Author: pingping
Information Source: evil
I have been a little idle recently, so I am writing this filler piece to pass the time; there is no real technical content in it. If you want to repost it, please credit the author and keep the article complete. Many people know that ASP and PHP programming must guard against SQL injection vulnerabilities, but JSP programming must guard against them too; in fact an injection in JSP code directly affects the security of the entire system. This article describes how a JSP + MySQL site was injected and how a webshell was obtained from it.
www.*****.cn is the website of a well-known Chinese institute. We test it here in good faith, and before writing this article I had already notified the site's administrator of the vulnerability. I have processed all the screenshots in this article, pasting over the sensitive parts a diagram of a mathematical formula I invented as a junior (please bear with it; mathematics is a profound subject, and studying it is even more common).
1. Search for injection points
Go to the home page, click one of the news items to view it, and append a single quotation mark (') to the address. Figure 1 shows the page that is returned.
(Figure 1)
It is easy to see that the database of this site has a table name (tablename) of zhxw; unfortunately the web path is not visible in the error. Replacing the quote ' with and 1=1 returns the normal page, while replacing it with and 1=2 returns the error page, so the injection vulnerability is confirmed. Using telnet to probe port 3306 of the host returns the result shown in Figure 2.
(Figure 2)
We can conclude that the database software of this site is MySQL.
2. Guessing table names
With an injection point, we naturally think of using union to construct SQL statements. We start by guessing the number of fields in table zhxw: appending union select 1 to the injection point address gives the error page shown in Figure 3.
(Figure 3)
Appending the numbers 2, 3, 4 and 5 after union select 1 (each number separated by a comma) still shows the error page in the figure, so the number of fields is still wrong. When union select 1, 2, 3, 4, 5, 6 is appended to the injection point address, a normal page is returned, which shows that table zhxw has 6 fields. Now we can manually guess some common table names, and the admin table soon comes to mind. Append union select 1, 2, 3, 4, 5, 6 from admin to the injection point address and change the 1530 after id= to a non-existent id such as -1; the result is shown in Figure 4.
(Figure 4)
This indicates that the table admin exists. You can put field names of the table in positions 2 and 3, or use MySQL's built-in functions there, to obtain database information. Now let's guess the field names of the admin table and their values; we obtain the fields adminname and adminpwd together with their values (Figure 5).
(Figure 5)
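The two probes above (the and 1=1 / and 1=2 pair and the union select column counting) only work because the request parameters are pasted straight into the SQL text. The following is an added example, not code from the article or from the site it tests, showing a content.jsp-style lookup in its injectable form next to a hardened form. The table names zhxw and kydt and the id parameter come from the article; the column name title, the JDBC URL and the credentials are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

// Added example (not code from the article or the site it tests). Table names
// zhxw/kydt and the id parameter follow the article; the column "title", the
// JDBC URL and the credentials are assumptions.
public class NewsLookup {

    // Only the tables this page is meant to read from. A table name cannot be
    // bound with "?", so it must be allow-listed before it reaches the SQL text.
    private static final Set<String> ALLOWED_TABLES = Set.of("zhxw", "kydt");

    // VULNERABLE (the pattern the article exploits): both request parameters are
    // concatenated into the statement, so an id of "-1 union select 1,2,3,4,5,6
    // from admin" turns a single-row lookup into an arbitrary UNION query.
    static String vulnerableSql(String tablename, String id) {
        return "select * from " + tablename + " where id=" + id;
    }

    // Hardened input handling: the table must be on the allow-list ...
    static String validateTable(String tablename) {
        return tablename != null && ALLOWED_TABLES.contains(tablename) ? tablename : null;
    }

    // ... and the id must be a plain decimal number; null means "reject".
    static Integer parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            return null;
        }
        return Integer.valueOf(raw);
    }

    // Hardened lookup: the table name is interpolated only after the allow-list
    // check, and the id is sent as a bound value via PreparedStatement, never as SQL.
    static String lookupTitle(Connection conn, String tablename, String rawId) throws SQLException {
        String table = validateTable(tablename);
        Integer id = parseId(rawId);
        if (table == null || id == null) {
            return null; // render a generic "not found" page; no SQL is executed
        }
        String sql = "select title from " + table + " where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed inputs mirroring the probes described in the article.
        String[][] probes = {
            {"zhxw", "1530"},
            {"zhxw", "1530'"},
            {"zhxw", "1530 and 1=2"},
            {"zhxw", "-1 union select 1,2,3,4,5,6 from admin"},
            {"admin", "1"},
        };
        for (String[] p : probes) {
            boolean accepted = validateTable(p[0]) != null && parseId(p[1]) != null;
            System.out.println("vulnerable SQL: " + vulnerableSql(p[0], p[1])
                    + "\n  accepted by hardened checks: " + accepted);
        }
        // Placeholder connection details (needs the MySQL JDBC driver on the
        // classpath); substitute the application's real data source.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://127.0.0.1:3306/newsdb", "app_user", "app_password")) {
            System.out.println(lookupTitle(conn, "zhxw", "1530"));
        }
    }
}
```

Of the five constructed inputs, only the first passes both checks; the quote probe, the boolean probe, the UNION probe and the attempt to read the admin table are all rejected before any SQL is built. Binding the id alone would not be enough here, because the table name is also taken from the request, which is why the allow-list is part of the fix.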
3. Finding the web path and the web management portal
Remember that angel's article <Advanced SQL Injection with MySQL> describes a very important function, load_file(). We can now use it to find the web path. Testing shows that the result of load_file() is displayed incompletely when it is substituted for number 2 but completely when substituted for number 3; I guess this is related to the field lengths in table zhxw. I also guess this is a Unix system, so I first look for the web path starting from the root directory (Figure 6).
(Figure 6)
The www on the underlined line in Figure 6 should hold the web directory; using load_file('/www') next, the exact web path turns out to be /www/ping (I use ping in place of the real directory name under www). Under /www/ping I found a bbs directory and the management page adminlog.jsp.
4. Obtaining a shell with ordinary user privileges
With the management page found, we naturally want to log in with the account from Figure 5 and upload a JSP trojan, only to learn that this bbs allows management only from the site's own intranet IP addresses, so that route is closed. Next we naturally think of finding the MySQL root password to get a shell. So I want to see whether the source of index.jsp includes a shared database connection file, whose source would then show us the database connection details. Here we use load_file() ... into outfile to read the JSP source: in IE we submit http://www.xxx.xxx.cn/content.jsp?Tablename=kydt&id=390003%20union%20select%20 ,,2,load_file(/www/pingping/index.jsp), 6%20from%20admin into outfile '/www/ping/ping.txt'. With this we obtain the MySQL root password and want to connect to the MySQL server remotely, but remembering the message in Figure 2, "Host xxx.xxx.xxx.170 is not allowed to connect to this MySQL server", we know that this site's MySQL database cannot be connected to from our own machine! That route also seems closed. At this point we turn to social engineering: first check whether the server has ports such as 23 open, then use load_file() to read /etc/passwd. Based on /etc/passwd I manually tested the telnet service for weak passwords and, luckily, found five accounts with weak passwords; logging in with one of them gives the shell shown in Figure 7.
(Figure 7)
It is easy to see that the operating system is SunOS 5.8.
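Every step of sections 1 to 4 leaves a recognisable trace in the web server's access log: the stray quote, the and 1=1 / and 1=2 pair, the union select column counting, and the load_file() / into outfile reads. The following is an added example, not part of the original article, of a small scanner that flags those probe patterns in Apache/Tomcat-style access log lines. The log lines are constructed for illustration; the request paths reuse the names from the article.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not part of the original article: flags the injection probes
// the walkthrough relies on in access-log lines. Log lines below are constructed.
public class InjectionProbeScanner {

    // Signatures are applied to the URL-decoded, lower-cased request target.
    private static final String[] LABELS = {
        "union-select", "load_file", "into-outfile", "boolean-probe", "quote-probe",
    };
    private static final Pattern[] SIGNATURES = {
        Pattern.compile("\\bunion\\s+(all\\s+)?select\\b"),
        Pattern.compile("\\bload_file\\s*\\("),
        Pattern.compile("\\binto\\s+(out|dump)file\\b"),
        Pattern.compile("\\b(and|or)\\s+\\d+\\s*=\\s*\\d+\\b"),
        Pattern.compile("'\\s*(--|#|$)"),
    };

    // Pulls the request target out of a common-log-format line:
    // host - - [time] "METHOD /target HTTP/1.x" status bytes
    static String extractRequestTarget(String logLine) {
        String[] quoted = logLine.split("\"");
        if (quoted.length < 2) return null;
        String[] requestParts = quoted[1].split(" ");
        return requestParts.length >= 2 ? requestParts[1] : null;
    }

    static String decodeForMatching(String target) {
        try {
            return URLDecoder.decode(target, StandardCharsets.UTF_8).toLowerCase();
        } catch (IllegalArgumentException malformedEscape) {
            return target.toLowerCase(); // malformed %xx: match the raw text instead
        }
    }

    // Returns one "label: <log line>" entry per matching signature.
    static List<String> scan(List<String> accessLogLines) {
        List<String> hits = new ArrayList<>();
        for (String line : accessLogLines) {
            String target = extractRequestTarget(line);
            if (target == null) continue;
            String decoded = decodeForMatching(target);
            for (int i = 0; i < SIGNATURES.length; i++) {
                if (SIGNATURES[i].matcher(decoded).find()) {
                    hits.add(LABELS[i] + ": " + line);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log: one benign request followed by the probe sequence.
        List<String> sample = List.of(
            "10.0.0.5 - - [28/Nov/2013:14:55:01 +0800] \"GET /content.jsp?tablename=zhxw&id=1530 HTTP/1.1\" 200 5123",
            "10.0.0.5 - - [28/Nov/2013:14:55:09 +0800] \"GET /content.jsp?tablename=zhxw&id=1530%27 HTTP/1.1\" 500 812",
            "10.0.0.5 - - [28/Nov/2013:14:55:20 +0800] \"GET /content.jsp?tablename=zhxw&id=1530%20and%201=2 HTTP/1.1\" 500 812",
            "10.0.0.5 - - [28/Nov/2013:14:56:02 +0800] \"GET /content.jsp?tablename=zhxw&id=-1%20union%20select%201,2,3,4,5,6%20from%20admin HTTP/1.1\" 200 4870",
            "10.0.0.5 - - [28/Nov/2013:14:57:41 +0800] \"GET /content.jsp?tablename=zhxw&id=-1%20union%20select%201,2,load_file(%27/www%27),4,5,6 HTTP/1.1\" 200 4910",
            "10.0.0.5 - - [28/Nov/2013:14:59:13 +0800] \"GET /content.jsp?tablename=kydt&id=-1%20union%20select%201,2,3,4,5,6%20from%20admin%20into%20outfile%20%27/www/ping/ping.txt%27 HTTP/1.1\" 500 812"
        );
        for (String hit : scan(sample)) {
            System.out.println(hit);
        }
    }
}
```

Run on the constructed sample, the first line produces no alert and the remaining five produce seven alerts in total (the load_file and into outfile lines each also match the union-select signature). Two MySQL-side controls close the reads in sections 3 and 4 regardless of the web code: do not grant the FILE privilege to the account the JSP application connects with, and set secure_file_priv in the server configuration to an empty or dedicated directory (or to NULL to disable file operations), which limits where load_file() and INTO OUTFILE may read or write.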
5. Permission escalation
With a low-privilege shell we naturally want to download an exploit for SunOS 5.8 to escalate privileges, but I could not find a working exploit for a long time. Now that we have a shell, we can log on to its MySQL server from the shell; if MySQL runs as root, the methods in <How apache.org was defaced> and <MySQL UDF Dynamic Library Exploit> can be used to escalate privileges. This failed, as shown in Figure 8 and Figure 9.
(Figure 8)