Shulou(Shulou.com)05/31 Report--

This article will explain in detail the example analysis of outfile, dumpfile and load_file functions in Mysql injection. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

In the later stage of exploiting the sql injection vulnerability, the most commonly used is to read sensitive files or write to webshell through mysql's file series functions, of which the following three functions are commonly used

Into dumpfile ()

Into outfile ()

Load_file ()

Our test data are as follows

Restrictions on function calls for reading and writing files

Because it involves writing files on the server, the successful execution of the above function is affected by the parameter secure_file_priv. The description in the official document is as follows

Just translate it.

When the parameter secure_file_priv is empty, there is no restriction on import and export

When the value is a specified directory, you can only import and export to the specified directory

Disable the import and export function when the value is set to NULL

This value can be queried with the command select @ @ secure_file_priv. Since this parameter cannot be changed dynamically, it can only be modified in the configuration file of mysql, and then the restart takes effect.

The difference between dumpfile and outfile

Export differences in database scenarios

Select... Into outfile

Let's first take a look at the explanation of these two functions in the official mysql documentation.

There are two noteworthy potholes.

The outfile function can export multiple rows, while dumpfile can export only one row of data

The outfile function has a special format conversion when writing data to a file, while dumpfile maintains the original data format

Next, let's take a look at the details through the export test.

First use outfile export with the command select * from test into outfile'/ tmp/test.txt'

You can see that all the data is saved in the file / tmp/test.txt file and wraps automatically at the end of a line of data

By looking at the official documentation, you can see that the format can be adjusted using the following parameters

FIELDS ESCAPED BY can be used to escape specified characters, FIELDS [OPTIONALLY] ENCLOSED BY is used to wrap field values, and FIELDS TERMINATED BY is used to split field values.

For example, use the following commands select * from test into outfile'/ tmp/test.txt FIELDS TERMINATED BY', 'OPTIONALLY ENCLOSED BY' "'LINES TERMINATED BY'\ n'

The resulting export file is as follows

Select... Into dumpfile

Then use the command select * from test into dumpfile'/ tmp/test.txt' to export using dumpfile

You can see that this command prompts you to output more than one line when it is executed

View the contents of the file

You can see that there is no wrapping between rows of data exported through dumpfile and only part of the data is exported

Write differences under webshell or udf

Select... Into outfile

Let's use the command select'a\ naa\ raaaa' into outfile'/ tmp/test.txt' to take a look at the results in the common write file scenarios

You can see that outfile escaped special characters such as\ nin the export content, and added a new line at the end of the file content.

Let's then use the command select'a\ naa\ raaaa' into dumpfile'/ tmp/test.txt' to take a look.

You can see that dumpfile intended to write the contents of the file without any transfer or addition. That's why we use dumpfile to write dll files in the usual UDF rights.

There is another point to pay attention to: the path after outfile cannot be followed by 0x or char conversion, it can only be a single quotation mark path. This problem is even more troublesome in php injection, because it automatically escapes single quotes to\', so it's basically GG, but load_file, the subsequent path can be single quotation marks, 0x, char converted characters, but the slash in the path is / instead of\.

This is the end of this article on "sample analysis of outfile, dumpfile, load_file functions in Mysql injection". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it out for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.