Shulou(Shulou.com)06/01 Report--

SQL injection is a technology that operates relevant SQL statements through input (either a form, a get request, a POST request, etc.) and allows the statement to be executed in the database. The main reason is that there is no strict check and filter on the validity of the user input data or the variable parameters submitted by the client, which leads to this vulnerability in the application. This article is mainly about the process of getting webshell by executing echo commands through os-shell through a mysql injection vulnerability. Daniel bypassed it. Writing this article mainly praises yourself for starting to have your own idea, which may have been known to others for a long time!

Originally through the management background weak password into the system, found the upload point, but all kinds of bypass can not be successfully uploaded * *, had no choice but to think of through SQL injection to write a sentence into the file, it seems to be a rookie, but also need a lot of advice from passing gods!

Acquisition of basic information of 0 × 00 system

When I opened the site for this test, I used Firefox's server-spy to get the basic information. The site uses Nginx 1.4.4 and the script type is PHP 5.3.29, as shown in figure 1. For more information on server-spy, please visit its official website: https://github.com/100apps/ServerSpy.

Figure 1 use server-spy to get the basic information of the website

0 × 01 get operating system type

By changing the case in the directory and the website program name, as well as the ping website domain name to obtain the TTL value and so on, it is preliminarily judged that the system is Unix (linux), as shown in figure 2.

Figure 2 getting the operating system type

Knowledge points:

(1) TTL is an abbreviation for Time To Live, and this field specifies the maximum number of network segments that IP packets are allowed to pass through before they are discarded by the router.

(2) TTL is an 8 bit field of the IPv4 header. The registry location of the TTL value: HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ Tcpip\ Parameters in which there is a DWORD value of DefaultTTL, and its data is the default TTL value. We can modify it, but the restart will not take effect until it is set up in decimal system.

(3) the TTL is set by the sending host to prevent packets from looping endlessly over the IP Internet. When forwarding IP packets, the router is required to reduce the TTL by at least 1, and the types of ICMP packets involved when using PING are ICMP request echo (ICMP Echo Request) and ICMP echo reply (ICMP Echo Reply). The value of the TTL field can help us to identify the operating system type.

(4) the TTL field value of echo response of UNIX and UNIX-like operating system ICMP is 255, and the default value of Windows 2008Server is 64.

The TTL field value of Compaq Tru64 5.0ICMP echo reply is 64

The TTL field value of Microsoft Windows NT/2K operating system ICMP echo reply is 128,

The TTL field value of Microsoft Windows 95 operating system ICMP echo reply is 32.

But there are some special cases:

LINUX Kernel 2.2.x & 2.4.x ICMP echo reply with a TTL field value of 64

Sun Solaris 2.5.1,2.6,2.7,2.8 FreeBSD BSD 2.6,2.7, 2.7

The TTL field value of the echo reply of HP UX 10.20 ICMP is 255.

The value of the TTL field for the echo reply of Windows 95Accord 98SERMAX 98SEMAX WinMe ICMP is 32.

The value of the TTL field for the echo reply of WindowsNT4 WRKS,WindowsNT4 Server,Windows 2000 century ICMP is 128.

0x02 get the injection point

Because the site is a company's official website, so use the tool to simply scan the situation, this time the scanning tool is safe3wvs, the scan found that there is SQL injection, xss, background management, as shown in figure 3, because this is mainly about mysql injection, so other omitted!

Figure 3 found the SQL injection point

0x03 sqlmap for verification

By scanning using the sqlmap injection tool, we know that the SQL injection vulnerability exists, as shown in figure 4, and the database is mysql > 5.0.11.

Figure 4sqlmap gets database information

0 × 04-os-shell system command execution

Originally just try, did not expect to be able to execute-os-shell, as shown in figure 5, personality burst, the operating system is 64-bit, because 32-bit can not execute commands!

Figure 5 get the operating system architecture

0 × 05 to obtain relevant information

By executing the whomai command, you can know that the current user is mysql, as shown in figure 6, and through ifconfig, the address is an intranet address, as shown in figure 7.

Figure 6 obtaining relevant information

Figure 7 get the native IP address

Knowledge points:

A private address (Private address) is an unregistered address that is specifically used within an organization, commonly known as an intranet address.

The internal private addresses reserved are listed below

Category A 10.0.0.0Mutual 10.255.255.255

Category B 172.16.0.0Mutual 172.31.255.255

Class C 192.168.0.0While 192.168.255.255

0x06 look for a writable directory

First of all, you can see some of the directories through the page, randomly find any picture related to the official website, and check the attributes to know that there is a directory uploads in the website, as shown in figure 7.

Figure 8 getting directory information

In addition, through os-shell, we use pwd to view the current directory, and then view it step by step from the first-level directory through ls. When we see uploads, as shown in figure 8, we have an idea, that is, to upload * through relevant means, because the directory can be known.

Figure 9 viewing catalog information

0x07 write a sentence *

Because in the previous linux reinforcement, using echo to input data into the file to achieve the prohibition of ping, so I wonder if it is possible to write a sentence to the file by this method? Through many attempts in the uploads directory, may be their own technology is too lame, spent a lot of time, almost an echo output to see the success, the content will be written to the file, in a single quotation mark place tossed about for a long time, with\'is useless, has been a failure, did not expect to directly do not just quote success, and finally write a success! I'm so excited. Hey!

Figure 10 write to webshell

0 × 07 kitchen knife connection

By using a kitchen knife, the connection is successful, but the user is www and the permissions are not as large as those of mysql, as shown in figure 9 and figure 10.

Figure 11 get webshell

Figure 12 to view the current user

0x07 related commands cannot be used to solve

Under the www user, as shown in figure 11, ifconfig cannot be used. At this point, we can execute the command file directly by going to the sbin directory, as shown in figure 12, and we can use these commands successfully (or we can execute the command / sbin/ifconfig directly)!

Figure 13 Command execution failed

Figure 14 look at the IP address

0 × 07 extra-curricular

After the connection is successful through the kitchen knife, we can upload the Malaysia for further rights. 1000 words are omitted here on how to raise the rights.

0x07 reference

To get server-related information, you can use Firefox's server-spy plug-in, you can get the site's deployment environment, IP address, script type and other related information!

To get the operating system type, we can change the case of the relevant letters in the directory because linux is case-sensitive, windows is not case-sensitive, and the second is to use the ping command to obtain the operating system type. in general, the TTL value for windows XP/2003 is 128 for Linux, and for 64 Unix, the TTL value for Unix is 255, and the TTL value for windows 7jump 10 is 64, and the TTL value for windows 9598 is 32.

In addition, to get the absolute path of the website, if we can not use the error report, and we can use pwd and ls commands, then we can basically find the absolute path. When we execute some commands and find that the command cannot be found, we can locate the path of the command in our virtual machine, and then go to the path to execute the relevant commands through. /.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.