Inject from MySQL to Getshell

SQL injection is a technique for attacking by manipulating input (which can be a form, a GET request, a POST request, and so on) and allowing the statement to execute in the database. The main reason is that there is no strict checking and filtering of the legality of user input data or the mutable parameters that are submitted by the client, resulting in the vulnerability of the application. This article is mainly about through a MySQL injection vulnerability, through the Os-shell to execute the echo command to get Webshell attack process, Daniel Bypass, write this article mainly praised himself began to have their own ideas, perhaps the idea is someone else already know!

Originally through the management of the weak password into the system, found the upload point, but all kinds of bypass can not be successfully uploaded Trojan, had to think of SQL injection to write a word to the file, it seems to be worthy of a rookie, but also need you pass the great god many advice!

0 x00 System basic Information Acquisition

When I opened the site of this test, I used Firefox's server-spy to get the basic information, the site used the environment is Nginx 1.4.4, script type is shown in PHP 5.3.29,1. Server-spy For more information, please follow the official website: https://github.com/100apps/ServerSpy.

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M01/A2/83/wKioL1mhJwmBlOnTAAAoEAbq0b8072.png-wh_500x0-wm_ 3-wmp_4-s_511429199.png "title=" Image001.png "width=" "height=" 231 "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width : 300px;height:231px; "alt=" Wkiol1mhjwmblontaaaoeabq0b8072.png-wh_50 "/>

Figure 1 Getting basic information about the site using Server-spy

0 x01 getting the operating system type

By changing the case in the directory and the name of the website program, as well as pinging the website domain name to get the TTL value, the system is initially judged to be UNIX (Linux), as shown in 2.

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M00/A2/83/wKioL1mhJ0HwyjLJAAA1xe96wXw598.jpg-wh_500x0-wm_ 3-wmp_4-s_2821449154.jpg "title=" image002.jpg "alt=" Wkiol1mhj0hwyjljaaa1xe96wxw598.jpg-wh_50 "/>

Figure 2 Getting the operating system type

Knowledge Points:

(1) The TTL is the abbreviation for time to live, which specifies the maximum number of network segments that an IP packet is allowed to pass before it is discarded by the router.

(2) TTL is a 8 bit field in the IPV4 header. Registry location for TTL value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters There is a DWORD value of DefaultTTL, Its data is the default TTL value, we can modify, but not greater than the decimal 255,windows system settings after the restart to take effect.

(3) The TTL is set by the sending host to prevent the packet from continually looping on the IP internetwork forever. When forwarding IP packets, the router is required to reduce the TTL by at least 1, the ICMP message type involved in using Ping, one for the ICMP echo request, and one for the ICMP echo response (ICMP echoes Reply), and the TTL field value can help We identify the operating system type.

(4) Unix and Unix-like operating systems the TTL field value for ICMP echo response is 255,windows2003server, and the default value for Windows 2008Server is 64.

The TTL field value of the Compaq Tru64 5.0ICMP echo Response is 64

The TTL field value of the Microsoft Windows nt/2k operating system ICMP echo answer is 128

The TTL field value for the Microsoft Windows 95 operating system ICMP echo answer is 32

But in some cases it is special:

The TTL field value of the LINUX Kernel 2.2.x& 2.4.x ICMP echo Answer is 64

FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8;openbsd 2.6, 2.7,NETBSD,

HP UX 10.20,icmp echo response with a TTL field value of 255

The TTL field value for Windows 95/98/98se/windowsme,icmp Echo reply is 32

The TTL field value for the Windows NT4 wrks,windowsnt4 server,windows 2000,icmp Echo reply is 128.

0 x02 getting injection points

Because the site is a company's official website, so the use of simple scanning tools under the situation, the use of the scanning tool is Safe3wvs, the scan found that there is SQL injection, there is XSS, there is background management, 3, as this is mainly to tell the MySQL injection, so the other skipped!

