萝卜青菜

——追求技术，期待成功。有版权问题请见谅，找碴儿的人滚蛋。

用户操作

[留言] [发消息] [加为好友]

订阅我的博客

[编辑]luoboqingcai的公告

这些都是萝卜青菜在日常工作中所收集的东西，自己留用。真心感谢阿好，http://blog.csdn.net/HBZXF <table border="1" bordercolor="#000000" bgcolor="#6699ff" cellpadding="5" cellspacing="0"> <tr> <td> <script language=javascript> document.write ("<marquee scrollamount='1' scrolldelay='30' direction= 'UP' width='155' id='helpor_net' height='150' onmouseover='helpor_net.stop()' onmouseout='helpor_net.start()' Author:redriver; For more,visit:www.helpor.net>") document.write ("<h2><p align='center'><font color='#ffffff' face='黑体'>偶然</font></h2>") document.write ("<p align='right'><a href='#' target='_blank'><font color='#ffffff'>徐志摩</font></a> ") document.write ("<p><font color='#ffffff'> ") document.write ("<br>我是天空里的一片云，") document.write ("<br>偶尔投影在你的波心—— ") document.write ("<br>你不必讶异, ") document.write ("<br>更无须欢喜—— ") document.write ("<br>在转瞬间消灭了踪影。") document.write ("<br>") document.write ("<br>你我相逢在黑暗的海上，") document.write ("<br>你有你的，我有我的，方向；") document.write ("<br>你记得也好， ") document.write ("<br>最好你忘掉， ") document.write ("<br>在这交会时互放的光亮！ ") document.write ("</font>") document.write ("</marquee> ") </script> </td> </tr> </table> <DIV align=center> <OBJECT style="WIDTH: 84px; HEIGHT: 84px" codeBase=http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0 height=84 width=84 classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000><PARAM NAME="_cx" VALUE="2223"><PARAM NAME="_cy" VALUE="2223"><PARAM NAME="FlashVars" VALUE=""><PARAM NAME="Movie" VALUE="http://blogcup.com/cup/time.swf"><PARAM NAME="Src" VALUE="http://blogcup.com/cup/time.swf"><PARAM NAME="WMode" VALUE="Transparent"><PARAM NAME="Play" VALUE="0"><PARAM NAME="Loop" VALUE="-1"><PARAM NAME="Quality" VALUE="High"><PARAM NAME="SAlign" VALUE=""><PARAM NAME="Menu" VALUE="-1"><PARAM NAME="Base" VALUE=""><PARAM NAME="AllowScriptAccess" VALUE="always"><PARAM NAME="Scale" VALUE="ShowAll"><PARAM NAME="DeviceFont" VALUE="0"><PARAM NAME="EmbedMovie" VALUE="0"><PARAM NAME="BGColor" VALUE=""><PARAM NAME="SWRemote" VALUE=""><PARAM NAME="MovieData" VALUE=""><PARAM NAME="SeamlessTabbing" VALUE="1"> <embed src="http://blogcup.com/cup/time.swf" wmode="transparent" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="32" height="32"></embed> </OBJECT></DIV> <br> <IFRAME border=0 align=center marginWidth=0 marginHeight=0 src='http://appnews.qq.com/cgi-bin/news_qq_search?city=' frameBorder=0 width=157 scrolling=no height=240 allowTransparency></IFRAME> <br> <Script LANGUAGE="JavaScript"> var months = new Array("一", "二", "三","四", "五", "六", "七", "八", "九","十", "十一", "十二"); var daysInMonth = new Array(31, 28, 31, 30, 31, 30, 31, 31,30, 31, 30, 31); var days = new Array("日","一", "二", "三","四", "五", "六"); var classTemp; var today=new getToday(); var year=today.year; var month=today.month; var newCal; function getDays(month, year) { if (1 == month) return ((0 == year % 4) && (0 != (year % 100))) ||(0 == year % 400) ? 29 : 28; else return daysInMonth[month]; } function getToday() { this.now = new Date(); this.year = this.now.getFullYear(); this.month = this.now.getMonth(); this.day = this.now.getDate(); } function Calendar() { newCal = new Date(year,month,1); today = new getToday(); var day = -1; var startDay = newCal.getDay(); var endDay=getDays(newCal.getMonth(), newCal.getFullYear()); var daily = 0; if ((today.year == newCal.getFullYear()) &&(today.month == newCal.getMonth())) { day = today.day; } var caltable = document.all.caltable.tBodies.calendar; var intDaysInMonth =getDays(newCal.getMonth(), newCal.getFullYear()); for (var intWeek = 0; intWeek < caltable.rows.length;intWeek++) for (var intDay = 0;intDay < caltable.rows[intWeek].cells.length;intDay++) { var cell = caltable.rows[intWeek].cells[intDay]; var montemp=(newCal.getMonth()+1)<10?("0"+(newCal.getMonth()+1)):(newCal.getMonth()+1); if ((intDay == startDay) && (0 == daily)){ daily = 1;} var daytemp=daily<10?