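/// <summary>
/// First-request handler for the teacher detail page: validates the "id" query-string
/// value, runs a parameterized lookup against the teachers table and binds the result
/// to the page's labels (the label assignments were elided by the poster).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }

    // int.TryParse rather than Convert.ToInt32: the query string is attacker-controlled, and
    // a non-numeric "id" must not surface as an unhandled FormatException error page
    // (Convert.ToInt32(null) would also silently turn a missing id into 0).
    int SSN;
    if (!int.TryParse(Request.QueryString["id"], out SSN))
    {
        return;
    }

    // The id is bound as a typed SqlParameter, never concatenated into the statement text,
    // so the value cannot change the shape of the query.
    SqlCommand cmd = new SqlCommand("SELECT * FROM teachers WHERE id = @uid");
    SqlParameter param = new SqlParameter("uid", SqlDbType.Int);
    param.Value = SSN;
    cmd.Parameters.Add(param);

    // getDT executes the command itself; the SqlDataAdapter the original built here was never
    // used, and the DataTable it allocated was immediately overwritten.
    DataBase db = new DataBase();
    DataTable dt = db.getDT(cmd);
    if (dt == null || dt.Rows.Count == 0)
    {
        // getDT (as shown later in this thread) returns null on failure, and an id with no
        // matching teacher yields an empty table; there is no dt.Rows[0] to bind in either case.
        return;
    }

    // ... 各种 label: label assignments elided by the poster ...
}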
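{
    // NOTE(review): the Page_Load signature was dropped from this paste; the body is the
    // same first-request handler as the listing directly above it.
    if (IsPostBack)
    {
        return;
    }

    // Parse instead of Convert: the query string is attacker-controlled, and a non-numeric
    // "id" must not surface as an unhandled FormatException error page.
    int SSN;
    if (!int.TryParse(Request.QueryString["id"], out SSN))
    {
        return;
    }

    // Typed parameter binding — the value is never part of the SQL text.
    SqlCommand cmd = new SqlCommand("SELECT * FROM teachers WHERE id = @uid");
    SqlParameter param = new SqlParameter("uid", SqlDbType.Int);
    param.Value = SSN;
    cmd.Parameters.Add(param);

    // The SqlDataAdapter the original created was never used; getDT runs the command itself.
    DataBase db = new DataBase();
    DataTable dt = db.getDT(cmd);
    if (dt == null || dt.Rows.Count == 0)
    {
        // Null on failure / empty table on no match: nothing to bind, so never index Rows[0].
        return;
    }

    // ... 各种 label: label assignments elided by the poster ...
}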
给楼主提2点意见:
1. SQL 尽量在底层 DAL 层去处理,而不是写在 UI 后端
2. SQL 不要用拼接,全部用参数化,防止注入;能用存储过程处理的尽量避免拼 SQL,方便维护。
希望采纳!
另外不知道你的GetDT是干嘛的,看你已经SqlDataAdpater了
那么直接sda.Fill(dt);就可以了
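{
    // NOTE(review): the method signature was not included in the paste. Callers in this thread
    // use it as db.getDT(cmd) and expect a DataTable, or null when the query fails.
    Open();
    DataSet ds = new DataSet();
    SqlDataAdapter da = new SqlDataAdapter();
    try
    {
        cmd.Connection = conn;
        da.SelectCommand = cmd;
        da.Fill(ds, "dt");
        return ds.Tables["dt"];
    }
    catch (Exception)
    {
        // Contract kept from the original: a failed query yields null instead of propagating.
        // Nothing is logged here because the original had no logging facility in scope;
        // callers must therefore treat a null result as "query failed", not "no rows".
        return null;
    }
    finally
    {
        // In the original, Close() sat after `return null` in the catch block and so never
        // ran on the error path, leaking the open connection. finally runs on both paths.
        Close();
    }
}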
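/// <summary>
/// First-request handler for the teacher detail page: validates the "id" query-string
/// value, loads the matching row from the teachers table with a parameterized query and
/// binds its columns to the page's labels, image and title.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }

    // int.TryParse rather than Convert.ToInt32: the query string is attacker-controlled, and
    // a non-numeric or missing "id" must not surface as an unhandled FormatException page
    // (Convert.ToInt32(null) would also silently turn a missing id into 0).
    int SSN;
    if (!int.TryParse(Request.QueryString["id"], out SSN))
    {
        return;
    }

    // Upper bound kept from the original code; presumably the valid teacher-id range — confirm.
    if (SSN >= 50)
    {
        return;
    }

    // The id is bound as a typed SqlParameter, never concatenated into the statement text,
    // so the value cannot change the shape of the query.
    SqlCommand cmd = new SqlCommand("SELECT * FROM teachers WHERE id = @uid");
    SqlParameter param = new SqlParameter("uid", SqlDbType.Int);
    param.Value = SSN;
    cmd.Parameters.Add(param);

    DataBase db = new DataBase();
    DataTable dt = db.getDT(cmd);
    // getDT (as shown elsewhere in this thread) returns null on failure, and an id with no
    // matching teacher yields an empty table; the original indexed dt.Rows[0] unconditionally.
    if (dt == null || dt.Rows.Count == 0)
    {
        return;
    }

    DataRow row = dt.Rows[0];
    // NOTE(review): Label.Text is rendered without HTML encoding. If these columns can be
    // written by anyone other than a trusted administrator, encode before binding — confirm.
    Label1.Text = row["tname"].ToString().Trim();
    Label2.Text = row["zhich"].ToString().Trim();
    Label3.Text = row["classes"].ToString().Trim();
    Label4.Text = " " + row["huojiang"].ToString().Trim();
    Label5.Text = row["contents"].ToString().Trim();
    // The image URL is built from a stored file name; it is not validated here — confirm the
    // upload path only ever holds plain file names.
    Image1.ImageUrl = "admin/upload/" + row["pic"].ToString().Trim();
    this.Title = Label2.Text.Trim() + "--" + Label1.Text.Trim() + "详细内容";
    Label6.Text = "教师:" + Label1.Text.Trim() + "信息";
}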
你来看下呢,我感觉他这个例子已经没sql注入了
命令行输入:python sqlmap.py --wizard
输入链接地址;
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1sqlmap is running, please wait..
然后就是主楼黑屏的内容,崩溃。
命令行输入:python sqlmap.py --wizard
输入链接地址;
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1sqlmap is running, please wait..
然后就是主楼黑屏的内容,崩溃。
粗看上面的代码,你说的是 这条语句:SELECT * FROM teachers WHERE id = @uid会被sql注入吗?
命令行输入:python sqlmap.py --wizard
输入链接地址;
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1sqlmap is running, please wait..
然后就是主楼黑屏的内容,崩溃。
粗看上面的代码,你说的是 这条语句:SELECT * FROM teachers WHERE id = @uid会被sql注入吗?应该是,这还是我修改过的,最开始的代码是:
protected void Page_Load(object sender, EventArgs e)
{
// Original (pre-fix) handler, quoted for discussion: the "id" query-string value is concatenated
// straight into the SQL text, which is the injection the rest of the thread is about.
if (!IsPostBack)
{
SqlCommand cmd = new SqlCommand();
DataBase db = new DataBase();
string cmdstr = "";
if (Request.QueryString["id"] != null)
{
// VULNERABLE: untrusted input becomes part of the statement text; Trim() does nothing to
// prevent that. The fix is to bind the value as a typed SqlParameter, as the corrected
// revision in this thread does.
cmdstr = "select * from teachers where id=" + Request .QueryString ["id"].Trim ();
cmd.CommandText = cmdstr;
DataTable dt= new DataTable ();
// getDT may return null, and dt.Rows[0] throws when no row matches; neither case is checked,
// so a bad id produces an unhandled-exception page.
dt= db.getDT(cmd);
Label1 .Text =dt.Rows[0]["tname"].ToString ().Trim ();
Label2 .Text =dt.Rows[0]["zhich"].ToString ().Trim ();
Label3 .Text =dt.Rows[0]["classes"].ToString ().Trim ();
Label4 .Text =" "+dt.Rows[0]["huojiang"].ToString ().Trim ();
Label5 .Text =dt.Rows[0]["contents"].ToString ().Trim ();
// Image path is built from the stored file name without validation.
Image1 .ImageUrl ="admin/upload/"+dt.Rows[0]["pic"].ToString ().Trim ();
this.Title = Label2.Text.Trim() + "--" + Label1.Text.Trim() + "详细内容";
Label6 .Text ="教师:"+Label1.Text.Trim()+"信息";
}
}
}
cmdstr = "select * from teachers where id=" + Request .QueryString ["id"].Trim ();
这句100%会被注入
SELECT * FROM teachers WHERE id = @uid
这句不可能被注入
你拿一个改过之后不可能被注入的代码来问为啥上一句被注入的代码问题……
aspx生成后是dll,你要替换dll,不是替换aspx
你替换aspx.cs文件,测试时检查的还是原来的代码……
你把你改后的代码生成下,然后将bin目录下的dll复制到服务器同名的bin目录下,话说不能sqlmap不能测试本机么?你本机VS调试下,然后你的sqlmap直接测你本地不行吗?
抱歉实在初学不太懂,但是上一个管理员交给我以后好像说没编译就是源文件,刚刚看了服务器上都是asp文件,没有dll
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.5000.00 (X64)
Dec 10 2010 10:38:40
Copyright (c) 1988-2005 Microsoft Corporation
Developer Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1
)
---
current user: 'xxxxx'
current database: 'xxxxxxxx'
current user is DBA: True
另外,我的参数化代码不知道写得对不对
sqlmap is running, please wait..[21:12:18] [ERROR] possible integer casting detected (e.g. "$id=intval($_REQUEST['id'])") at the back-end web application
do you want to skip those kind of cases (and save scanning time)? [y/N] N
[21:12:24] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
另外这个网站没有发布,直接在服务器上放的源代码。替换源代码之后网站测试还是有注入。
另外,我的参数化代码不知道写得对不对
抱歉,没注意看清楚,那你这个是ASP程序?注入的 是查询代码吗?
我把服务器上该页面的内容都删了,只留了一个空文件detail.aspx.cs,结果测试sql注入依然能显示我的数据库名称和管理员名字等,我真是震惊了
另外,我的参数化代码不知道写得对不对
抱歉,没注意看清楚,那你这个是ASP程序?注入的 是查询代码吗?
asp的网站,没有发布直接用的源代码;诸如测试链接.......detail.aspx?id=10
不知真假。
只是听说未曾见过。
我把服务器上该页面的内容都删了,只留了一个空文件detail.aspx.cs,结果测试sql注入依然能显示我的数据库名称和管理员名字等,我真是震惊了
在执行语句的地方,把语句打出来,被只测试,看到打出来执行的语句是什么?不可能是参数化的语句
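/// <summary>
/// First-request handler for the teacher detail page: validates the "id" query-string
/// value, loads the matching teachers row with a parameterized query and binds its
/// columns to the page's labels, image and title.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }

    // Parse instead of Convert: the query string is attacker-controlled, and a non-numeric or
    // missing "id" must not surface as an unhandled FormatException page.
    int SSN;
    if (!int.TryParse(Request.QueryString["id"], out SSN))
    {
        return;
    }

    // Same upper bound as the original `if (SSN < 50)`; presumably the teacher-id range — confirm.
    if (SSN >= 50)
    {
        return;
    }

    // Typed parameter binding: the value never becomes part of the SQL text.
    SqlCommand cmd = new SqlCommand("SELECT * FROM teachers WHERE id = @uid");
    SqlParameter param = new SqlParameter("uid", SqlDbType.Int);
    param.Value = SSN;
    cmd.Parameters.Add(param);

    DataBase db = new DataBase();
    DataTable dt = db.getDT(cmd);
    // getDT (as shown elsewhere in this thread) returns null on failure, and an unknown id gives
    // an empty table; the original indexed dt.Rows[0] without checking either.
    if (dt == null || dt.Rows.Count == 0)
    {
        return;
    }

    DataRow row = dt.Rows[0];
    // NOTE(review): Label.Text is rendered without HTML encoding; if these columns can be
    // written by anyone other than a trusted administrator, encode before binding — confirm.
    Label1.Text = row["tname"].ToString().Trim();
    Label2.Text = row["zhich"].ToString().Trim();
    Label3.Text = row["classes"].ToString().Trim();
    Label4.Text = " " + row["huojiang"].ToString().Trim();
    Label5.Text = row["contents"].ToString().Trim();
    // Image URL is built from a stored file name that is not validated here.
    Image1.ImageUrl = "admin/upload/" + row["pic"].ToString().Trim();
    this.Title = Label2.Text.Trim() + "--" + Label1.Text.Trim() + "详细内容";
    Label6.Text = "教师:" + Label1.Text.Trim() + "信息";
}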
我把服务器上该页面的内容都删了,只留了一个空文件detail.aspx.cs,结果测试sql注入依然能显示我的数据库名称和管理员名字等,我真是震惊了
在执行语句的地方,把语句打出来,被只测试,看到打出来执行的语句是什么?不可能是参数化的语句
不好意思,不太懂,实在sqlmap里面操作吗/?不太懂?
无论什么东西,拼接前,替换掉单引号。Replace("'","''")
这是我改过的代码,您看一下写的对吗?
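/// <summary>
/// First-request handler for the teacher detail page: validates the "id" query-string
/// value, runs a parameterized lookup against the teachers table and binds the resulting
/// row to the page's labels, image and title.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }

    // int.TryParse rather than Convert.ToInt32: the query string is attacker-controlled, and
    // a non-numeric or missing "id" must not surface as an unhandled FormatException page.
    int SSN;
    if (!int.TryParse(Request.QueryString["id"], out SSN))
    {
        return;
    }

    // Upper bound carried over from the original `if (SSN < 50)` — presumably the id range; confirm.
    if (SSN >= 50)
    {
        return;
    }

    // The id is bound as a typed SqlParameter and is never concatenated into the SQL text.
    SqlCommand cmd = new SqlCommand("SELECT * FROM teachers WHERE id = @uid");
    SqlParameter param = new SqlParameter("uid", SqlDbType.Int);
    param.Value = SSN;
    cmd.Parameters.Add(param);

    DataBase db = new DataBase();
    DataTable dt = db.getDT(cmd);
    // getDT (as shown elsewhere in this thread) returns null on failure, and an unknown id
    // yields an empty table; indexing dt.Rows[0] in either case throws.
    if (dt == null || dt.Rows.Count == 0)
    {
        return;
    }

    DataRow row = dt.Rows[0];
    // NOTE(review): Label.Text is rendered without HTML encoding; if these columns can be
    // written by anyone other than a trusted administrator, encode before binding — confirm.
    Label1.Text = row["tname"].ToString().Trim();
    Label2.Text = row["zhich"].ToString().Trim();
    Label3.Text = row["classes"].ToString().Trim();
    Label4.Text = " " + row["huojiang"].ToString().Trim();
    Label5.Text = row["contents"].ToString().Trim();
    // Image URL is built from a stored file name that is not validated here.
    Image1.ImageUrl = "admin/upload/" + row["pic"].ToString().Trim();
    this.Title = Label2.Text.Trim() + "--" + Label1.Text.Trim() + "详细内容";
    Label6.Text = "教师:" + Label1.Text.Trim() + "信息";
}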
[17:19:43] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)