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M00/A2/83/wKioL1mhJ1Oxl0x5AABrk20ZXyg054.jpg-wh_500x0-wm_ 3-wmp_4-s_1971669282.jpg "title=" image003.jpg "alt=" Wkiol1mhj1oxl0x5aabrk20zxyg054.jpg-wh_50 "/>

Figure 3 Discovering the SQL injection point

0x03 Sqlmap to verify

By scanning with the Sqlmap injection tool, you know that the SQL injection vulnerability is present, 4, and that the database is MySQL > 5.0.11.

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M01/03/D3/wKiom1mhJ2zwvoNCAAAMyKwRcdk562.png-wh_500x0-wm_ 3-wmp_4-s_104401348.png "title=" Image004.png "alt=" Wkiom1mhj2zwvoncaaamykwrcdk562.png-wh_50 "/>

Figure 4sqlmap Getting database information

0 X04–os-shell system command Execution

Originally just try, did not think really can execute-os-shell,5, personality outbreak, operating system is 64 bit, because 32 bit can not execute command!

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M01/A2/83/wKioL1mhJ2jyrPomAABG6EJ8Suw277.jpg-wh_500x0-wm_ 3-wmp_4-s_4041745698.jpg "title=" image005.jpg "alt=" Wkiol1mhj2jyrpomaabg6ej8suw277.jpg-wh_50 "/>

Figure 5 Getting the operating system architecture

0 x05 Get related information

By executing the Whomai command, it is known that the current user is mysql,6, as shown by Ifconfig, the address is the intranet address, 7.

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M02/03/D3/wKiom1mhJ3-gmPd6AAAWC-VrzC4402.png-wh_500x0-wm_ 3-wmp_4-s_607095791.png "title=" Image006.png "alt=" Wkiom1mhj3-gmpd6aaawc-vrzc4402.png-wh_50 "/>

Figure 6 Getting relevant information

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M02/03/D3/wKiom1mhJ4nzqFDQAABk8hGW5DM147.jpg-wh_500x0-wm_ 3-wmp_4-s_1090538371.jpg "title=" image007.jpg "alt=" Wkiom1mhj4nzqfdqaabk8hgw5dm147.jpg-wh_50 "/>

Figure 7 Getting the native IP address

Knowledge Points:

Private address is a non-registered address, specifically for the internal use of the Organization, commonly known as the intranet address.

The following lists the retained internal private addresses

Class A 10.0.0.0--10.255.255.255

Class B 172.16.0.0--172.31.255.255

Class C 192.168.0.0--192.168.255.255

0 x06 Find a writable directory

First, through the page to see some of the directory, a casual look for a picture associated with the official website, see the properties of the site is found in the directory uploads,7 shown.

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M02/A2/83/wKioL1mhJ4aSebcnAAA3TecMiCg226.png-wh_500x0-wm_ 3-wmp_4-s_3348279418.png "title=" Image008.png "width=" "height=" 248 "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width : 300px;height:248px; "alt=" Wkiol1mhj4asebcnaaa3tecmicg226.png-wh_50 "/>

Figure 8 Getting directory information

In addition, through Os-shell, we use PWD to see the current directory, and then through LS from the first level of the directory to view, when viewing to uploads, 8, there is a way to upload a Trojan horse, because the directory can be known.

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M00/03/D3/wKiom1mhJ8-wCbdjAABzkurgIOc258.png-wh_500x0-wm_ 3-wmp_4-s_2034006979.png "title=" Image009.png "alt=" Wkiom1mhj8-wcbdjaabzkurgioc258.png-wh_50 "/>

Figure 9 Viewing directory information

0 x07 Write a word trojan

Since the previous Linux reinforcement, using echo to enter the data into the file to implement the ping, so that it is possible to write a sentence to the file in this way? Through the uploads directory several times, may be their own technology is too vegetable, spent a lot of time, almost one echo output to see the success of the content is written to the file, in a single quotation mark where the toss for a long time, with the ' No use, has failed, did not think directly not single quotation marks on success, Finally the write succeeded! So excited, hey!

