[IT168 Tech] Preface
I remember some articles about getting a shell through MySQL: you obtain root privileges, connect remotely, create a table, insert the shell's contents into it, then use INTO OUTFILE to write it out to the right directory, and you have a backdoor. I never paid much attention to it, because chances to operate on a MySQL database directly are very rare, and since I had long since mastered it there was no reason to treat the technique as a treasure all day, so I gradually forgot about it. After Super·Hei read my two articles "SQL Injection with MySQL" and "Advanced SQL Injection with MySQL", he asked me whether the data-export technique could be used in injection, since that would greatly increase the chances of getting a shell through injection. In fact, exporting data was already covered, and in some detail, in "SQL Injection with MySQL". This article only discusses getting a shell through injection; it is quite limited, and the technique is very flexible and depends on the actual situation, but when it succeeds it is a direct threat to the security of the host.
How it works
Everyone knows that in MySQL you cannot insert data the way you can in MSSQL with script.asp?id=1;insert into table (field) values('angel');--, because the most MySQL gives you is a UNION query. That is the biggest limitation: inserting data. So we can only start from the functionality the program already has; many programs allow submitting comments, guestbook entries, posts and so on, and it all depends on how the program inserts the variables into the database. The road is right beside us; it is up to us to open it.
Without further ado, let us look at a simple example tested locally. Create a table with the following structure:
CREATE TABLE `article` (
`articleid` INT NOT NULL AUTO_INCREMENT ,
`title` VARCHAR( 200 ) NOT NULL ,
`content` TEXT NOT NULL ,
`visible` INT DEFAULT '1' NOT NULL ,
PRIMARY KEY ( `articleid` )
);
The file show.php that displays an article is as follows:
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "injection";
$id = $_GET['id']; // added here: the original relied on register_globals to populate $id
mysql_connect($servername, $dbusername, $dbpassword) or die("数据库连接失败");
// $id is concatenated straight into the query: this is the injection point the article exploits
$sql = "SELECT * FROM article WHERE articleid=$id and visible=1";
$result = mysql_db_query($dbname, $sql);
$row = mysql_fetch_array($result);
if (!$row) {
    echo "该记录不存在";
    echo "<br>SQL Query:$sql<br>";
    exit;
}
function html_clean($content) {
    $content = htmlspecialchars($content);
    $content = str_replace("\n", "<br>", $content);
    $content = str_replace(" ", "&nbsp;", $content);
    // tab rendered as non-breaking spaces (HTML entities were lost in extraction)
    $content = str_replace("\t", '&nbsp;&nbsp;&nbsp;&nbsp;', $content);
    return $content;
}
echo "<html><body>"; // HTML tags were lost in extraction; a minimal opener is restored here
echo "标题:" . htmlspecialchars($row['title']) . "<hr>\n";
echo "内容:<br>" . html_clean($row['content']) . "<hr>\n";
echo "SQL Query:$sql";
?>
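A hardened counterpart to show.php, added here as an example and not part of the article's code: the query is a prepared statement with the id bound as an integer, the application connects as an assumed low-privilege user `webapp` instead of root, and neither the SQL text nor database errors are echoed back to the client. It assumes PHP 7 or later with the mysqli extension (mysqlnd) and the same `article` table as above.

```php
<?php
// Hardened rewrite of show.php (added example, not the article's own code).
$servername = "localhost";
$dbusername = "webapp";      // assumed: a dedicated user without FILE or other global privileges
$dbpassword = "change-me";   // placeholder
$dbname     = "injection";

// Validate the only user-controlled value before it goes anywhere near SQL.
// filter_input returns null when ?id is absent and false when it is not a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit("invalid article id");
}

$db = new mysqli($servername, $dbusername, $dbpassword, $dbname);
if ($db->connect_error) {
    exit("database connection failed");   // do not leak the driver error to the client
}
$db->set_charset("utf8mb4");

// Prepared statement: $id is bound as an integer, never concatenated into the query,
// so a UNION or an altered WHERE clause cannot be smuggled in through the parameter.
$stmt = $db->prepare("SELECT title, content FROM article WHERE articleid = ? AND visible = 1");
$stmt->bind_param("i", $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

if (!$row) {
    http_response_code(404);
    exit("record not found");             // the SQL text is not echoed back either
}

function html_clean(string $content): string {
    $content = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    $content = str_replace("\n", "<br>", $content);
    $content = str_replace(" ", "&nbsp;", $content);
    $content = str_replace("\t", '&nbsp;&nbsp;&nbsp;&nbsp;', $content);
    return $content;
}

echo "<html><body>";
echo "Title: " . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "<hr>\n";
echo "Content:<br>" . html_clean($row['content']) . "<hr>\n";
echo "</body></html>";
```

The database-side half of the same mitigation is to grant `webapp` only SELECT/INSERT on the application's tables, so that even a successful injection elsewhere cannot use INTO OUTFILE.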