
ASP.NET SQL Injection Example

Date: 2015-10-10 15:36:10


1. Add the connection string to web.config:

<configuration>
  <connectionStrings>
    <add name="myConnectionString"
         connectionString="Server=10.231.248.177;Database=testdb;User ID=sa;Password=pa$$word;Trusted_Connection=False;"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>


2. Drag a few controls onto the form:

<form id="form1" runat="server">
    <asp:Label ID="LU" runat="server" Text="User Name:"></asp:Label>
    <asp:TextBox ID="TBU" runat="server"></asp:TextBox>
    <br/>
    <asp:Label ID="LP" runat="server" Text="Password:"></asp:Label>
    <asp:TextBox ID="TBP" runat="server"></asp:TextBox>
    <br/>
    <asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" />
</form>


3. Write the login event handler:

// Namespaces required at the top of the code-behind file
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

protected void Login_Click(object sender, EventArgs e)
{
    using (SqlConnection con = new SqlConnection(WebConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString))
    {
        con.Open();
        SqlCommand cmd = new SqlCommand();
        // Deliberately vulnerable: user input is concatenated directly into the SQL text
        cmd.CommandText = "SELECT Count(1) FROM [User] where UserName='" + TBU.Text.Trim() + "' and Password='" + TBP.Text.Trim() + "'";
        cmd.CommandType = CommandType.Text;
        cmd.Connection = con;
        int count = (int)cmd.ExecuteScalar();
        // Echo the final SQL so the injected query is visible in the demo
        Response.Write(cmd.CommandText);
        if (count > 0)
        {
            Response.Write("<script>alert('Login pass!');</script>");
        }
        else
        {
            Response.Write("<script>alert('Login fail!');</script>");
        }
    }
}


4. Craft the SQL injection login:

User name input: test' or ''='

Password input: ' or ''='
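
A parameterized version of the step 3 handler, added here as an example (not code from the original post): the inputs from step 4 make the concatenated WHERE clause end in `or ''=''`, which is always true, whereas bound parameters keep them as plain data. The class name `LoginPage`, the helper `CountMatchingUsers` and the `NVarChar(50)` column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public partial class LoginPage : System.Web.UI.Page   // class name is an assumption
{
    // Returns the number of rows matching the credentials. The SQL text is a
    // constant; user input travels only as typed parameter values.
    // The plaintext Password column is kept only to mirror the page's table.
    private static int CountMatchingUsers(string userName, string password)
    {
        string cs = WebConfigurationManager
            .ConnectionStrings["myConnectionString"].ConnectionString;
        const string sql =
            "SELECT COUNT(1) FROM [User] WHERE UserName = @userName AND Password = @password";

        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Column types and lengths are assumptions; match them to the real table.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
            con.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        // With the step 4 inputs, the values are compared as literals, so the
        // count is 0 unless a row really stores those exact strings.
        int count = CountMatchingUsers(TBU.Text.Trim(), TBP.Text.Trim());

        // Fixed strings only: the SQL text is no longer echoed to the browser.
        string message = count > 0 ? "Login pass!" : "Login fail!";
        Response.Write("<script>alert('" + message + "');</script>");
    }
}
```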


Other ASP.NET SQL injection examples, for reference if you are interested:

http://www.aspsnippets.com/Articles/SQL-Injection-Attack-its-examples-and-Prevention-mechanisms-and-Techniques-in-ASPNet.aspx

http://www.codeproject.com/Articles/459324/Understading-SQL-Injection-and-Creating-SQL-Inject

http://blogs.iis.net/nazim/sql-injection-demo

Other SQL injection material: http://www.unixwiz.net/techtips/sql-injection.html

Copyright notice: this is the blogger's original article and may not be reproduced without the blogger's permission.

Original article: http://blog.csdn.net/yangzhenping/article/details/49023751
