SQL injection bypasses login verification

2025-01-29 Update. From: SLTechnology News&Howtos, Network Security

Shulou (Shulou.com) 06/01 Report

A recent test found a SQL injection in a login form that allows logging in to the system without a password.

First, enter "111'" in the login field; an error page appears, as shown in the figure, which suggests the input may be injectable.

Next, test the "universal" username admin' or '1'='1 with an empty password: the login succeeds without a password being entered.

Analyze this payload:

From the error message, it can be seen that the query statement is:

select * from xxxx where username='[username input]' and pwd='[password input]'

When the payload is entered as the username (with an empty password), the statement becomes:

select * from xxxx where username='admin' or '1'='1' and pwd=''

Evaluating this statement: username='admin' is true (the user exists in the system), '1'='1' is always true (so whatever follows the OR does not matter), and pwd='' is false.

That gives true OR true AND false. Because AND has higher precedence than OR, true AND false is evaluated first and yields false; then true OR false yields true (OR returns TRUE when any of its operands is true), so the login succeeds.

I then ran sqlmap against it and found that the username admin must be included for it to succeed; without it, sqlmap cannot exploit the injection, as shown in the figure:

It seems that you need to know a valid username, which is a real limitation here. The other "universal" payloads I tried did not work: 'or '1'='1-- simply produced a "wrong username or password" prompt, and 'or '1'='1'-- produced error messages.

There are also parameters that must be given a value before the injection works; presumably this is related to how the page handles the response.
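The analysis above (the spliced query, the AND-before-OR precedence, and the observation that the payload only works with a valid username) can be reproduced offline. The following is an added example, not code from the original article or from the tested system: it uses SQLite with a constructed users table and hypothetical passwords, and the function names vulnerable_login, safe_login and precedence_demo are illustrative. The vulnerable function builds the statement by string splicing exactly as the article infers; the safe function shows the parameterized form that closes the hole.

```python
import sqlite3

# Constructed sample data (not from the article): a users table with two rows.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, pwd):
    """Login check that splices user input into the SQL string.

    This mirrors the statement the article infers from the error page:
        select * from xxxx where username='...' and pwd='...'
    Returns True if a row matches, False if none does, and None if the
    input broke the statement's syntax (the error-page case).
    """
    query = f"select * from users where username='{username}' and pwd='{pwd}'"
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return None


def safe_login(conn, username, pwd):
    """Same check with a parameterized query.

    The values travel separately from the statement text, so a quote in the
    input is just a character inside the value and can never add an OR clause.
    """
    row = conn.execute(
        "select * from users where username=? and pwd=?", (username, pwd)
    ).fetchone()
    return row is not None


def precedence_demo(conn):
    """Show the AND-before-OR precedence the article relies on.

    Returns (implicit, explicit): the first expression is parsed as
    a OR (b AND c) and is true; the second forces (a OR b) AND c and is false.
    """
    implicit = conn.execute("select 1=1 or 1=1 and 1=0").fetchone()[0]
    explicit = conn.execute("select (1=1 or 1=1) and 1=0").fetchone()[0]
    return bool(implicit), bool(explicit)


if __name__ == "__main__":
    db = make_db()
    probe = "111'"                      # the article's first test input
    payload = "admin' or '1'='1"        # the article's "universal username"
    print("probe breaks syntax:", vulnerable_login(db, probe, ""))                  # None
    print("payload, known user:", vulnerable_login(db, payload, ""))                # True
    print("payload, unknown user:", vulnerable_login(db, "nobody' or '1'='1", ""))  # False
    print("payload vs parameterized:", safe_login(db, payload, ""))                 # False
    print("precedence (implicit, explicit):", precedence_demo(db))                  # (True, False)
```

The unknown-user case is the article's sqlmap observation in miniature: with the spliced query, the OR only rescues the row when username='admin' is itself true, because '1'='1' and pwd='' is grouped together and evaluates to false. Against the parameterized query the same input is just a username string nobody has, so it never matches.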