("0"+daily):(daily); var d="<"+newCal.getFullYear()+"-"+montemp+"-"+daytemp+">"; if(day==daily) cell.className="DayNow"; else if(intDay==6) cell.className = "DaySat"; else if (intDay==0) cell.className ="DaySun"; else cell.className="Day"; if ((daily > 0) && (daily <= intDaysInMonth)) { cell.innerText = daily; daily++; } else { cell.className="CalendarTD"; cell.innerText = ""; } } document.all.year.value=year; document.all.month.value=month+1; } function subMonth() { if ((month-1)<0) { month=11; year=year-1; } else { month=month-1; } Calendar(); } function addMonth() { if((month+1)>11) { month=0; year=year+1; } else { month=month+1; } Calendar(); } function setDate() { if (document.all.month.value<1||document.all.month.value>12) { alert("月的有效范围在1-12之间!"); return; } year=Math.ceil(document.all.year.value); month=Math.ceil(document.all.month.value-1); Calendar(); } </Script> <Script> function buttonOver() { var obj = window.event.srcElement; obj.runtimeStyle.cssText = "background-color:#FFFFFF"; // obj.className="Hover"; } function buttonOut() { var obj = window.event.srcElement; window.setTimeout(function(){obj.runtimeStyle.cssText = "";},300); } </Script> <Style> Input {font-family: verdana;font-size: 9pt;text-decoration: none;background-color: #FFFFFF;height: 20px;border: 1px solid #666666;color:#000000;} .Calendar {font-family: verdana;text-decoration: none;width: 170;background-color: #C0D0E8;font-size: 9pt;border:0px dotted #1C6FA5;} .CalendarTD {font-family: verdana;font-size: 7pt;color: #000000;background-color:#f6f6f6;height: 20px;width:11%;text-align: center;} .Title {font-family: verdana;font-size: 11pt;font-weight: normal;height: 24px;text-align: center;color: #333333;text-decoration: none;background-color: #A4B9D7;border-top-width: 1px;border-right-width: 1px;border-bottom-width: 1px;border-left-width: 1px;border-bottom-style:1px;border-top-color: #999999;border-right-color: #999999;border-bottom-color: #999999;border-left-color: #999999;} .Day {font-family: verdana;font-size: 7pt;color:#243F65;background-color: #E5E9F2;height: 20px;width:11%;text-align: center;} .DaySat {font-family: verdana;font-size: 7pt;color:#FF0000;text-decoration: none;background-color:#E5E9F2;text-align: center;height: 18px;width: 12%;} .DaySun {font-family: verdana;font-size: 7pt;color: #FF0000;text-decoration: none;background-color:#E5E9F2;text-align: center;height: 18px;width: 12%;} .DayNow {font-family: verdana;font-size: 7pt;font-weight: bold;color: #000000;background-color: #FFFFFF;height: 20px;text-align: center;} .DayTitle {font-family: verdana;font-size: 9pt;color: #000000;background-color: #C0D0E8;height: 20px;width:11%;text-align: center;} .DaySatTitle {font-family: verdana;font-size: 9pt;color:#FF0000;text-decoration: none;background-color:#C0D0E8;text-align: center;height: 20px;width: 12%;} .DaySunTitle {font-family: verdana;font-size: 9pt;color: #FF0000;text-decoration: none;background-color: #C0D0E8;text-align: center;height: 20px;width: 12%;} .DayButton {font-family: Webdings;font-size: 9pt;font-weight: bold;color: #243F65;cursor:hand;text-decoration: none;} </Style> <table border="0" cellpadding="0" cellspacing="1" class="Calendar" id="caltable"> <thead> <tr align="center" valign="middle"> <td colspan="7" class="Title"> <a href="javaScript:subMonth();" title="上一月" Class="DayButton">3</a> <input name="year" type="text" size="4" maxlength="4" onkeydown="if (event.keyCode==13){setDate()}" onkeyup="this.value=this.value.replace(/[^0-9]/g,'')" onpaste="this.value=this.value.replace(/[^0-9]/g,'')"> 年 <input name="month" type="text" size="1" maxlength="2" onkeydown="if (event.keyCode==13){setDate()}" onkeyup="this.value=this.value.replace(/[^0-9]/g,'')" onpaste="this.value=this.value.replace(/[^0-9]/g,'')"> 月 <a href="JavaScript:addMonth();" title="下一月" Class="DayButton">4</a> </td> </tr> <tr align="center" valign="middle"> <Script LANGUAGE="JavaScript"> document.write("<TD class=DaySunTitle id=diary >" + days[0] + "</TD>"); for (var intLoop = 1; intLoop < days.length-1;intLoop++) document.write("<TD class=DayTitle id=diary>" + days[intLoop] + "</TD>"); document.write("<TD class=DaySatTitle id=diary>" + days[intLoop] + "</TD>"); </Script> </TR> </thead> <TBODY border=1 cellspacing="0" cellpadding="0" ID="calendar" ALIGN=CENTER ONCLICK="getDiary()"> <Script LANGUAGE="JavaScript"> for (var intWeeks = 0; intWeeks < 6; intWeeks++) { document.write("<TR style='cursor:hand'>"); for (var intDays = 0; intDays < days.length;intDays++) document.write("<TD class=CalendarTD onMouseover='buttonOver();' onMouseOut='buttonOut();'></TD>"); document.write("</TR>"); } </Script> </TBODY> </TABLE> <Script LANGUAGE="JavaScript"> Calendar(); </Script> </script> <SCRIPT language?javascript?> var currentpos,timer; function initialize() { timer=setInterval("scrollwindow()",10); } function sc(){ clearInterval(timer); } function scrollwindow() { currentpos=document.body.scrollTop; window.scroll(0,++currentpos); if (currentpos != document.body.scrollTop) sc(); } document.onmousedown=sc document.ondblclick=initialize </SCRIPT> <script language="JavaScript">  </script> <OBJECT class=OBJECT id=MediaPlayer height=50 width=170 align=middle classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95><PARAM NAME="AudioStream" VALUE="-1"><PARAM NAME="AutoSize" VALUE="0"><PARAM NAME="AutoStart" VALUE="-1"><PARAM NAME="AnimationAtStart" VALUE="-1"><PARAM NAME="AllowScan" VALUE="-1"><PARAM NAME="AllowChangeDisplaySize" VALUE="-1"><PARAM NAME="AutoRewind" VALUE="-1"><PARAM NAME="Balance" VALUE="0"><PARAM NAME="BaseURL" VALUE=""><PARAM NAME="BufferingTime" VALUE="5"><PARAM NAME="CaptioningID" VALUE=""><PARAM NAME="ClickToPlay" VALUE="-1"><PARAM NAME="CursorType" VALUE="0"><PARAM NAME="CurrentPosition" VALUE="-1"><PARAM NAME="CurrentMarker" VALUE="0"><PARAM NAME="DefaultFrame" VALUE=""><PARAM NAME="DisplayBackColor" VALUE="0"><PARAM NAME="DisplayForeColor" VALUE="16777215"><PARAM NAME="DisplayMode" VALUE="0"><PARAM NAME="DisplaySize" VALUE="4"><PARAM NAME="Enabled" VALUE="-1"><PARAM NAME="EnableContextMenu" VALUE="-1"><PARAM NAME="EnablePositionControls" VALUE="-1"><PARAM NAME="EnableFullScreenControls" VALUE="0"><PARAM NAME="EnableTracker" VALUE="-1"><PARAM NAME="Filename" VALUE="http://www.zw88.com/music/download/dl1/wxl07.mp3"><PARAM NAME="InvokeURLs" VALUE="-1"><PARAM NAME="Language" VALUE="-1"><PARAM NAME="Mute" VALUE="0"><PARAM NAME="PlayCount" VALUE="999"><PARAM NAME="PreviewMode" VALUE="0"><PARAM NAME="Rate" VALUE="1"><PARAM NAME="SAMILang" VALUE=""><PARAM NAME="SAMIStyle" VALUE=""><PARAM NAME="SAMIFileName" VALUE=""><PARAM NAME="SelectionStart" VALUE="-1"><PARAM NAME="SelectionEnd" VALUE="-1"><PARAM NAME="SendOpenStateChangeEvents" VALUE="-1"><PARAM NAME="SendWarningEvents" VALUE="-1"><PARAM NAME="SendErrorEvents" VALUE="-1"><PARAM NAME="SendKeyboardEvents" VALUE="0"><PARAM NAME="SendMouseClickEvents" VALUE="0"><PARAM NAME="SendMouseMoveEvents" VALUE="0"><PARAM NAME="SendPlayStateChangeEvents" VALUE="-1"><PARAM NAME="ShowCaptioning" VALUE="0"><PARAM NAME="ShowControls" VALUE="-1"><PARAM NAME="ShowAudioControls" VALUE="-1"><PARAM NAME="ShowDisplay" VALUE="0"><PARAM NAME="ShowGotoBar" VALUE="0"><PARAM NAME="ShowPositionControls" VALUE="-1"><PARAM NAME="ShowStatusBar" VALUE="-1"><PARAM NAME="ShowTracker" VALUE="-1"><PARAM NAME="TransparentAtStart" VALUE="0"><PARAM NAME="VideoBorderWidth" VALUE="0"><PARAM NAME="VideoBorderColor" VALUE="0"><PARAM NAME="VideoBorder3D" VALUE="0"><PARAM NAME="Volume" VALUE="-600"><PARAM NAME="WindowlessVideo" VALUE="0"> <embed type=application/x-oleobject codebase=http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701 flename=mp src='http://www.zw88.com/music/download/dl1/wxl07.mp3' width=150 height=50></embed></OBJECT> <center><EMBED style="LEFT: 10px; POSITION: absolute; TOP: -70px" align=right src=http://blowsuai.home.sunbo.net/xfile.php?xname=4IHM901&fname=9.swf width=800 height=500 type=application/x-shockwave-flash wmode="transparent" quality="high" ;></center>

