compilation code time, has not carried on the judgment to the user data-in's validity, causes the application procedure existence safe hidden danger. The user may submit a section of database inquiry code, the root “
According to the procedure returns's result, obtains the data which certain he wants to know, this is so-called SQL Injection, namely SQL pours into.
SQL pours into is from the normal WWW port visit, moreover the surface looks like with general Web page visit not any difference, therefore the present market condition's firewall will not pour into to SQL sounds the warning, if the manager had not examined that the IIS diary the custom, is possibly invaded the very long time not to detect. But, SQL pours into the technique is quite flexible, in pours into time will bump into many accident's situations. Can act according to the special details to carry on the analysis, constructs the ingenious SQL sentence, thus success gain wish data.
Statistics indicated that the website accounts for above 70% with ASP+Access or SQLServer, PHP+MySQ accounts for L20%, other insufficiencies 10%. In this article, by the SQL-SERVER+ASP example explained SQL pours into principle, method and process. (PHP pours into article relevant paper which composes by NB alliance another friend zwell)
SQL pours into the attack the overall mentality is:
l discovered that SQL pours into the position;
l judgment backstage database type;
l determines XP_CMDSHELL to be possible the operational practice
l discovers the WEB hypothesized catalog
l uploads the ASP wooden horse;
l obtains the manager jurisdiction;
First, SQL pours into crack's judgment
Generally speaking, SQL pours into exists generally in the shape for example: HTTP://xxx.xxx.xxx/abc.asp? id=XX and so on has in the parameter ASP dynamic homepage, sometimes in a dynamic homepage possible only then a parameter, sometimes possibly some N parameters, sometimes are the trueing parameters, sometimes is the string of character parameter, cannot be generally spoken. In brief so long as has the parameter dynamic homepage, and this homepage visited the database, then has the possibility to have SQL to pour into. If the ASP programmer does not have the safety consciousness, does not carry on the essential character filtration, has the possibility which SQL pours into to be big.
For the thorough understanding dynamic homepage reply's information, the first choice requests transfer the entire IE disposition. Error message checks off IE menu pneumatic tool - Internet in front of the option - high-level - demonstration friendly HTTP.

 
Other pages: : 1 * 2 * 3 * 4 * 5 * 6 * 7 * 8 * 9 * 10 * Next>>
Prev:The random combined command achieves exempts kills Next:The SQL weak password 1433 catch the chicken to meet the question

Comment:

Category: Home > hacker course
Home