Asp.net SQL注入實例分享

1.web.config里加鏈接字段：

<configuration><connectionStrings ><add name="myConnectionString"connectionString="Server=10.231.248.177;Database=testdb;User ID=sa;Password=pa$$word;Trusted_Connection=False;"providerName="System.Data.SqlClient"/></connectionStrings>

2.拖幾個控件在form里：

<form id="form1" runat="server"><asp:Label ID="LU" runat="server" Text="User Name:"></asp:Label><asp:TextBox ID="TBU" runat="server"></asp:TextBox><br/><asp:Label ID="LP" runat="server" Text="Password:"></asp:Label><asp:TextBox ID="TBP" runat="server"></asp:TextBox><br/><asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" /><div>

3.寫登錄事件：

protected void Login_Click(object sender, EventArgs e){using(SqlConnection con = new SqlConnection(WebConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString)){con.Open();SqlCommand cmd = new SqlCommand();cmd.CommandText = "SELECT Count(1) FROM [User] where UserName='" + TBU.Text.Trim() + "' and Password='" + TBP.Text.Trim() + "'";cmd.CommandType = CommandType.Text;cmd.Connection = con;int count =(int) cmd.ExecuteScalar();Response.Write(cmd.CommandText);if (count > 0){Response.Write("<script>alert('Login pass!');</script>");}else{Response.Write("<script>alert('Login fail!');</script>");}}}

4.構造SQL注入登錄：

SQL注入。用戶名輸入：test' or ''='

密碼輸入：' or ''='

或者

web注入攻擊。用戶名輸入：test

密碼輸入：' or ''='

如圖：

屬性注入。

aspnet教程、

其他ASP.net SQL注入的例子，如果有興趣可以參考下：

net，http://www.aspsnippets.com/Articles/SQL-Injection-Attack-its-examples-and-Prevention-mechanisms-and-Techniques-in-ASPNet.aspx

http://www.codeproject.com/Articles/459324/Understading-SQL-Injection-and-Creating-SQL-Inject

http://blogs.iis.net/nazim/sql-injection-demo

net教程？其他的SQL注入：http://www.unixwiz.net/techtips/sql-injection.html