ASP原来登陆时候的那个安全漏洞?

是什么?
---------------------------------------------------------------

你是说登录时用户名和密码都写 '' or ''
---------------------------------------------------------------

admin'or'1'='1
---------------------------------------------------------------

where 字段'or'1'='1
---------------------------------------------------------------

这个主要是由于sql查询语句造成的:
select * from admin where username='"&username&"' and password='"&password&"'"
输入了
admin'or'1'='1
就变成了:
select * from admin where username='"&admin'or'1'=1&" and password='"&password&"'"
就获得了权限,呵呵!
---------------------------------------------------------------

把"'"替换成2个"'",即"''"

Published At
Categories with Web编程
comments powered by Disqus