650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M01/03/D3/wKiom1mhJ-WAknbwAAARJQrDxCo441.jpg-wh_500x0-wm_ 3-wmp_4-s_2819803385.jpg "title=" image010.jpg "alt=" Wkiom1mhj-waknbwaaarjqrdxco441.jpg-wh_50 "/>

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M00/A2/83/wKioL1mhJ-LCDh8-AAAZlNRK2V0855.png-wh_500x0-wm_ 3-wmp_4-s_2231605496.png "title=" Image011.png "alt=" Wkiol1mhj-lcdh8-aaazlnrk2v0855.png-wh_50 "/>

Figure 10 Writing Webshell

0 x07 Chopper Connection

By using a chopper, the connection is successful, but the user is WWW, the permissions are not yet MySQL permissions are large, 9, as shown in Figure 10.

650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M01/03/D3/wKiom1mhKCDiCHFEAABKxyx82yA143.png-wh_500x0-wm_ 3-wmp_4-s_2751176027.png "title=" Image012.png "width=" "height=" 219 "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width : 300px;height:219px; "alt=" Wkiom1mhkcdichfeaabkxyx82ya143.png-wh_50 "/>

Figure 11 Getting Webshell

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M01/A2/83/wKioL1mhKDPxdp9AAAAEtwYmS2s455.png-wh_500x0-wm_ 3-wmp_4-s_367789037.png "title=" Image013.png "alt=" Wkiol1mhkdpxdp9aaaaetwyms2s455.png-wh_50 "/>

Figure 12 Viewing the current user

0 x07 Related commands cannot be used to resolve

Under WWW user, 11, cannot use Ifconfig, at this time we can go to sbin directory, directly execute the command file, 12, you can successfully use these commands (you can also directly execute command/sbin/ifconfig)!

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M02/A2/83/wKioL1mhKFai90jZAAAFKhI3QeI356.png-wh_500x0-wm_ 3-wmp_4-s_3818484632.png "title=" Image014.png "alt=" Wkiol1mhkfai90jzaaafkhi3qei356.png-wh_50 "/>

Figure 13 Command execution failed

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M00/03/D3/wKiom1mhKHHSFC-bAABCM-ze3Jk869.jpg-wh_500x0-wm_ 3-wmp_4-s_1907348414.jpg "title=" image015.jpg "alt=" Wkiom1mhkhhsfc-baabcm-ze3jk869.jpg-wh_50 "/>

Figure 14 Viewing the IP address

0 x07 digression

After the success of the connection through the kitchen knife, we can upload the big horse, so as to further the right, about how to raise the right, omitted here 1000 words ...

0 x07 Reference

Get information about the server, you can use Firefox's Server-spy plugin, you can get the site's deployment environment, IP address, script type and other related information!

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M00/A2/83/wKioL1mhKKGSuK1mAAAoEAbq0b8962.png-wh_500x0-wm_ 3-wmp_4-s_3010396042.png "title=" Image001.png "width=" "height=" 231 "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width : 300px;height:231px; "alt=" Wkiol1mhkkgsuk1maaaoeabq0b8962.png-wh_50 "/>

To get the operating system type, we can change the case of the relevant letters in the directory because Linux is case sensitive, Windows is not case sensitive, followed by the ping command to get the operating system type, and in general, Windows xp/2003 The corresponding TTL value for 128;linux corresponds to the TTL value of 64,unix corresponding to the TTL value of 255,windows 7/10 corresponds to the TTL value of 64,windows 95/98 corresponding to the TTL value of 32.

In addition, to obtain the absolute path of the site, if the error can not be used, and we are able to use the PWD, ls Two command, then we can basically find the absolute path, when we execute some command found the prompt cannot find the command, we can in our own virtual machine Locate the path of the command, Then go to the path through./To execute the relevant command.

This article is from the "eth10" blog, make sure to keep this source http://eth10.blog.51cto.com/13143704/1959546

Inject from MySQL to Getshell