hasbl.blogg.se

Sqlmap via limit lines terminated by method

(2) The attacker needs to know the absolute path of the website.

Yes, there are three execution conditions for os-shell. Many people will complain about the use of os-shell, namely how much permission is required to execute it.

Through the above analysis, we know the usage and principle of the sqlmap os-shell parameter.

The above code implements how the command is executed after os-shell receives it, and how the execution result is output back to os-shell. Cut out the content of tmpbtfgo.php and you get a piece of PHP code. From the content, I saw that this data packet uploads a PHP file similar to cmd.

As you can see from the picture above, a file named tmpbtfgo.php was uploaded using tmpulujm.php. In the analyzed data packets, I saw a POST data packet. Next, it needs to be analyzed in the captured data. Now we can upload files, but think about it carefully: sqlmap provides an os-shell, and we have only analyzed the steps that upload files.

One thing I learned is that it can be executed directly under version 4.1.0. The implementation uploads files and, at the same time, modifies the permissions of the uploaded files according to phpversion. Here is a brief analysis of the PHP statements in the above file. It mainly implements a function for transferring files to the server. Obviously, the hexadecimal is the PHP code.

#Converted code
sqlmap file uploader to directory: " }?>
#Please adjust the format yourself

Parse hexadecimal file

As shown in the figure above, the hexadecimal number converted to a string is:
OR 3616=3616 LIMIT 0,1 INTO OUTFILE '/wamp/

Explanation: select * from * limit 0,1 into outfile '/wamp/
LINES TERMINATED BY is a parameter of INTO OUTFILE, meaning that the content after BY is used at the end of each line. Usually it is '\r\n'; here we modify the content after BY to the following hexadecimal file.

Parse URL (except hexadecimal characters)

I think this statement has no practical effect on os-shell.
AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1.

0x03 Analysis

(1) Packet capture

(5) Establish os-shell and execute commands

So choose option 2; the input path is c:/wamp/www. This is because the site is built with wamp and installed on the C drive. Sqlmap defaults to PHP; here you can choose according to your needs.

Web page source code: phpmywind. The source code is modified here to facilitate testing.

This environment is built with two hosts on the LAN, which makes the environment more realistic.

Environment: apache, mysql and php built by wamp