Mysql vulnerability exploitation (excessive permissions, how to obtain the root password from low permissions) is well known, mysql users cannot read files through Load_file or write files through into dumpfile or into outfile without the File permission, but occasionally find a trick on a website, that is, you can use load data infile to read local files to the database. in this way, you can use this bug to read files on the server with low permissions. The code is as follows:
Load data local infile 'C:/boot. ini 'into table test fields terminated by ''; later I kept thinking about how to use this problem. A feasible approach is as follows:
We read the mysql database file. the user table of the mysql database stores the hash of all users. as long as we read the file, we almost read the root password.
Therefore, the local test is performed. Note that the currently connected user test has no File permission:
Run the following statement:
Load data local infile 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user. myd' into table test2 fields terminated '';
Then select * from test2;
We can find that everything has only one bad character. We use winhex to open the user. myd file.
OK. The problem is found. it is truncated by the 00 character. as a result, all the other things are not in the database. Next we will try to bypass this restriction.
After several attempts, you can add lines terminated by '/0' to the end, so that the truncation symbol is processed as a separator. the complete statement:
Load data local infile 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user2.MYD 'into TABLE test2 fields terminated by ''lines TERMINATED by'/0 ';
Effect:
OK, complete!