[编辑]文章分类

[编辑]blogs

存档

Access的跨库查询收藏

大家还记得mssql的跨库查询吧，其实在access中也可以实现2个数据之间的交叉查询。下面我就给大家介绍下access的跨库查询。

　　首先让我们看看在access里是怎样实现对mdb文件进行查询的，我们随便创建个空数据库，对数据库D:\daos\db\daidalos.mdb里的admin表的内容进行查询，SQL语句为：

SELECT * from admin in "D:\daos\db\daidalos.mdb"

点击查看原尺寸图片

　　查询后，成功返回目标数据库里表admin表里的内容：

点击查看原尺寸图片

　　在实际的asp注射中，要同时进行2个select，如果大家熟悉php+mysql注射的话，应该很容易想到使用union进行联合查询，在access里我们照样可以使用，使用union查询还有一个好处就是不要去对数据进行一个一个字符的去猜，而可以象mysql+php注射一样直接暴出字段里的数据（具体的mix已经写了一篇详细的文章）。从上面可以看出来要实现跨库查询必修要下面2个条件：

使用union查询必须知道前一个select里表的字段数
必须知道目标数据库的所在位置，绝对路径。

　　条件1我们可以根据提示错误信息来手工猜解，也可以通过程序自动实现。

　　条件2 这个是个难点，不过我们可以通过利用“access暴库”来实现，有人会说既然可以知道数据位置，那不直接下载得拉，其实不然，现在的数据库一般防止下载，有的根本不web目录下。

　　在黑防第四轮实验室的第一关，就是设置的2个asp+access的下载系统，一个是雨点下载系统，一个是盗帅下载系统。经过测试盗帅下载系统可以暴出数据库但是不让下载，似乎也没什么地方可以注射，而雨点下载系统就是漏洞百出了，数据库可以暴且可以直接下载，还可以注射。不过雨点的后台很简单，没什么可以利用的地方，我们的目标就放在得到盗帅后台密码上了，下面我就给大家演示下，通过雨点系统的注射点对盗帅系统的跨库查询而得到盗帅的后台密码：

　　我们得知雨点系统的list.asp可以注射，我们先去要得到union里的数据表字段数，提交：

http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201%20from%20userinfo

Microsoft JET Database Engine 错误 '80040e14'

在联合查询中所选定的两个数据表或查询中的列数不匹配。

/yddown/list.asp，行51

　　字段不对，我写了个perl脚本自动猜，（代码见后）

　　当我们提交：

http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201,2,3%20from%20userinfo

　　无错误返回：

点击查看原尺寸图片