<configuration><connectionStrings ><add name="myConnectionString"connectionString="Server=10.231.248.177;Database=testdb;User ID=sa;Password=pa$$word;Trusted_Connection=False;"providerName="System.Data.SqlClient"/></connectionStrings>
<form id="form1" runat="server"><asp:Label ID="LU" runat="server" Text="User Name:"></asp:Label><asp:TextBox ID="TBU" runat="server"></asp:TextBox><br/><asp:Label ID="LP" runat="server" Text="Password:"></asp:Label><asp:TextBox ID="TBP" runat="server"></asp:TextBox><br/><asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" /><div>
protected void Login_Click(object sender, EventArgs e){using(SqlConnection con = new SqlConnection(WebConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString)){con.Open();SqlCommand cmd = new SqlCommand();cmd.CommandText = "SELECT Count(1) FROM [User] where UserName='" + TBU.Text.Trim() + "' and Password='" + TBP.Text.Trim() + "'";cmd.CommandType = CommandType.Text;cmd.Connection = con;int count =(int) cmd.ExecuteScalar();Response.Write(cmd.CommandText);if (count > 0){Response.Write("<script>alert('Login pass!');</script>");}else{Response.Write("<script>alert('Login fail!');</script>");}}}
SQL注入。用戶名輸入:test' or ''='
密碼輸入:' or ''='
或者
web注入攻擊。用戶名輸入:test
密碼輸入:' or ''='
如圖:
屬性注入。
aspnet教程、
其他ASP.net SQL注入的例子,如果有興趣可以參考下:
net,http://www.aspsnippets.com/Articles/SQL-Injection-Attack-its-examples-and-Prevention-mechanisms-and-Techniques-in-ASPNet.aspx
http://www.codeproject.com/Articles/459324/Understading-SQL-Injection-and-Creating-SQL-Inject
http://blogs.iis.net/nazim/sql-injection-demo
net教程?其他的SQL注入:http://www.unixwiz.net/techtips/sql-injection.html
版权声明:本站所有资料均为网友推荐收集整理而来,仅供学习和研究交流使用。
工作时间:8:00-18:00
客服电话
电子邮件
admin@qq.com
扫码二维码
获取最新动态