SQL injection file read / write

Today, let's continue to introduce the relevant knowledge of penetration testing , The main content of this paper is SQL Injected file read / write .

disclaimer ：
The content introduced in this article is only for learning and communication , It is strictly prohibited to use the technology in the text for illegal acts , Otherwise, you will bear all serious consequences ！
Again ： It is forbidden to perform penetration tests on unauthorized equipment ！

One 、SQL Inject file read / write functions

The reason why we can make use of SQL Inject vulnerabilities to read and write files , Because MySQL There are functions related to file reading and writing in the database .
load_file() Function can read files ,into outfile and into dumpfile You can write files , for example ：
perform SQL command ：

select load_file("D:\\123.txt")

Can read D:\123.txt Contents of the file .
And execute orders ：

select "test" into outfile "D:\\234.txt"

You can create D:\234.txt file （ The command requires that the file does not exist ）, And write test.
The execution results of relevant commands are as follows ：

Two 、SQL Injection file read / write secure_file_priv Parameters

Above SQL Execution of statements , Must depend on the database secure_file_priv Parameters , This parameter specifies the safe path for database import and export .
This parameter can have three types , If this parameter is a directory , The prerequisite for us to execute the above command is that the file is in the directory specified by this parameter ; If the parameter is NULL, Then none of the above commands can be executed ; If the parameter is empty , Then the above commands can be executed without restriction .
Be careful , The parameter is NULL And empty are two completely different concepts , When this parameter is empty, it is as follows ：

The parameter is NULL when , As shown below ：

About null and NULL The difference between , If there is any doubt , You can refer to ：MySQL Precautions for use （ One ）

3、 ... and 、SQL Injection file path acquisition

When we take advantage of SQL Injection to read the contents of the file , You need to know the path and file name of the target file , So how do we get the file path and file name , There are the following ways ：
1、 Display according to the web page error .
Sometimes , Website construction is not rigorous , We can make mistakes on purpose , Guide the website to display the relevant path .
2、 Site legacy files .
Inject pipinfo Such web site legacy files will expose the path information of the web site .
3、 Loopholes report errors .
There are some CMS Or other middleware , Because of its own loopholes , There is a vulnerability in this burst path .
4、 Platform profile .
When we run the website service , There will be a configuration file , If we can get the information of the configuration file , We can get the directory of the website .
5、 Blast .
In case of failure of the above methods , Only by brute force , To guess the website path .

Four 、SQL Magic boot switch for injecting file reading and writing

When we use SQL Injection for file reading and writing , Attention is also needed , At the PHP Whether... Is used in the setting magic_quotes_gpc Magic boot switch , This parameter is set to single quotation marks 、 Double quotes 、 Backslashes and empty characters are filtered .
such , When we use MySQL Read and write files , When you want to enter the destination site path , It will be limited . For that , We can use 16 Binary encoding to bypass .
Originality is not easy. , Reprint please explain the source ：https://blog.csdn.net/weixin_40228200